US healthcare sector to continue facing ransomware attacks, data breaches

The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) observed a continuation of many ongoing trends concerning cyber threats to the healthcare and public health (HPH) community. Ransomware attacks, data breaches, and often both continued to be prevalent in attacks against the health sector. Furthermore, ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. 

“Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations open,” the HC3 identified in its cybersecurity bulletin for Q1 2023. “Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”

The HC3 bulletin covered Emotet – historically a prolific threat to the health sector – that went operational again in early March after being offline for three months. “The operators began to reconstitute their command-and-control (C&C) infrastructure in late January. Their epochs began going back online on January 25, and on March 8, four epochs resumed delivery of phishing e-mails, which is their standard practice for distributing malicious office documents in ZIP archives. One new technique they are using now is binary padding. They are inflating both the dropper and the dynamic link library to avoid detection by exceeding size limitations by anti-malware software,” it added.

After the payload is successfully downloaded, “Emotet does a check to ensure the file is either ZIP or a PE (portable executable). This seems to suggest they may be preparing to leverage other file formats outside of zipped archives in the future. They have also been spotted using fake W-9 tax forms purported to be from the IRS,” the agency added.
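The two Emotet behaviours described above, checking whether a payload is a ZIP or a PE and inflating the dropper and DLL with filler so they exceed scanner size limits, can be turned around for defensive triage. The following is an added example written for this article, not code from HC3 or the bulletin: it identifies a file's type by its magic bytes and flags files whose tail is one long run of a single byte, which is what simple binary padding looks like. The sample bytes, the padding thresholds (`pad_ratio`, `min_pad`) and the helper names are all constructed assumptions.

```python
"""Defensive triage helper (added example, not part of the HC3 bulletin).

1. Type check by magic bytes: ZIP archives start with b"PK\x03\x04" and
   PE files start with b"MZ".  Emotet uses the same check to validate its
   payload; here it is used to classify files on the defender's side.
2. Padding check: a file whose tail is a long run of one byte is flagged,
   because inflating a dropper or DLL with filler is the evasion the
   bulletin describes.  Flagging on the padding itself makes the file's
   total size irrelevant, which is the point of the technique.
"""
from dataclasses import dataclass

ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


@dataclass
class Verdict:
    kind: str           # "zip", "pe" or "unknown"
    size: int           # total length in bytes
    trailing_run: int   # length of the single-byte run at the end of the file
    padded: bool        # True when the run is long enough to look like filler


def detect_kind(data: bytes) -> str:
    """Classify by leading magic bytes only (no deeper structure parsing)."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def trailing_run_length(data: bytes) -> int:
    """Return how many identical bytes the file ends with."""
    if not data:
        return 0
    last = data[-1]
    run = 0
    for b in reversed(data):
        if b != last:
            break
        run += 1
    return run


def analyse(data: bytes, pad_ratio: float = 0.5, min_pad: int = 1024) -> Verdict:
    """Flag as padded when the trailing run is at least min_pad bytes and
    makes up at least pad_ratio of the whole file.  Thresholds are assumed
    values for illustration; tune them to the file population you scan."""
    run = trailing_run_length(data)
    padded = len(data) > 0 and run >= min_pad and (run / len(data)) >= pad_ratio
    return Verdict(detect_kind(data), len(data), run, padded)


def analyse_file(path: str) -> Verdict:
    """Convenience wrapper for a file on disk (hypothetical helper name)."""
    with open(path, "rb") as fh:
        return analyse(fh.read())


# Constructed samples (not real malware): a stub PE header followed by
# 4 KiB of zero filler, and an unpadded ZIP-like blob.
SAMPLE_PADDED_PE = PE_MAGIC + b"\x90" * 62 + b"\x00" * 4096
SAMPLE_ZIP = ZIP_MAGIC + bytes(range(256)) * 4

if __name__ == "__main__":
    for name, blob in (("padded_pe", SAMPLE_PADDED_PE), ("zip", SAMPLE_ZIP)):
        print(name, analyse(blob))
```

A real deployment would also inspect the PE section table (filler appended after the last section is the simplest variant), but the magic-byte and trailing-run checks above are enough to catch the size-inflation case the bulletin describes.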

The bulletin also reminded the sector that Microsoft released a public notification that Exchange Server 2013 will reach its extended end-of-support (EOS) date on April 11, 2023. It reached its mainstream end date in April 2018. Once this extended EOS date is reached this coming April, Microsoft will stop providing technical support and bug fixes for it.

Additionally, Microsoft has announced the end of support for Windows Server 2012 and 2012 R2. The official date is October 10, 2023, so the good news is that there is still some time, the bulletin said. “The bad news is that server migrations and upgrades are major projects and can take a lot of time. As part of this, they are providing three options: migrate to Azure, which is their cloud solution, upgrade on-prem to Server 2022, or subscribe to extended security updates which will provide three more years of updates,” it added. 

The HC3 also identified vulnerabilities that were made public for OpenEMR, an open-source electronic health record and medical practice management application. They can be used to fully compromise a system running a vulnerable version. There is a patched version available. 

In January, the HC3 published a Clop ransomware analyst note covering the ransomware group that operates under the ransomware-as-a-service (RaaS) model and was initially observed in 2019. Clop was among the most widely used ransomware families and typically targeted organizations with a revenue of US$5 million or higher. The HPH sector has been recognized as a highly targeted industry for the Clop ransomware.

Data released Monday by cybercrime threat intelligence firm KELA showed that Clop is the second most active group, targeting more than 100 victims in the first quarter of this year. “The most targeted sectors of the group were professional services, technology, healthcare and life sciences. Clop gained attention in February, when it claimed to have exploited a zero-day vulnerability in the Fortra GoAnywhere MFT (CVE-2023-0669), which allegedly allowed the actors to steal data from 130 organizations,” it added. 

The HC3 released in January a threat brief covering two relatively new ransomware variants, Royal and BlackCat, which both pose a significant threat to the HPH sector. 

The HC3 published an Artificial Intelligence (AI) for malware development analyst note, which identifies that AI has now evolved to a point where it can be effectively used by hackers to develop malware and phishing lures. “While the use of AI is still very limited and requires a sophisticated user to make it effective, once this technology becomes more user-friendly, there will be a major paradigm shift in the development of malware. One of the key factors making AI particularly dangerous for the healthcare sector is the ability of a threat actor to use AI to customize attacks easily and quickly against the healthcare sector,” it added. 

In February, the HC3 published a Healthcare Sector DDoS Guide covering Distributed Denial of Service (DDoS) attacks that have the potential to deny healthcare organizations and providers access to vital resources that can have a detrimental impact on the ability to provide care. In healthcare, disruptions due to a cyberattack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets, such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks.

Also in February, the agency noted that the Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, exploiting a zero-day vulnerability in the GoAnywhere MFT secure file transfer software. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the GoAnywhere flaw to its public catalog of Known Exploited Vulnerabilities.

The HC3 also published in February a MedusaLocker ransomware analyst note. Ransomware variants from relatively well-known cyber threat groups continue to be used against the healthcare sector and remain a source of concern and attention; likewise, lesser-known but potent variants such as MedusaLocker should also be a source of concern and attention for healthcare security decision-makers and defenders.

The agency published in March a threat profile on the Black Basta ransomware, which was initially spotted in early 2022. Known for its double extortion attacks, the Russian-speaking group executes ransomware and exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it, should a victim fail to pay a ransom. The threat group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access. 

HC3 added that the sophistication of its ransomware operators, together with its reluctance to recruit or advertise on dark web forums, supports the widespread suspicion that the nascent Black Basta may be a rebrand of the Russian-speaking RaaS threat group Conti, or linked to other Russian-speaking cyber threat groups.

“Previous HC3 Analyst Notes on Conti and BlackMatter even reinforce the similar tactics, techniques, and procedures (TTPs) shared with Black Basta,” the agency warned. “As ransomware attacks continue to increase, this Threat Profile highlights the emerging group and provides best practices to lower risks of being victimized.”

Given the prevalence of mobile devices in the health sector, and their ability to store and process private health information (PHI) and other sensitive data, HC3 assesses that these devices can be a critical part of healthcare operations. In March it published a basic checklist of recommended security items for health sector mobile devices, covering data in motion and at rest as well as the capabilities of the device itself.

Last week, the HC3 published a sector alert covering fake Domain Name Server (DNS) requests for non-existent domains (NXDOMAINs). A trusted third party shared information with HC3 regarding a DDoS attack, which it has been tracking since last November, that floods targeted networks and servers with fake DNS requests that resolve to NXDOMAIN responses.
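An NXDOMAIN flood of the kind described in the alert leaves a distinctive trace in resolver logs: one client producing a high volume of queries, almost all of them answered NXDOMAIN, for many distinct never-seen names under the same zone. The script below is an added example for this article (not HC3's alert or any vendor's tooling) that summarises such a log per client and flags the flooding source. The log line layout (timestamp, client IP, query name, query type, response code), the IP addresses and the thresholds are all constructed for illustration; adapt `parse_line` to your resolver's actual log format.

```python
"""NXDOMAIN flood detection over resolver logs (added example, not from HC3).

Per client it counts total queries, NXDOMAIN answers and the number of
distinct names that returned NXDOMAIN.  A client is flagged when all three
exceed thresholds: many NXDOMAINs, a high NXDOMAIN ratio, and many distinct
names (a user repeatedly hitting one typo has one name, a flood has many).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log: 198.51.100.7 is a normal client with one typo,
# 203.0.113.5 sends random labels under the zone and gets NXDOMAIN every time.
SAMPLE_LOG = """\
2023-04-10T10:00:00 198.51.100.7 www.hospital.example A NOERROR
2023-04-10T10:00:00 203.0.113.5 q7x2kd.hospital.example A NXDOMAIN
2023-04-10T10:00:00 203.0.113.5 zp91mm.hospital.example A NXDOMAIN
2023-04-10T10:00:01 198.51.100.7 portal.hospital.example A NOERROR
2023-04-10T10:00:01 203.0.113.5 b3ty0s.hospital.example A NXDOMAIN
2023-04-10T10:00:01 203.0.113.5 xk44qq.hospital.example A NXDOMAIN
2023-04-10T10:00:02 198.51.100.7 mail.hospital.example MX NOERROR
2023-04-10T10:00:02 203.0.113.5 h8jwe1.hospital.example A NXDOMAIN
2023-04-10T10:00:02 203.0.113.5 ooi2z9.hospital.example A NXDOMAIN
2023-04-10T10:00:03 198.51.100.7 wwww.hospital.example A NXDOMAIN
2023-04-10T10:00:03 203.0.113.5 lm5v7c.hospital.example A NXDOMAIN
2023-04-10T10:00:03 203.0.113.5 c0d1ng.hospital.example A NXDOMAIN
"""


@dataclass
class ClientStats:
    total: int = 0
    nxdomain: int = 0
    nx_names: Set[str] = field(default_factory=set)

    @property
    def nx_ratio(self) -> float:
        return self.nxdomain / self.total if self.total else 0.0


def parse_line(line: str) -> Tuple[str, str, str, str, str]:
    """Split one constructed-format log line into its five fields."""
    ts, client, qname, qtype, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), qtype, rcode


def summarize(lines: Iterable[str]) -> Dict[str, ClientStats]:
    """Aggregate per-client query and NXDOMAIN counts."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        _, client, qname, _, rcode = parse_line(line)
        s = stats[client]
        s.total += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
            s.nx_names.add(qname)
    return dict(stats)


def flag_floods(stats: Dict[str, ClientStats], min_nx: int = 5,
                min_ratio: float = 0.8, min_distinct: int = 5) -> List[str]:
    """Return clients whose NXDOMAIN volume, ratio and name diversity all
    exceed the (assumed) thresholds, sorted for stable output."""
    flagged = [
        client for client, s in stats.items()
        if s.nxdomain >= min_nx
        and s.nx_ratio >= min_ratio
        and len(s.nx_names) >= min_distinct
    ]
    return sorted(flagged)


if __name__ == "__main__":
    per_client = summarize(SAMPLE_LOG.splitlines())
    for client, s in sorted(per_client.items()):
        print(f"{client}: {s.nxdomain}/{s.total} NXDOMAIN, "
              f"{len(s.nx_names)} distinct names")
    print("flagged:", flag_floods(per_client))
```

In production the same aggregation would run over a sliding time window rather than the whole log, and the flagged client list would feed a rate limit or response-rate-limiting rule on the resolver rather than just a report; the distinct-name condition is what separates a flood from a misconfigured but harmless client.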
