Product
Jake Trujillo
Aug 13, 2024
Note: These were the top 10 cyber threats to the Healthcare industry as of October 9th, 2024. To see the latest top 10 cyber threats to the Healthcare industry, click here.
1. CVE-2012-4792
A vulnerability spreading info-stealing malware.
Summary: A vulnerability in Microsoft Defender SmartScreen, identified as CVE-2024-21412, distributes information-stealing malware such as ACR Stealer, Lumma, and Meduza, allowing attackers to bypass security features by using maliciously crafted files. The campaign has been observed targeting users in Spain, Thailand, and the U.S.
Free Advice: Disable or remove Internet Explorer versions 6 through 8 from all systems within the organization to prevent exploitation of the outdated browser.
2. APT45
A North Korean hacker group with ties to Lazarus.
Summary: North Korean hacker group APT45, aka Andariel, has been implicated in extensive cyber espionage and ransomware attacks. APT45 has targeted critical infrastructure, including hospitals, banks, and defense companies, particularly in South Korea.
The group is a subgroup of the Lazarus Group and has been involved in financially motivated attacks as well as traditional espionage. APT45's activities reflect North Korea's geopolitical priorities, with a shift from state-focused espionage to broader targets like healthcare.
Free Advice: Implement multi-factor authentication (MFA) for all users, especially those with access to sensitive information or critical infrastructure systems.
3. CVE-2024-4879
A vulnerability targeting ServiceNow.
Summary: CISA issued an urgent call for federal agencies to patch critical vulnerabilities in ServiceNow, identified as CVE-2024-4879 and CVE-2024-5217, by August 19 due to active exploitation attempts. Between 13,000 and 42,000 ServiceNow systems could be affected, with a significant number of these systems located in the U.S., the UK, India, and the European Union. These vulnerabilities, along with another identified as CVE-2024-5178, pose a risk of database hijacking and data theft.
Free Advice: After patching, verify that the updates have been successfully applied and that the system versions are no longer vulnerable.
4. Agenda
An attack that caused blood supply shortages in the NHS.
Summary: Synnovis, a pathology services provider, has made significant progress in restoring its systems following a ransomware attack on June 3, 2024. Despite these advancements, the NHS has warned of ongoing blood supply shortages, particularly of O-type blood, exacerbated by the cyber-attack. The ransomware group Qilin claimed responsibility for the Agenda attack and has published 400GB of stolen data, including patient information and business documents.
Free Advice: Conduct an immediate security audit of cloud services to identify and patch any vulnerabilities that could be exploited by attackers.
5. APT40
A Chinese cyber-espionage group that has been targeting healthcare groups.
Summary: APT40 is a Chinese cyber-espionage group that has been active since at least 2009. The group employs spear-phishing, exploits vulnerabilities in widely-used software, and adapts Proof-of-Concept (PoC) exploits for new vulnerabilities to gain initial access to target systems. APT40 is known for its ability to maintain persistence in compromised networks using web shells and other mechanisms.
Free Advice: Conduct a network audit to identify and disconnect any end-of-life or unpatched devices that could be exploited.
6. Daixin
A ransomware group threatening to leak 10 million ambulance records.
Summary: Ransomware group Daixin has threatened to release sensitive medical information of 10 million patients on the dark web, claiming to have stolen the data from Louisiana-based Acadian Ambulance. The compromised server contained protected health information, and Acadian is working to identify and notify affected individuals.
Daixin's leak site displays databases with patient records and employee information. No ransom had been paid. Federal authorities had previously warned about Daixin Team targeting the healthcare sector.
Free Advice: Conduct an immediate risk assessment: quickly identify systems that may have been compromised and assess the extent of the breach.
7. RAGroup
A ransomware group that has shifted its focus to healthcare.
Summary: The ransomware group RA Group, now rebranded as RA World, has significantly increased its activities since March 2024, with a notable focus on the healthcare industry. RA World employs a multi-extortion tactic, threatening to leak sensitive data unless their ransom demands are met. They have also introduced a "cost per customer" calculation to quantify their ransom demands publicly. Their operations have predominantly affected organizations in the U.S., followed by Europe and Southeast Asia.
Free Advice: Conduct a review of current backup procedures to ensure they are robust and that backups are stored offline or in a secure, immutable format.
8. SEXi
A group targeting VMware ESXi systems.
Summary: SEXi is a cybercrime group that has attacked VMware ESXi servers since February 2024, encrypting data and demanding ransoms. The ransomware appends ".SEXi" to file names and drops a ransom note named SEXi.txt, instructing victims to contact the extortionists via an encrypted messaging app. There are no known weaknesses in the encryption to recover data without paying, so businesses must rely on uncompromised backups. The group has recently attempted to rebrand as "APT Inc."
Free Advice: Avoid using multi-tenant GPU environments for security-critical processes until a fix is implemented.
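The two file-system artifacts named above, the ".SEXi" suffix on encrypted files and the SEXi.txt ransom note, are enough for a quick sweep of a datastore or backup export. The script below is an added example, not code from the article or from any vendor; the directory layout it scans is constructed inside the script, and the case-insensitive matching is an assumption made here so that casing variants are not missed.

```python
"""Added example (not the article's code): scan a directory tree for the two
file-system artifacts the article attributes to SEXi ransomware, the '.SEXi'
suffix on encrypted files and ransom notes named 'SEXi.txt'."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".SEXi"   # appended to encrypted files (from the article)
NOTE_NAME = "SEXi.txt"       # ransom note file name (from the article)


def scan_for_sexi_artifacts(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk `root` and return paths (relative to root) of suspected encrypted
    files and ransom notes. Matching is case-insensitive on the suffix and the
    note name; that is an assumption made here, not something the article states."""
    root = Path(root)
    findings: dict[str, list[str]] = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            lower = name.lower()
            if lower == NOTE_NAME.lower():
                findings["notes"].append(rel)
            elif lower.endswith(ENCRYPTED_SUFFIX.lower()):
                findings["encrypted"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_tree() -> str:
    """Constructed sample datastore layout for the demonstration; returns its path.
    One VM folder has been 'encrypted' and holds a note, the other is intact."""
    root = tempfile.mkdtemp(prefix="sexi-demo-")
    layout = {
        "vm01/vm01.vmdk.SEXi": b"constructed: encrypted disk",
        "vm01/vm01.vmx.SEXi": b"constructed: encrypted config",
        "vm01/SEXi.txt": b"constructed: ransom note",
        "vm02/vm02.vmdk": b"constructed: intact disk",
        "vm02/notes.txt": b"constructed: unrelated text file",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_for_sexi_artifacts(demo_root)
    print(f"{len(result['encrypted'])} encrypted file(s), {len(result['notes'])} ransom note(s)")
    for kind, paths in result.items():
        for path in paths:
            print(f"  [{kind}] {path}")
```

Point the scanner at a mounted datastore copy or a backup export rather than the live host, and treat any hit on a backup set as a reason to fall back to an older, verified-clean generation, since the article notes there is no known way to recover the data without the attackers' key.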
9. CVE-2024-6327
A vulnerability in Progress Software's Telerik Report Server.
Summary: Progress Software issued fixes for a critical vulnerability in its Telerik Report Server, identified as CVE-2024-6327, which affects all instances before version 10.1.24.709. This vulnerability allows for remote code execution due to insecure deserialization. Additionally, a high-severity issue in Telerik Reporting, CVE-2024-6096, was patched, addressing insecure type resolution that could lead to object injection attacks and remote code execution.
Free Advice: Change the Report Server Application Pool user to one with limited permissions as a temporary mitigation measure, following the instructions in the Telerik knowledge base article.
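Checking an inventory against "all instances before version 10.1.24.709" sounds simple, but comparing version strings as text gets it wrong once a build number grows an extra digit. The following is an added example, not code from the article or from Progress Software: it parses versions numerically, pads short strings, and refuses to count an unreadable version as patched. The inventory is constructed; the same check serves the ServiceNow advice in item 3 once you supply that vendor's fixed version, which the article does not list.

```python
"""Added example, not code from the article or from Progress Software: a small
inventory check that compares installed Telerik Report Server builds with the
first fixed build the article names, 10.1.24.709."""
from __future__ import annotations

FIXED_TELERIK_REPORT_SERVER = "10.1.24.709"  # first fixed build, from the article


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.1.24.709' into (10, 1, 24, 709) so comparison is numeric.
    Comparing the raw strings is wrong: '10.1.24.1000' < '10.1.24.709' as
    text, even though 1000 is the newer build number."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_TELERIK_REPORT_SERVER) -> bool:
    """True when the installed build predates the first fixed build.
    Shorter version strings are padded with zeros ('10.1' == '10.1.0.0')."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed sample inventory: host name -> version reported by the host.
SAMPLE_INVENTORY = {
    "rpt-01": "10.1.24.709",   # exactly the fixed build
    "rpt-02": "10.0.24.130",   # older feature release
    "rpt-03": "10.1.24.1000",  # newer build; string comparison would misjudge it
    "rpt-04": "9.2.24.514",
    "rpt-05": "unknown",       # agent could not read the version
}


def triage(inventory: dict[str, str],
           fixed: str = FIXED_TELERIK_REPORT_SERVER) -> dict[str, list[str]]:
    """Bucket hosts into vulnerable / patched / unparseable for follow-up."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "vulnerable" if is_vulnerable(version, fixed) else "patched"
        except ValueError:
            bucket = "unparseable"  # never silently count an unknown host as patched
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:11s} {', '.join(hosts) or '-'}")
```

The "unparseable" bucket is the one to chase first: a host that cannot report its version is exactly the one most likely to have missed the patch cycle.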
10. Gh0stRAT
A remote-access trojan haunting healthcare.
Summary: Gh0st RAT is a remote access trojan known for its data collection and remote-control capabilities. The campaign uses a dropper, dubbed Gh0stGambit, to deploy the RAT by masquerading as a Google Chrome installer. Once executed, Gh0stGambit performs various evasion techniques, including creating unique GUIDs for file paths, checking for security software processes, and modifying registry entries for persistence. It also uses open-source tools like the Donut loader for executing payloads and an embedded rootkit to conceal its presence.
Free Advice: Implement strict web filtering to block access to known malicious domains and IP addresses associated with this campaign.
Sign up for Fletch to get access to more industry threats.