Healthcare Cybersecurity

Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) about Rhysida ransomware.

Rhysida ransomware is a ransomware-as-a-service (RaaS) operation that first emerged in May 2023. The group engages in double extortion tactics, involving data theft and encryption, with ransom payment required to obtain the keys to decrypt files and prevent the public release of stolen data. Researchers at Check Point identified significant similarities between Rhysida ransomware and Vice Society, one of the most prolific ransomware groups since 2021 that aggressively targeted the education and healthcare sectors.

In August 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued its own advisory about Rhysida ransomware following several attacks on the healthcare sector, including the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics across the United States. The latest cybersecurity advisory includes an update on the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs) from malware analyses and recent incident response investigations to help network defenders and incident response teams detect and block attacks in progress.

Rhysida ransomware actors have been observed using a variety of techniques for gaining initial access to victims’ networks, including leveraging external-facing remote services such as virtual private networks (VPNs), commonly through the use of compromised credentials. These attacks have proven successful against organizations that have failed to implement multi-factor authentication for VPN connections. Rhysida ransomware actors have also exploited unpatched vulnerabilities, such as the Zerologon (CVE-2020-1472) vulnerability in Microsoft’s Netlogon Remote Protocol, and commonly use phishing emails. Once initial access has been achieved, the group often creates Remote Desktop Protocol (RDP) connections for lateral movement, establishes VPN access, and uses PowerShell and native network administration tools to perform operations, which helps them to evade detection by hiding their activity within normal Windows systems and network activities.

The FBI, CISA, and the MS-ISAC suggest several mitigations for hardening security, including steps that can be taken to block the main attack vectors, restrict lateral movement, and detect attacks in progress. These include enabling phishing-resistant multifactor authentication, especially for webmail, VPNs, and accounts that access critical systems; disabling command-line and scripting activities and permissions; restricting the use of PowerShell; enhancing PowerShell logging and logging within processes; restricting the use of RDP; and securing remote access through application controls.

The post Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks appeared first on HIPAA Journal.

Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an updated cybersecurity advisory about Royal ransomware, which is thought to be about to shut down and rebrand.

Royal ransomware first emerged in September 2022 and is thought to have split from the Conti ransomware operation, with a brief spell operating as Quantum in between. Royal has been a prolific operation: according to the FBI, it has conducted more than 350 attacks since September 2022 and issued ransom demands in excess of $275 million. Royal ransomware is a private ransomware group that has targeted organizations in healthcare and public health (HPH), education, manufacturing, and communications. The number of attacks on HPH sector organizations prompted an earlier cybersecurity advisory from CISA, the FBI, and the HHS, which shared the latest tactics, techniques, and procedures (TTPs) used by the group and Indicators of Compromise (IoCs). They have been updated in the latest advisory.

In May 2023, a new ransomware variant was detected that had several coding similarities to Royal ransomware, and similar intrusion techniques were used. Researchers at Trend Micro found the two ransomware variants were almost identical, with 98% similar functions, 98.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff. The two groups have been observed using similar software and open source tools in their attacks, such as Chisel and Cloudflared for network tunneling; Secure Shell (SSH) Client, OpenSSH, and MobaXterm for SSH connections; and Mimikatz and Nirsoft for credential harvesting. The attacks also involved similar remote access tools.

Along with those similarities was the timing of the emergence of the new ransomware variant, BlackSuit, which led security researchers to believe that Royal was about to rebrand. Royal had just conducted a major attack on the city of Dallas, which attracted considerable attention from law enforcement, and ransomware groups often rebrand after major attacks. Royal did not rebrand immediately, and it has been suggested that all did not go well with the new ransomware variant and the rebrand was delayed. Alternatively, BlackSuit could be a spinoff variant of Royal. CISA and the FBI are convinced that the two ransomware variants are linked.

LockBit 3.0 Exploiting Citrix Bleed Vulnerability

The LockBit 3.0 group has been exploiting the critical Citrix Bleed vulnerability that affects Citrix NetScaler ADC and Gateway to gain access to the systems of its victims. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023; however, many organizations have been slow to patch and are running vulnerable appliances.

According to security researcher Kevin Beaumont, who has been tracking the group’s attacks, several of the group’s recent victims had exposed Citrix servers that were vulnerable to the Citrix Bleed flaw, which appears to have been exploited using a publicly available exploit.

Currently, there are more than 3,000 Citrix servers in the United States that are exposed to the Internet and vulnerable to the Citrix Bleed flaw which can be exploited remotely with no user interaction. Immediate patching is strongly recommended to prevent exploitation of the flaw.

Hunters International Ransomware Group Takes over from Hive

Hive, one of the most notorious ransomware groups in recent years, was shut down in January this year following an international law enforcement operation. The group had obtained more than $100 million in ransom payments and conducted more than 1,500 attacks worldwide, including many attacks on healthcare organizations.

Following law enforcement takedowns, ransomware groups often go quiet and then reemerge months later with a new ransomware variant. A new threat group, Hunters International, has since emerged, and several similarities have been found with Hive, including coding overlaps and a 60% match between the two groups’ code, according to security researcher BushidoToken.

According to a recent report from Martin Zugec, technical solutions director at Bitdefender, a member of the Hunters International group issued a statement confirming that Hive and Hunters International are two separate groups and that Hive’s source code and infrastructure were acquired. The Hive spokesperson said Hive sold their source code, website, and old Golang and C versions, and Hunters purchased them. The spokesperson for Hunters said encryption isn’t its primary goal, which is why the group didn’t develop everything from scratch. Bitdefender’s research uncovered evidence to suggest the adoption of Hive’s code rather than a rebrand, thus corroborating the Hunters International statement. Bitdefender’s analysis, recommendations, and IoCs can be found here.


Stricter Cybersecurity Regulations Proposed for New York Hospitals

New York has proposed tighter cybersecurity regulations for hospitals throughout New York State in response to a series of crippling attacks that have caused disruption to healthcare services, delays to patient care, and have put patient safety at risk.

Governor Kathy Hochul announced the proposed measures on Monday, which are expected to be published in the State Register on December 6, 2023, provided they are adopted by the Public Health and Health Planning Council this week. The new cybersecurity requirements will then undergo a 60-day public comment period, which will end on February 5, 2033. When the new regulations are finalized, hospitals will be given a 1-year grace period to ensure full compliance.

The proposed regulations include the requirement for New York hospitals to appoint a Chief Information Security Officer if they have not done so already, implement defensive infrastructure and cybersecurity tools including multifactor authentication, and conduct regular risk analyses to identify cyber risks. Any in-house applications must be developed using secure software design principles, and processes must be developed and implemented for testing the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that care can continue to be provided to patients in the event of a cyberattack.

New York hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement the HIPAA Security Rule and include similar requirements, but while the HIPAA Security Rule is largely technology agnostic, the proposed regulations in New York include specific measures that hospitals must implement. “Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

There has been a massive increase in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently announced there has been a 77% increase in hacking incidents in 2023 and a 278% increase in ransomware attacks over the past 4 years. While reported data breaches of 500 or more records are down slightly from 2022, more than 79 million healthcare records have been exposed in those attacks – almost twice the number of compromised records in 2022.

These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their systems and that more needs to be done to improve cybersecurity than complying with the HIPAA Security Rule. There are often competing priorities in healthcare, and while investment in cybersecurity has increased, some hospitals have struggled to find the necessary funding to improve cybersecurity. To help ease the financial burden, Governor Hochul’s FY24 budget includes $500 million in funding for healthcare facilities to enable them to upgrade their technology systems to comply with the proposed regulations and pay for necessary cybersecurity tools, electronic health records, advanced clinical technologies, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said New York State Chief Information Officer Dru Rai. “We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”


SysAid Zero-Day Vulnerability Exploited to Deploy Clop Ransomware

A zero-day vulnerability in the SysAid IT service management solution is being exploited by the Lace Tempest (aka FIN11, DEV-0950, TA505) threat group to gain access to SysAid servers, steal data, and deploy Clop ransomware.

The threat group is well known for exploiting zero-day vulnerabilities. Before the latest campaign, the group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution, stole data, and attempted to extort more than 2,000 victims. Earlier this year, a zero-day vulnerability was exploited in another file transfer solution, Fortra’s GoAnywhere MFT, and before that in 2021, the group exploited a zero-day vulnerability in the Accellion FTA.

The SysAid vulnerability was identified on November 2, 2023, after it had been exploited. The vulnerability, tracked as CVE-2023-47246, was identified by Microsoft, which notified SysAid. The attacks detected by Microsoft were attributed to the Lace Tempest group.

CVE-2023-47246 is a path traversal vulnerability in SysAid’s on-premises software that can be exploited to execute unauthorized code. In one of the attacks, the threat actor exploited the flaw to upload a Web Application Resource (WAR) archive containing a webshell to the webroot of the SysAid Tomcat web service. The webshell allowed the threat actor to execute PowerShell scripts to load GraceWire malware into a legitimate process such as spoolsv.exe, msiexec.exe, or svchost.exe. The malware checks for Sophos security software, and if not present, will be used to deploy additional scripts. In one attack, a Cobalt Strike listener was deployed on compromised hosts. After exfiltrating sensitive data, Clop ransomware was deployed and executed.

Given the speed at which the group has exploited vulnerabilities in the past, immediate action is required to fix the flaw. SysAid has released a patch, and all SysAid users are being strongly encouraged to update to version 23.3.36 or later as soon as possible to prevent exploitation. After upgrading to the latest version, servers should be checked for signs of compromise. SysAid has published a list of Indicators of Compromise (IoCs) in its recent report on the attacks exploiting the flaw. SysAid also recommends reviewing any credentials or other information that would have been available to someone with full access to the SysAid server and checking any relevant activity logs for suspicious behavior.


CISA Issues Software Bill of Materials Guidance

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, Office of the Director of National Intelligence, and partners have released guidance on software bill of materials (SBOM) generation and consumption, as part of ongoing efforts to better secure the software supply chain.

The guidance was developed by the Software Supply Chain Working Panel, which was established by the Enduring Security Framework (ESF) and is a collaborative partnership across private industry, academia, and government. The Working Panel has developed a three-part Recommended Practices Guide series, that covers best practices to help ensure a more secure software supply chain for developers, suppliers, and customer stakeholders.

The latest guidance is aimed at software developers and suppliers, and includes industry best practices and principles, including managing open source software and SBOM to maintain and provide awareness about the security of software.

Cyber actors are increasingly targeting the software supply chain and are searching for software vulnerabilities that can be exploited to allow them to attack all users of the software, such as the 2020 cyberattack on the SaaS provider SolarWinds. The attack is believed to have been conducted by the Russian state-sponsored hacking group Cozy Bear, which compromised the SolarWinds Orion IT performance and monitoring solution and added a backdoor. When a software update was rolled out to customers, so was the backdoor, resulting in the compromising of an estimated 18,000 systems. The hackers then conducted follow on activities on selected high value targets.

Cyber actors also take advantage of vulnerabilities in open source software and third-party components, such as the Log4Shell vulnerability in the Log4j logging tool, which is used by millions of computers worldwide. When a critical vulnerability was identified and patches were released, they could only be applied if it was known that Log4j was used. Because Log4j was a component of many different software solutions, the vulnerability went unaddressed as many users were unaware that they were vulnerable.

One of the ways that the security of the software supply chain can be improved is by having a complete SBOM that includes all software components and dependencies. The SBOM can be rapidly queried to determine if a vulnerable software component is used and steps can then be taken to address the problem. The latest guidance document is part of the ESF Software Supply Chain Working Panel’s second phase of guidance, which provides further details on the SBOMs that were recommended in the Phase 1 Recommended Practices Guides.
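The query described above, as an added example that is not part of the CISA guidance: a small Python script that walks a constructed CycloneDX JSON SBOM (including nested components) and reports any component whose version falls inside a known-vulnerable range. The sample SBOM, the component names, and the Log4Shell version range in `KNOWN_VULNERABLE` are assumptions made for illustration, not data from the page.

```python
import json

# Constructed sample SBOM in CycloneDX JSON format (not a real product's SBOM).
# One vulnerable log4j-core copy is nested inside an application component,
# a patched copy sits at top level, and log4j-api is present as a distractor.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "billing-portal", "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j",
        "name": "log4j-core", "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-api", "version": "2.14.1"}
  ]
}"""

# Assumed advisory data for illustration: (group, name, first affected,
# first fixed, label). The range is a simplification of the Log4Shell
# advisory; a real deployment would load ranges from a vulnerability feed.
KNOWN_VULNERABLE = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0", "Log4Shell"),
]


def parse_version(version, width=3):
    """Turn '2.14.1' into (2, 14, 1). Non-numeric qualifiers such as
    '-beta9' are dropped, and short versions are zero-padded so that
    '2.15' compares equal to '2.15.0'."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into the
    optional nested 'components' list that CycloneDX allows."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_vulnerable(sbom_json, advisories=KNOWN_VULNERABLE):
    """Return every component whose (group, name, version) matches an
    advisory range, with the path at which it was found in the SBOM."""
    sbom = json.loads(sbom_json)
    hits = []
    for path, comp in walk_components(sbom.get("components", [])):
        version = comp.get("version")
        if not version:
            continue  # components without a version cannot be range-matched
        for group, name, lo, hi, label in advisories:
            if comp.get("group") == group and comp.get("name") == name:
                pv = parse_version(version)
                if parse_version(lo) <= pv < parse_version(hi):
                    hits.append({"path": "/".join(path),
                                 "version": version, "issue": label})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM):
        print(f"{hit['issue']}: {hit['path']} {hit['version']}")
```

Note that the nested, vulnerable copy is the one a flat listing of top-level dependencies would miss, which is the Log4j situation the guidance describes.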

According to CISA, the guidance can be used as a basis for describing, assessing, and measuring security practices relative to the software lifecycle and the suggested practices can be applied across the acquisition, deployment, and operational phases of a software supply chain. The guidance includes recommendations in line with industry best practices and principles which software developers and software suppliers are encouraged to reference, and includes managing open source software and SBOMs to maintain and provide awareness about the security of software.

While the guidance provides recommendations for SBOM generation and consumption processes, implementing these recommendations will be a challenge for many organizations as it will require considerable investment and resources that many organizations currently lack.


Q3, 2023 Sees 76% Fall in Data Breaches

The United States remains the country most targeted by cybercriminals and nation-state actors, with 8.1 million breached accounts in Q3, 2023 – 26% of the global total of 31.5 million accounts that were breached from July through September 2023, according to Surfshark’s Data Breach Statistics: Q3 2023 Report. Russia was the second most targeted country with 7.1M breached accounts, followed by France (1.6M), China (1.5M), and Mexico (1.2M).

In the United States, that amounts to one breached account per second in Q3, although that is 84% fewer breached accounts than in Q2, 2023. Globally, there was a 76% decrease in breached users compared to Q2, 2023. Europe was the most targeted region, with 10.9 million breached accounts, down from 48.1 million breached accounts in Q2, 2023, and North America was second, with 9.5 million accounts breached, 30% of the Q3, 2023 total, down from 82% of breached accounts in Q2, 2023. The countries with the highest breach density, which is the number of breached accounts per 1,000 residents, were Russia, France, the US, Colombia, and Malaysia. Last year, data breaches increased by 70% from Q2 to Q3, rising to 108.9 million breached accounts globally in Q3 – a rate of around 14 breaches per second. The United States was then the fourth most attacked country behind Russia, France, and Indonesia.

The reduction in data breaches is certainly good news but data breaches are still being reported at alarming rates. “The third quarter of 2023 shows a general decrease in data breach count. Yet every minute, over 240 online accounts were compromised globally, exposing sensitive information to malicious actors,” says Agneska Sablovskaja, Lead Researcher at Surfshark. “We recommend a vigilant approach by maintaining accounts only on actively used platforms and implementing two-factor authentication for enhanced security.”

Surfshark’s data breach statistics were compiled from data collected by independent partners from 29,000 publicly available databases, which were aggregated by email address. The locations of the breaches were determined by domains, IP addresses, locales, coordinates, currency, or phone numbers.

Massive Increase in Breached Healthcare Records, Despite Reduction in Data Breaches

The Surfshark report does not break down data breaches by industry, so how has the healthcare industry fared? The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report data breaches to the Secretary of the Department of Health and Human Services, and the HHS’ Office for Civil Rights publishes a list of breaches of 500 or more records.

OCR’s breach report data show an 8.5% reduction in healthcare data breaches from Q2, 2023 to Q3, 2023, and a 5.2% reduction in breaches from Q3, 2022. The year to September 30, 2023, has seen 10 fewer breaches (-1.83%) than the corresponding period in 2022.

Data Source: HHS’ Office for Civil Rights Breach Portal

While there has been a reduction in reported data breaches, there has been an alarming increase in the number of breached records. In Q3, 2023, an astonishing 45,799,584 healthcare records were breached – 53.47% more records than the previous quarter. The Q3 total is only 74,000 records short of the total number of healthcare records breached in all of 2021.

Data Source: HHS’ Office for Civil Rights Breach Portal


Data Successfully Encrypted in 75% of Healthcare Ransomware Attacks

A new report from Sophos on healthcare cybersecurity trends indicates data encryption occurred in 75% of ransomware attacks on healthcare organizations. Only 24% of surveyed healthcare organizations were able to detect an attack in progress and disrupt it before files were encrypted. Sophos says this is the highest rate of encryption and the lowest rate of disruption the company has seen in the past 3 years. Last year, healthcare organizations disrupted 34% of attacks before files were encrypted.

“To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyberattackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos.

Many ransomware gangs use double-extortion tactics, where files are encrypted after data exfiltration and a ransom must be paid to decrypt files and prevent the release of the stolen data. 37% of healthcare ransomware attacks involved these double extortion tactics – an increase from previous years. Ransomware attacks are continuing to grow in sophistication, threat actors are constantly changing and improving their tactics, and attack timelines are speeding up, giving network defenders less time to detect and block attacks. Sophos says the median time from the start of an attack to detection has now fallen to just 5 days. The majority of attacks are also scheduled to occur outside of office hours when staffing levels are lower. Only 10% of attacks were conducted during regular business hours.

The sophisticated nature of attacks has increased the time taken to recover. Only 47% of healthcare organizations were able to recover from a ransomware attack within a week, compared to 54% last year. Recently, the Department of Health and Human Services’ Office for Civil Rights said there has been a 278% increase in ransomware attacks on healthcare organizations over the past four years; however, Sophos’s data indicates there has been a slight reduction in attacks, from 66% of surveyed organizations in 2022 to 60% in 2023. There has also been a sizeable reduction in the number of healthcare organizations paying ransoms. Last year, 61% of healthcare organizations paid a ransom payment following an attack, with just 42% choosing to pay in 2023.

“The ransomware threat has simply become too complex for most companies to go at it alone. All organizations, especially those in healthcare, need to modernize their defensive approach to cybercrime, moving from being solely preventative to actively monitoring and investigating alerts 24/7 and securing outside help in the form of services like managed detection and response (MDR),” said Wisniewski.

Sophos recommends strengthening defenses by using security tools such as end-point protection solutions with strong anti-ransomware and anti-exploit capabilities, implementing zero trust network access to prevent the abuse of compromised credentials, using adaptive technologies that can respond automatically to attacks in progress to buy network defenders more time, and to implement 24/7 threat detection, investigation, and response, whether that is conducted in-house or by a specialized MDR provider.

It is also important to maintain good security hygiene, such as updating software and patching promptly, regularly reviewing security tool configurations, and regularly backing up, practicing recovering data from backups, and maintaining an up-to-date incident response plan.


FBI Shares Intel on Emerging Initial Access Techniques Used by Ransomware Gangs

The Cyber Division of the Federal Bureau of Investigation (FBI) has issued a private industry notification that includes details of emerging techniques that are being used by ransomware gangs to gain initial access to victims’ networks. The FBI has identified several ransomware trends that are emerging or continuing and have been used in multiple attacks since July 2023 to gain initial access to networks. Several attacks have involved the exploitation of vulnerabilities in vendor-controlled remote access to casino servers, and companies have been victimized through legitimate system management tools to elevate network permissions.

The Silent Ransom Group (aka Lunar Moth) has been conducting phishing attacks using messages containing a phone number that must be called to prevent a pending charge to an account. This type of attack is known as callback phishing and has been popular with ransomware gangs since 2022. Since the emails contain no malicious content other than a phone number, the emails are not blocked by email security solutions and often reach their intended targets. To stop the pending account charge, the victim is required to download and install a legitimate system management tool, which is used by the threat actor to access their device. The threat actor can then access local files and shared drives and exfiltrate data. The victim is then extorted.

The FBI recommends all organizations implement the suggested mitigations to harden their defenses against these attacks. The key to defending against these attacks is preparation. Organizations should ensure they maintain offline backups of data, encrypt their backup data, and implement an incident response and recovery plan. Reviews should be conducted of the security posture of all third-party vendors, with priority given to those that have network access. The FBI recommends implementing allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy, and documenting and monitoring external remote connections.

Identity and access management controls are vital. All accounts that require passwords should comply with National Institute of Standards and Technology (NIST) password standards, and phishing-resistant multifactor authentication should be implemented for webmail, virtual private networks, and accounts that access critical systems. Domain controllers, servers, workstations, and Active Directory should be reviewed for unrecognized accounts, user accounts should be audited, and time-based access should be set for accounts at the admin level and higher.

Protective controls and architecture should include the segmenting of networks, the identification, detection, and investigation of abnormal activity and potential traversal with a networking monitoring tool, antivirus tools capable of real-time detection of threats, and close monitoring of the use of remote desktop protocol (RDP).

It is important to ensure that all software, operating systems, and firmware are kept up to date, unused ports and protocols are disabled, command-line and scripting activities and permissions are disabled, devices are properly configured with security features enabled, and the Server Message Block (SMB) protocol is restricted. Controls should also be implemented to improve email security, such as adding a banner to all external emails and disabling hyperlinks in emails.


BlackSuit Ransomware Poses a Credible Threat to the HPH Sector

The Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note about BlackSuit ransomware, a new ransomware group believed to pose a credible threat to the healthcare and public health (HPH) sector.

Security researchers have identified several similarities between BlackSuit ransomware and Royal ransomware, with the latter group having actively targeted the HPH sector like the Conti ransomware group that Royal is believed to have replaced. BlackSuit has already been used in at least one attack on the HPH sector in October this year, so it is fair to assume that BlackSuit will be used in further attacks on the sector. That attack was on a provider of medical scans and radiology services to more than 1,000 hospitals in 48 states.

Like many other ransomware operations, BlackSuit ransomware is used in double extortion attacks, where sensitive data is exfiltrated before file encryption and ransoms must be paid to prevent the release of the stolen data as well as to decrypt the encrypted files. So far, BlackSuit ransomware has only been used in a limited number of attacks; however, activity could be ramped up at any point.

BlackSuit ransomware is believed to be a private group rather than a ransomware-as-a-service operation, and the operation is thought to be run by individuals with experience in conducting ransomware attacks, given the links with Royal and Conti. Some cybersecurity researchers have suggested BlackSuit may be a rebrand of Royal ransomware, which conducted a major attack on a Texas city in May 2023 that attracted considerable media and law enforcement attention. BlackSuit first appeared shortly after that attack, but Royal is still operational; however, because BlackSuit has not been extensively used to date, a rebrand has not been ruled out.

Windows and Linux variants of BlackSuit have been detected, and like Royal ransomware, they use OpenSSL’s AES implementation for encryption. The ransomware uses intermittent encryption, encrypting only portions of each file, which is more efficient and allows files to be encrypted faster. Given the low number of detected attacks, it is difficult to tell which attack methods are favored by the group. The distribution methods most likely used are email attachments containing macros, embedding the ransomware in torrent files, malicious adverts (malvertising), and delivery via other malware variants such as Trojans, droppers, and downloaders, which are commonly distributed via compromised websites, fake software updates, and phishing emails.
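Intermittent encryption has a detection consequence that the note does not spell out: a whole-file entropy check can score a partially encrypted file as ordinary data. The following Python script, added here as an example and not taken from the HC3 note, scores a file block by block instead and flags the mix of near-8.0 and clearly lower blocks that partial encryption leaves behind. The 4096-byte block size, the 7.5 bits/byte threshold, and the constructed sample file are assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096          # bytes per scored block (assumed; tune to the file type)
HIGH_ENTROPY = 7.5    # bits/byte; uniformly random data scores close to 8.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data, chunk=CHUNK):
    """Entropy of each fixed-size block of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def flag_intermittent_encryption(data, chunk=CHUNK, threshold=HIGH_ENTROPY):
    """Return the whole-file score, the per-block scores, the indices of blocks
    that look encrypted, and whether the pattern is consistent with intermittent
    encryption (some, but not all, blocks above the threshold)."""
    scores = chunk_entropies(data, chunk)
    flagged = [i for i, s in enumerate(scores) if s >= threshold]
    return {
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "block_scores": [round(s, 2) for s in scores],
        "encrypted_blocks": flagged,
        "intermittent": 0 < len(flagged) < len(scores),
    }


# --- constructed sample: a text file with two of its eight blocks overwritten ---
def _pseudo_random(seed, size):
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for ciphertext, so the sample is reproducible without any real encryption."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def build_sample():
    """Eight plaintext blocks; blocks 1 and 5 are replaced with random bytes."""
    text = (b"Patient visit note: blood pressure normal, follow-up in six weeks. "
            * 80)[:CHUNK]
    blocks = [text] * 8
    for idx in (1, 5):
        blocks[idx] = _pseudo_random(b"sample-%d" % idx, CHUNK)
    return b"".join(blocks)


if __name__ == "__main__":
    print(flag_intermittent_encryption(build_sample()))
```

On the sample, the whole-file score stays well under the threshold while blocks 1 and 5 are flagged, which is the gap a file-level entropy rule leaves open.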

The HC3 Analyst Note details the MITRE ATT&CK techniques used by the group, Indicators of Compromise (IoCs), and recommended mitigations for hardening defenses. HC3 has also recommended reporting any suspected attacks to the local Federal Bureau of Investigation (FBI) field office and the FBI Internet Crime Complaint Center (IC3).
