On October 28, 2020, a joint cybersecurity advisory warning of an imminent cybercrime threat to hospitals was issued, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).
The advisory warned that cyber actors were targeting the healthcare sector using TrickBot and BazarLoader malware, resulting in ransomware attacks, data theft, and disruption of services.
There are many factors at play. We suspect that the recent Zerologon vulnerability has contributed to this series of attacks, and any hospital that has not patched its systems is at risk. Time is of the essence: earlier this month, Threatpost reported that Ryuk threat actors were taking advantage of Zerologon (CVE-2020-1472) to encrypt a victim's network just five hours after sending a phishing email.
Unfortunately, sophisticated bad actors may easily get through the first layer of perimeter defenses and, once inside, move laterally through the network and attempt to escalate privileges. It's during this gap, after the malware infection and before the attacker gets escalated privileges, that security teams have the greatest potential to stop the ransomware. Organizations should monitor east-west traffic inside the network to look for anomalous SMB traffic and other indicators of compromise to detect and stop the ransomware before it encrypts their data.
What Can You Do to Secure Your Healthcare Organization?
There are many tools generally in use at the perimeter, such as endpoint detection and response (EDR), that are designed to stop malware from infecting your systems. These tools look for known signatures and patterns of behavior at the endpoint to isolate suspicious traffic and malware and stop the threat at the perimeter.
Unfortunately, protecting the perimeter alone is not enough. If a sophisticated attacker finds a way past your defenses and gets inside the network, they look for ways to move laterally and escalate privileges to infect the network. How do you detect them?
Passively monitoring your east-west traffic provides the best opportunity to uncover and thwart attacks in progress to prevent a shutdown or damage within your healthcare network.
ExtraHop Reveal(x) network detection and response (NDR) fires detections when it observes ransomware behavior on the network. Ransomware detections are prioritized so they get immediate attention.
Reveal(x) machine learning detects unusual behavior taking place on your network, identifying lateral movement, privilege escalation, and anomalous modification of file shares. Security teams receiving these alerts should practice immediate investigation and response to prevent ransomware from infecting their environments.
The CISA alert provides examples of the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) used in these attacks.
ExtraHop Response to These Attacks
ExtraHop customers are already protected; ExtraHop has created detections for the TTPs and IOCs that are seen in this ransomware attack, which are automatically available to all Reveal(x) customers. ExtraHop's ransomware detector already recognizes Ryuk indicators, and we have added the additional domain names listed in the CISA advisory to our built-in Threat Intelligence (TI) feed.
Additionally, Reveal(x) can catch anchor_dns and BazarLoader bots with our machine learning and rules-based detections. ExtraHop Reveal(x) customers will be alerted if those domains are used.
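The two detection ideas the post describes, matching DNS queries against a threat-intelligence domain list and flagging anomalous east-west SMB activity, can be illustrated with a small script. The following is an added example written for this page; it is not ExtraHop code and does not reflect how Reveal(x) is implemented. Every domain, IP address and log line in it is a constructed placeholder (the domains use the reserved `.invalid` TLD), not an indicator from the CISA advisory. The SMB check goes a little beyond the text: it treats a single host opening SMB sessions to an unusual number of distinct internal peers within a short window as a lateral-movement indicator, with the window and threshold as assumed tunables.

```python
"""Toy east-west detection over constructed DNS and SMB log lines.

Two checks: (1) DNS queries matched against a threat-intelligence (TI) domain
list, including subdomains of a listed name; (2) SMB "fan-out", a host reaching
many distinct peers inside a short sliding window. All domains, addresses and
log lines below are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed TI feed entries (placeholders under the reserved .invalid TLD).
TI_DOMAINS = {"c2-placeholder.invalid", "loader-placeholder.invalid"}

# Constructed log lines: "<ISO timestamp> <source IP> <protocol> <key>=<value>".
SAMPLE_LOG = """\
2020-10-28T09:00:01 10.10.5.21 dns query=updates.example.com
2020-10-28T09:00:04 10.10.5.21 dns query=cdn.c2-placeholder.invalid
2020-10-28T09:01:10 10.10.5.21 smb dst=10.10.5.30
2020-10-28T09:01:12 10.10.5.21 smb dst=10.10.5.31
2020-10-28T09:01:15 10.10.5.21 smb dst=10.10.5.32
2020-10-28T09:01:20 10.10.5.21 smb dst=10.10.5.33
2020-10-28T09:01:25 10.10.5.21 smb dst=10.10.5.34
2020-10-28T09:05:00 10.10.7.8 smb dst=10.10.7.9
2020-10-28T09:30:00 10.10.7.8 smb dst=10.10.7.10
2020-10-28T09:30:05 10.10.7.8 dns query=mail.example.com
"""


def parse_log(text):
    """Parse log lines into dicts with ts (datetime), src, proto and one key/value field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, kv = line.split(maxsplit=3)
        key, value = kv.split("=", 1)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "proto": proto, key: value})
    return events


def domain_matches(query, ti_domains):
    """True if the queried name equals a TI domain or is a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ti_domains)


def ti_hits(events, ti_domains=TI_DOMAINS):
    """Return (src, query) pairs for DNS queries that match the TI list."""
    return [(e["src"], e["query"]) for e in events
            if e["proto"] == "dns" and domain_matches(e["query"], ti_domains)]


def smb_fanout_alerts(events, window=timedelta(minutes=5), threshold=4):
    """Return {src: peer_count} for hosts that reach at least `threshold`
    distinct SMB peers within any sliding window of length `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "smb":
            by_src[e["src"]].append((e["ts"], e["dst"]))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()  # chronological order so each window starts at a real event
        best = 0
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= window}
            best = max(best, len(peers))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, q in ti_hits(evs):
        print(f"TI hit: {src} queried {q}")
    for src, n in smb_fanout_alerts(evs).items():
        print(f"SMB fan-out: {src} reached {n} distinct peers within 5 minutes")
```

In the constructed sample, the workstation 10.10.5.21 both resolves a subdomain of a listed name and reaches five peers over SMB within fifteen seconds, so it triggers both checks, while 10.10.7.8, whose two SMB sessions are half an hour apart, does not. A real deployment would baseline the fan-out threshold per host role, since file servers and backup hosts legitimately touch many peers.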
Recommendations for healthcare organizations:
- Immediately back up all systems and maintain offline encrypted backups
- Monitor your NDR, EDR, and SIEM for unusual behavior
- Immediately respond to high-fidelity alerts
- Ensure systems are patched
- Place your employees on high alert for phishing emails
ExtraHop is closely monitoring the situation and will update our TI feed as needed.