CISA, FBI Share Latest Threat Intelligence on Phobos Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have shared the latest threat intelligence about Phobos ransomware, which has been used to attack municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities. Phobos ransomware is related to multiple ransomware variants, including Eking, Eight, Devos, Backmydata, and Faust. The Backmydata variant was used in a February 2024 attack in Romania that resulted in systems being taken offline at around 100 healthcare facilities.

Phobos ransomware is operated as a ransomware-as-a-service (RaaS) group that has been active since May 2019. The group commonly gains access to victims’ networks through phishing campaigns that deliver malware via spoofed attachments with hidden payloads, including the Smokeloader backdoor trojan. Affiliates also use IP scanning tools such as Angry IP Scanner to identify exposed Remote Desktop Protocol (RDP) ports, which are then subjected to brute force attacks, and affiliates have been observed leveraging RDP to attack Microsoft Windows devices. Attacks often involve Cobalt Strike, Bloodhound, and Sharphound; Mimikatz to obtain credentials; and NirSoft and Remote Desktop PassView to export browser client credentials.

Phobos engages in double extortion tactics, where sensitive data is exfiltrated in addition to file encryption and victims have to pay for the keys to decrypt data and to prevent the publication of their stolen data on the group’s data leak site. Volume shadow copies are deleted from Windows environments to hinder attempts to recover without paying the ransom. The ransom demands are often of the order of several million dollars.
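Two of the behaviours described above leave traces in ordinary Windows Security auditing: a burst of failed RDP logons from one source (event 4625 with logon type 10, often followed by a successful 4624 from the same source once a password is guessed) and a process-creation event (4688, with command-line logging enabled) that deletes volume shadow copies. The following is an added detection sketch, not code from the CISA/FBI advisory; the log lines are constructed in a simplified key=value export format, the thresholds are assumptions, and the `vssadmin` pattern is only the most common form of shadow copy deletion, so it should be treated as one signature among several a real detection would carry.

```python
"""Detection sketch for two Phobos-style behaviours (added example, not advisory code):
RDP brute force bursts (event 4625, logon type 10) and shadow copy deletion (event 4688).
All log lines below are constructed sample data, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one simplified Windows Security event per line, rendered as
# "<ISO timestamp> EventID=<id> key=value ...". Real exports (EVTX, Sysmon, a SIEM)
# carry the same fields under different names.
SAMPLE_EVENTS = [
    "2024-02-20T03:14:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2024-02-20T03:14:02 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7",
    "2024-02-20T03:14:02 EventID=4625 LogonType=10 Account=backup Source=203.0.113.7",
    "2024-02-20T03:14:03 EventID=4625 LogonType=10 Account=scanner Source=203.0.113.7",
    "2024-02-20T03:14:04 EventID=4625 LogonType=10 Account=sql Source=203.0.113.7",
    "2024-02-20T03:14:05 EventID=4624 LogonType=10 Account=sql Source=203.0.113.7",
    "2024-02-20T09:00:00 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.4",
    "2024-02-20T09:30:00 EventID=4625 LogonType=2 Account=jsmith Source=-",
    '2024-02-20T03:20:11 EventID=4688 Account=sql CommandLine="vssadmin.exe delete shadows /all /quiet"',
    '2024-02-20T10:00:00 EventID=4688 Account=jsmith CommandLine="notepad.exe report.txt"',
]

# key=value pairs; values may be double-quoted when they contain spaces.
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed signature for the most common shadow copy deletion command (MITRE T1490).
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split a sample line into a field dict with a parsed 'time' value."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in PAIR_RE.findall(rest)}
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Return {source: peak_failures} for sources with >= threshold failed RDP logons
    (4625, logon type 10) inside any window-long span. Uses a sliding window over
    sorted timestamps so a slow, spread-out trickle is not flagged."""
    failures = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4625" and e.get("LogonType") == "10":
            failures[e["Source"]].append(e["time"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            span = end - start + 1
            if span >= threshold:
                flagged[src] = max(flagged.get(src, 0), span)
    return flagged


def success_after_bruteforce(events, flagged_sources) -> list:
    """Accounts that logged on successfully over RDP from a flagged source:
    the strongest signal that a guessed password actually worked."""
    return sorted({e["Account"] for e in events
                   if e.get("EventID") == "4624" and e.get("LogonType") == "10"
                   and e.get("Source") in flagged_sources})


def shadow_copy_deletions(events) -> list:
    """Process-creation events whose command line deletes volume shadow copies."""
    return [e for e in events if e.get("EventID") == "4688"
            and SHADOW_DELETE_RE.search(e.get("CommandLine", ""))]


def run(lines=SAMPLE_EVENTS) -> dict:
    events = [parse_event(line) for line in lines]
    flagged = rdp_bruteforce_sources(events)
    return {
        "bruteforce_sources": flagged,
        "compromised_accounts": success_after_bruteforce(events, flagged),
        "shadow_copy_deletions": [(e["Account"], e["CommandLine"])
                                  for e in shadow_copy_deletions(events)],
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

On the constructed sample, the single source 203.0.113.7 is flagged with five failures in four seconds, the `sql` account is reported as logging on from that source afterwards, and the one shadow-copy deletion is attributed to the same account; the lone failure from 198.51.100.4 and the console (type 2) failure are ignored. Event 4688 only carries a command line if the "Include command line in process creation events" audit policy is enabled, which is why many environments instead feed Sysmon event 1 or an EDR process telemetry into the same logic.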

The Health Sector Cybersecurity Coordination Center issued an alert about Phobos ransomware in July 2021 after several attacks on organizations in the healthcare and public health sector. The latest alert shares updated tactics, techniques, and procedures used by the group in attacks up to February 2024, along with the latest Indicators of Compromise (IoCs), MITRE ATT&CK techniques, and recommended mitigations.

The post CISA, FBI Share Latest Threat Intelligence on Phobos Ransomware appeared first on HIPAA Journal.

Egyptian Health Department Cyberattack Affects Up to 100,000 Individuals

Egyptian Health Department (EHD) in Eldorado, IL, has recently announced a data breach affecting up to 100,000 patients. EHD suffered a cyberattack on December 21, 2023, and while the forensic investigation is still ongoing, evidence has been found that indicates folders on its network were accessed by an unauthorized individual. Those folders contained files that included patients’ protected health information and employee data.

The exposed patient data included names, dates of birth, medical information, and health insurance claims information. The exposed employee data included names, Social Security numbers, driver’s license numbers or other government-issued IDs, financial account information, and/or insurance information. EHD is still investigating the incident to determine the potentially impacted employees and patients and will mail notifications when that process is completed.

EHD has taken several steps to improve security, including creating new domain controllers, moving the SMB network shares off the domain controllers to a dedicated virtual machine, conducting permission audits on shared folders, limiting SharePoint Server to internal access only, installing SentinelOne and Huntress on all equipment, and implementing password protection on spreadsheets containing PHI.

McKenzie County Healthcare System Announces Email Account Breach

McKenzie County Healthcare System in North Dakota has identified unauthorized access to an employee email account. The breach was detected on or around October 5, 2023, and the forensic investigation confirmed an unauthorized individual accessed a single email account between October 2 and October 5, 2023.

A review was conducted of all emails and attachments in the account, and it was confirmed that the protected health information of 21,000 patients had been exposed. The exposed data included names, addresses, medical information, and health insurance information. No evidence was found to indicate any of that information has been misused.

Forward Healthcare Impacted by MOVEit Hack at Business Associate

Forward Healthcare has confirmed that the protected health information of 3,999 patients was compromised in a cyberattack on its business associate, Philips Respironics. On December 20, 2023, Philips Respironics notified Forward Healthcare that data was compromised in a May 31, 2023, cyberattack in which access was gained to its Care Orchestrator and Encore Anywhere software solutions after a zero-day vulnerability in the MOVEit Transfer solution was exploited. The data potentially stolen in the attack included names and personal and medical information.

Email Account Breached at Maryville Addiction Treatment Centers

Maryville Addiction Treatment Centers in New Jersey have started notifying 155,03 patients about a breach of an employee email account. The security breach was detected on or around August 22, 2023, and the forensic investigation revealed there had been unauthorized access to the account between August 21 and August 22, 2023.

The review of the account confirmed the following data was exposed: full names, Social Security numbers, medical treatment information, health insurance information, dates of birth, financial account information, and government identification. Maryville said there are no indications that any of the exposed information has been misused.

Cencora Confirms Recent Cyberattack Involved Data Exfiltration

The Fortune 500 pharmaceutical firm Cencora said in a filing with the Securities and Exchange Commission (SEC) that it has experienced an intrusion and that data was exfiltrated from its network. Cencora said the attack did not have a material impact on its operations, but it is too early to tell whether the incident will have any material impact on its financial condition.

Cencora said it discovered unauthorized activity within its systems, took immediate action to contain the threat, and reported the incident to law enforcement. Third-party cybersecurity experts have been engaged to assist with the investigation. Data exfiltration was confirmed on February 21, 2024, but an announcement has yet to be made about the nature of the impacted data.

California Department of State Hospitals Alerts Patients About SSN Exposure

The State of California – Department of State Hospitals Atascadero (DSH-A) has started notifying certain patients about a security incident discovered on February 15, 2024, in which Leave and Activity Balance (LAB) reports were exposed. The reports were disseminated to DSH-A staff for use in timesheet approval and contained confidential information such as names and Social Security numbers. DSH has launched an investigation to determine whether the reports have been improperly accessed and is in the process of arranging complimentary identity theft protection services for the affected individuals. At this stage, it is unclear how many individuals have been affected.


Feds Sound Alarm as ALPHV/Blackcat Ransomware Group Targets Healthcare

A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) to share known Indicators of Compromise (IoCs) and the latest Tactics, Techniques, and Procedures (TTPs) used by the ALPHV/Blackcat ransomware group.

In December 2023, the U.S. Department of Justice (DOJ) announced that it had disrupted the operations of ALPHV/Blackcat. An FBI agent posed as an affiliate and gained access to the group’s computer network, resulting in the seizure of several of the websites operated by the group. Around 900 public/private key pairs were obtained, which allowed a decryption tool to be developed to help victims recover their files. Within hours of the DOJ announcement, a spokesperson for the group said it had unseized the websites and issued a threat of retaliation. The group said the restrictions that were in place for affiliates had been removed. “You can now block hospitals, nuclear power plants, anything, anywhere,” wrote ALPHV/Blackcat, and attacks on hospitals were actively encouraged. The only rule that remained was the restriction on attacks within the Commonwealth of Independent States (CIS).

According to the cybersecurity alert, hospitals appear to have been the main focus for the group. Since December 2023, ALPHV/Blackcat has added the data of 70 victims to its data leak site, and the healthcare sector has been the most victimized. While the alert does not reference specific healthcare victims, one of the latest is Change Healthcare. ALPHV/Blackcat claims to have stolen 6TB of data in the attack, including data from all of its clients, among them Medicare, CVS Caremark, Health Net, and Tricare. Change Healthcare was briefly added to the group’s data leak site the day after the cybersecurity alert was released.

The alert explains that ALPHV/Blackcat affiliates often pose as IT technicians or helpdesk staff to steal credentials from employees and gain initial access to healthcare networks. The group also gains initial access through phishing, using the Evilginx phishing kit to steal multifactor authentication codes, session cookies, and login credentials. Affiliates install legitimate remote access software such as AnyDesk, Mega sync, and Splashtop to prepare for data exfiltration; tunneling tools such as Plink and Ngrok; and Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. Affiliates move laterally to extensively compromise networks and use allowlisted applications such as Metasploit to avoid detection.

While many ALPHV/Blackcat affiliates engage in double extortion – data theft and file encryption – some choose not to encrypt files and only steal data, then threaten to publish that data if a ransom is not paid. This approach allows faster attacks with a lower chance of detection. The alert shares the latest IoCs, MITRE ATT&CK tactics and techniques, incident response recommendations, and mitigations for improving cybersecurity posture, one of the most important being phishing-resistant multifactor authentication such as FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA.
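The reason FIDO/WebAuthn is recommended over one-time codes against a kit like Evilginx is mechanical: a TOTP or push code carries no information about which site asked for it, so a proxy site can forward it to the real one, whereas a WebAuthn assertion is bound to the origin the browser actually loaded and to the relying party ID, and the server rejects anything else. The following is an added example of those server-side binding checks, not code from the advisory or from any WebAuthn library; the relying party ID, the `.test` hostnames, and the simplified authenticator data layout are constructed for illustration, and the signature verification that a real relying party performs after these checks is deliberately left out so the origin and RP ID binding stands alone.

```python
"""Server-side WebAuthn checks that bind an assertion to the genuine origin (added
example, not advisory or library code). Shows why a proxy-phishing page on another
hostname cannot replay a FIDO assertion the way it can replay a one-time code.
Signature verification over authenticatorData || SHA-256(clientDataJSON) is omitted."""
import base64
import hashlib
import json
import os

RP_ID = "portal.example-hospital.test"           # assumed relying party ID (.test is reserved)
EXPECTED_ORIGIN = "https://" + RP_ID
PHISHING_HOST = "portal.example-hospital-login.test"  # constructed look-alike hostname


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """The clientDataJSON a browser builds for navigator.credentials.get(): the browser,
    not the page, fills in 'origin', so a proxy page cannot choose it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags (1 byte) || signCount (4 bytes, big-endian).
    The browser only lets a page use an rpId that is a registrable suffix of its own
    origin's host, so a look-alike host yields a different rpIdHash."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_challenge: bytes, expected_origin: str, rp_id: str):
    """Return (ok, reason) after the origin/challenge/rpIdHash steps of assertion
    verification. A real relying party continues with signature verification."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def simulate(origin_seen_by_browser: str, rp_id_used_by_browser: str):
    """One login ceremony: the server issues a fresh challenge, the browser on the given
    origin answers it, and the server checks the binding."""
    challenge = os.urandom(32)
    cd = make_client_data(challenge, origin_seen_by_browser)
    ad = make_authenticator_data(rp_id_used_by_browser)
    return verify_binding(cd, ad, challenge, EXPECTED_ORIGIN, RP_ID)


def replayed_assertion():
    """An assertion captured for one challenge and presented against another."""
    old_challenge, new_challenge = os.urandom(32), os.urandom(32)
    cd = make_client_data(old_challenge, EXPECTED_ORIGIN)
    ad = make_authenticator_data(RP_ID)
    return verify_binding(cd, ad, new_challenge, EXPECTED_ORIGIN, RP_ID)


if __name__ == "__main__":
    print("genuine site :", simulate(EXPECTED_ORIGIN, RP_ID))
    print("proxy site   :", simulate("https://" + PHISHING_HOST, PHISHING_HOST))
    print("replay       :", replayed_assertion())
```

The genuine ceremony passes; the same user completing the same ceremony on the look-alike host fails at the origin check (and would fail the rpIdHash check too, because the browser would not let that page use the real site's RP ID); and an assertion captured earlier fails the challenge check. Session cookies issued after a successful login are a separate matter, which is why the advisory's cookie-theft point still calls for short-lived, bound sessions alongside phishing-resistant MFA.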
