Newsletter 7/08/2022
Supply Chain Attacks on Healthcare

As BleepingComputer reported, July 7, 2022: Professional Finance Company Inc. (PFC), a full-service accounts receivables management company, says that a ransomware attack in late February led to a data breach affecting over 600 healthcare organizations... Founded in 1904, PFC helps thousands of healthcare, government, and utility organizations across the U.S. ensure that customers pay their invoices on time.

Further investigation revealed "that an unauthorized third party had access to systems that contained information about patients of its healthcare provider clients, and files containing patient data were accessed." Security researchers at AdvIntel "detected the PFC attack via signal collections on February 23, 2022 from the Cobalt Strike infrastructure with the early warning details following the attack flow." It wasn't until May 5, 2022 that PFC "sent notification letters to all affected healthcare provider clients... and has since issued notification letters to all affected individuals."

PFC also published a list of the healthcare-related entities that were victims of the data breach. That document is 15 pages long, in fairly small type. The list can be found here. And, of course, the breached financial services provider offered up the cyberattack equivalent of "thoughts and prayers."

In all the reporting about this incident, there is no discussion that I can discern of the fact that, if the hackers were inside the systems to steal data, were they not then also able to plant more malware? Are these 657 victim entities now exposed to some other kind of attack? Are the 657 entities now possible, if not certain, future victims of other ransomware? How are those 657 different systems going to be cleaned?

I wish that were the end of the problems the healthcare industry experienced in June and July 2022, but healthcare providers really took a beating in early summer 2022.

"This joint CSA provides information—including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)—on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA."

Among the mitigation procedures was the recommendation that affected network admins "Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs)." Cutting the WAN cord, I read to mean: "Disconnect from the Internet."

Why attack healthcare entities seems a fair question to ask. To which CISA replied: "The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations."

Moreover, according to the Alert, the activity has been ongoing since May 2021. As DarkReading reported: "Since May 2021, there have been multiple incidents where threat actors operating the malware have encrypted servers responsible for critical healthcare services, including diagnostic services, electronic health records servers, and imaging servers at organizations in the targeted sectors. In some instances, the Maui attacks disrupted services at the victim organizations for a prolonged period, the three agencies said in an advisory."

As reported by threatpost.com, July 8, 2022, the Maui strain of ransomware is unique in that the attacker does not leave a ransom note explaining how to get the encrypted files back. Another unusual characteristic of this ransomware is that an attack appears to be driven by a human operator rather than by the malware simply running its preset programming on autopilot. Maui encrypts specific files rather than the entire directory structure. Oh, gee. More good news.

Sending my most sincere Tots & Pears

This ain't no party, this ain't no disco,
Gerald Reiff