At the beginning of February, attackers exploited a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer software to compromise more than 130 companies, several of them in the healthcare sector, including Community Health Systems (CHS) in Tennessee. The CHS attack affected around 1 million patients. Fortra issued an advisory about the vulnerability at the beginning of February, when it was found to have been exploited in attacks, and released workarounds to prevent exploitation ahead of an emergency patch, which was made available on February 7.
The attacks prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue an additional warning about the Clop ransomware group, which is believed to be behind them. According to Clop, the attacks took place over a period of about 10 days. The group claims to have exploited the vulnerability – a pre-authentication remote code execution flaw in the License Response Servlet – to steal sensitive data. Clop typically encrypts files with ransomware after exfiltrating sensitive data and then demands a ransom; if payment is not made, it threatens to publish the stolen data. In these attacks, the group said it could have deployed ransomware but chose not to, opting for an extortion-only strategy instead.
Clop is a Russia-linked ransomware group that has been active since February 2019, when the first observed attack was carried out by a threat group tracked as TA505. That group was also responsible for the well-known Dridex banking Trojan. Clop (or Cl0p) is the ransomware variant used in the attacks, which have mostly targeted companies in the HPH industry and other critical infrastructure providers. A law enforcement operation against Clop resulted in arrests in Ukraine in June 2021; nevertheless, the group has continued to operate, apparently unaffected by those arrests, and remains a major threat to the healthcare and public health (HPH) industry.
HC3 first issued a warning about the Clop ransomware group in March 2021. In January 2023, HC3 released an updated Analyst Note as attacks on the HPH industry continued. Although HC3 has shared the tactics, techniques, and procedures used by the Clop ransomware group, the group continues to change its tactics, as the most recent string of attacks shows.
Defending against cyberattacks by a highly capable threat group that continuously changes its tactics is difficult. Nevertheless, HC3 advises that the guidance offered by many cybersecurity experts – paying attention to the threat landscape, assessing their own situation, and giving employees the tools and resources needed to prevent a cyberattack – remains the best way forward for healthcare companies.
Read the most recent HC3 notification here.
Alerting Healthcare Companies About MedusaLocker Ransomware Attacks
The healthcare and public health (HPH) industry has been warned about cyberattacks using MedusaLocker ransomware, a lesser-known ransomware variant that has been used in attacks on the HPH sector. High-profile ransomware groups have been extensively targeting the HPH sector with variants such as Clop, BlackCat, and Royal, but attacks using lesser-known variants can be just as damaging.
The threat actor behind MedusaLocker is believed to run a ransomware-as-a-service operation. The group recruits affiliates to conduct attacks in exchange for a share of the proceeds, thought to be about 55%-60% of the ransom payment. The ransomware variant was first identified in September 2019 and has been used to target the HPH industry. Since 2019, most attacks have used phishing and spam emails with malicious attachments as the initial access vector. If a victim opens the attachment, the device connects to the command-and-control server and automatically downloads a script and the ransomware payload. Distribution across the network is believed to occur via WMI.
In 2022, the group began exploiting vulnerabilities in Remote Desktop Protocol (RDP), and this now appears to be its preferred initial access vector. The group targets exposed RDP services and gains access to legitimate RDP accounts by brute-forcing weak passwords. Once inside a victim’s systems, the group establishes persistence via registry entries, escalates privileges, moves laterally, exfiltrates data, and then deploys the ransomware. MedusaLocker uses a hybrid encryption scheme: files are first encrypted with the AES-256 symmetric algorithm, and the AES key is then encrypted with RSA-2048 public-key encryption. Copies of files are deleted to hinder recovery without paying the ransom. Although the MedusaLocker group uses a network of Russian hosts to conduct attacks, it also controls U.S. infrastructure, including compromised data center and U.S. college infrastructure used as redirectors to obscure the origin of its attacks.
The Health Sector Cybersecurity Coordination Center (HC3) has shared some of the group’s known tactics, techniques, and procedures and recommends a number of mitigations. Since the group currently favors RDP compromise, it is essential that RDP instances have multiple layers of access and authentication control. HC3 recommends monitoring RDP usage, flagging and investigating first-time-observed and anomalous activity such as failed login attempts, and enforcing a strong account lockout policy to protect against brute force attacks.
RDP should not be exposed to the internet, patching of RDP vulnerabilities should be prioritized, strong passwords should be set, multi-factor authentication should be enabled on accounts, and if remote users must access the corporate network via RDP, a VPN should be used. HC3 also recommends restricting Remote Desktop port access to known, trusted IP addresses and changing the default RDP port from 3389 to a different port. To protect against phishing attacks, healthcare companies should consider disabling hyperlinks in emails and adding a banner to all emails that originate from an external address.
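The RDP monitoring HC3 recommends (flagging failed and first-time-observed logons, with a lockout-style threshold) can be prototyped against Windows Security log events. The following is an added example written for this page, not HC3’s or the article’s own code. It assumes the standard Windows Security event IDs (4625 for a failed logon, 4624 for a successful logon, logon type 10 for RemoteInteractive/RDP), a hypothetical baseline of known RDP source addresses, and constructed sample log lines flattened to one key=value line per event.

```python
"""Flag RDP brute-force activity in flattened Windows Security log lines.

Added example (not from HC3 or the article). Event IDs and field names are the
standard Windows Security log ones: 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (RDP). The log lines below are
constructed sample data, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one flattened Security event per line.
SAMPLE_LOG = """\
2023-03-01T02:00:05 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-03-01T02:00:09 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-03-01T02:00:14 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-03-01T02:00:20 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-03-01T02:00:27 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-03-01T02:00:33 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-03-01T02:01:02 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-03-01T08:15:00 EventID=4625 LogonType=10 TargetUserName=asmith IpAddress=10.0.0.5
2023-03-01T08:15:20 EventID=4624 LogonType=10 TargetUserName=asmith IpAddress=10.0.0.5
2023-03-01T09:00:00 EventID=4625 LogonType=10 TargetUserName=asmith IpAddress=10.0.0.5
2023-03-01T09:20:00 EventID=4625 LogonType=10 TargetUserName=asmith IpAddress=10.0.0.5
2023-03-01T09:40:00 EventID=4625 LogonType=10 TargetUserName=asmith IpAddress=10.0.0.5
2023-03-01T10:00:00 EventID=4625 LogonType=10 TargetUserName=asmith IpAddress=10.0.0.5
2023-03-01T11:30:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2023-03-01T11:30:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-03-01T11:30:06 EventID=4625 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.7
2023-03-01T11:30:10 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2023-03-01T11:30:15 EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2023-03-01T12:00:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.20.30.40
"""

# Assumed baseline of sources that normally use RDP (e.g. an internal jump host).
KNOWN_RDP_SOURCES = frozenset({"10.0.0.5"})


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with typed fields."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["timestamp"] = datetime.fromisoformat(ts)
    ev["EventID"] = int(ev["EventID"])
    ev["LogonType"] = int(ev["LogonType"])
    return ev


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10),
                          known_sources=KNOWN_RDP_SOURCES):
    """Return alerts for RDP (LogonType 10) activity, in chronological order.

    - first_seen: an RDP source IP that is not in the known baseline
    - brute_force: >= threshold failed RDP logons from one IP inside `window`
      (mirrors an account lockout threshold, but evaluated per source IP so
      password spraying across many accounts is caught too)
    - success_after_burst: a successful RDP logon from an IP still inside a
      failure burst, the strongest indicator of a guessed password
    """
    events = sorted((parse_event(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["timestamp"])
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    accounts = defaultdict(set)     # ip -> distinct accounts targeted in the burst
    seen, flagged, alerts = set(), set(), []

    for ev in events:
        if ev["LogonType"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        ip, ts, user = ev["IpAddress"], ev["timestamp"], ev["TargetUserName"]

        if ip not in known_sources and ip not in seen:
            alerts.append({"type": "first_seen", "severity": "low", "ip": ip, "time": ts})
        seen.add(ip)

        q = failures[ip]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if not q:                          # burst ended: reset per-burst state
            accounts[ip].clear()
            flagged.discard(ip)

        if ev["EventID"] == 4625:
            q.append(ts)
            accounts[ip].add(user)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "severity": "medium", "ip": ip,
                               "time": ts, "failures": len(q),
                               "accounts": len(accounts[ip])})
        elif ev["EventID"] == 4624 and len(q) >= threshold:
            alerts.append({"type": "success_after_burst", "severity": "high",
                           "ip": ip, "time": ts, "account": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data the known jump host produces no alerts even though it accumulates five failures, because they never fall inside a single ten-minute window; the two unknown sources are flagged on first sight, both trigger the brute-force rule, and the one whose burst ends in a 4624 event is escalated to high severity. The per-IP account count distinguishes a single-account brute force (one account) from a spray (five accounts).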
Read the HC3 MedusaLocker Ransomware Analyst Note here.