FBI, HHS warn of 'increased and imminent' cyber threat to hospitals
In a joint alert sent Wednesday evening, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the U.S. Department of Health and Human Services said they have "credible information" that cybercriminals are taking new aim at healthcare providers and public health agencies as the coronavirus pandemic reaches new heights.
WHY IT MATTERS
In their cybersecurity advisory, the agencies offer some detailed insights into the potential tactics that might be used by bad actors planning fresh incursions on the U.S. healthcare system as many hospitals are overrun with new COVID-19 patients.
"CISA, FBI and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," officials said. "Malicious cyber actors" may soon be planning to "infect systems with Ryuk ransomware for financial gain" on a scale not yet seen across the American healthcare system.
The agencies suggested hospitals, practices and public health organizations take "timely and reasonable precautions to protect their networks from these threats" – which they said include targeting with Trickbot malware, "often leading to ransomware attacks, data theft, and the disruption of healthcare services" just as hospitals are also hard-pressed to respond to a third wave of the COVID-19 crisis.
Over the past five years, the originators of Trickbot have "continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization," the agencies said. "What began as a banking trojan and descendant of Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk."
The FBI noticed new Trickbot modules grouped under the name Anchor in 2019, the agencies said, "which cyber actors typically used in attacks targeting high-profile victims."
Such attacks "often involved data exfiltration from networks and point-of-sale devices," they said. "As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling. Anchor_DNS is a backdoor that allows victim machines to communicate with command and control (C2) servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic."
In addition to a long list of various technical attack techniques and indicators of compromise, CISA, FBI and HHS offered some basic suggestions for how hospitals and healthcare organizations can shore up their defenses to help protect against ransomware and other cyberattacks:
- Patch operating systems, software and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix, due to having local administration disabled.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multifactor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol ports and monitor remote access/RDP logs.
THE LARGER TREND
In a Wednesday blog post, respected cybersecurity expert Brian Krebs noted that he'd received a tip about "communications this week between cybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S."
Many hospitals have already been targeted with Ryuk ransomware, of course, most notably the UHS attack a month ago that left hundreds of that health system's hospitals hobbled. Most recently, a trio of hospitals in upstate New York this week reported system failures because of an apparent Ryuk attack. While officials at St. Lawrence Health System say patient data doesn't appear to have been compromised, the attack did disrupt communications and caused ambulances to be redirected away from some hospitals.
In his report, Krebs said he spoke to a healthcare industry source who surmised that, if this were the sort of real escalation with "hundreds of medical facilities at imminent risk" that would prompt a late-night alert from CISA and the FBI, that scope suggests the threat might go beyond "any one hospital group and may implicate some kind of electronic health record provider that integrates with many care facilities."
ON THE RECORD
"Ransomware attacks on our healthcare system may be the most dangerous cybersecurity threat we’ve ever seen in the United States," said Charles Carmakal, chief technology officer of cybersecurity firm Mandiant, in a press statement.
"UNC1878, an Eastern European criminal threat actor, is deliberately targeting and disrupting U.S. hospitals with ransomware, forcing them to divert patients to other healthcare providers. Patients may experience prolonged wait time to receive critical care. Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase."
"Among the 25 adversaries CrowdStrike tracks that are engaged in Big Game Hunting (a.k.a. Enterprise Ransomware), we’re seeing two categories emerge: ransomware-as-a-service groups that adopt a revenue-share model and closed groups, such as WIZARD SPIDER’s TrickBot, who fully manage ransomware operations and reap all the benefits," added Adam Meyers, SVP of Intelligence at CrowdStrike. "We have also witnessed a disturbing trend in the last 18 months in which adversaries are moving beyond encrypting files to exfiltrating data and threatening to release it if demands are not met. In fact, in some cases the attackers demand two ransoms – one to delete the data and another to decrypt it."