DIRECTORY

  • Alerts
  • APTs
  • Blog
  • Books
  • Certifications
  • Cheat Sheets
  • Courses
  • Cyber Briefing
  • CyberDecoded
  • CyberReview
  • CyberStory
  • CyberTips
  • Definitions
  • Domains
  • Entertainment
  • FAQ
  • Frameworks
  • Hardware Tools
  • Incidents
  • Malware
  • News
  • Papers
  • Podcasts
  • Quotes
  • Reports
  • Tools
  • Threats
  • Tutorials
No Result
View All Result
  • Login
  • Register
  • Cyber Citizens
  • Cyber Professionals
  • Institutions
CyberMaterial
Get Help
  • Cyber Citizens
  • Cyber Professionals
  • Institutions
CyberMaterial
No Result
View All Result
Get Help
CyberMaterial
Home Alerts

Ransomware Activity Targeting the Healthcare and Public Health Sector

by CISA

November 3, 2020
Reading Time: 4 mins read
in Alerts

Alert (AA20-302A)

This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

Click here for a PDF version of this report.

Key Findings

  • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
  • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

Technical Details

Threat Details

The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.

TrickBot

What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.

In early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created anchor_dns, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.

anchor_dns is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. anchor_dns uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string anchor_dns can be found in the DNS request traffic.

TrickBot Indicators of Compromise

After successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.

  • C:\Windows\
  • C:\Windows\SysWOW64\
  • C:\Users\[Username]\AppData\Roaming\

Once the executable is running and successful in establishing communication with C2s, the executable places appropriate modules downloaded from C2s for the infected processor architecture type (32 or 64 bit instruction set), to the infected host’s %APPDATA% or %PROGRAMDATA% directory, such as %AppData\Roaming\winapp. Some commonly named plugins that are created in a Modules subdirectory are (the detected architecture is appended to the module filename, e.g., importDll32 or importDll64):

  • Systeminfo
  • importDll
  • outlookDll
  • injectDll with a directory (ex. injectDLL64_configs) containing configuration files:
    • dinj
    • sinj
    • dpost
  • mailsearcher with a directory (ex. mailsearcher64_configs) containing configuration file:
    • mailconf
  • networkDll with a directory (ex. networkDll64_configs) containing configuration file:
    • dpost
  • wormDll
  • tabDll
  • shareDll

Filename client_id or data or FAQ with the assigned bot ID of the compromised system is created in the malware directory. Filename group_tag or Readme.md containing the TrickBot campaign IDs is created in the malware directory.

The malware may also drop a file named anchorDiag.txt in one of the directories listed above.

Read more

Tags: AlertsAlerts 2020AnchorattacksCISAContiCyber threatNovemberRansomwareTrickbotTrojansUSAvirus
3
VIEWS
ADVERTISEMENT

Related Posts

Cyber Espionage in North Africa

Cyber Espionage in North Africa

June 9, 2023
Barracuda Urges ESG Appliance Replacement

Barracuda Urges ESG Appliance Replacement

June 9, 2023
North Korean Kimsuky: Targeting Experts

North Korean Kimsuky: Targeting Experts

June 9, 2023
Belarusian Hackers: Cybercrime and Espionage

Belarusian Hackers: Cybercrime and Espionage

June 9, 2023

More Articles

Book

The Technology Tail: A Digital Footprint Story (Communicate with Confidence)

December 15, 2021
Jobs

XOR Security – Cyber Hunt/Deception Operations SME

January 12, 2023
Incidents

Beanstalk Farms Lost $180M in Flash Loan Attack

April 18, 2022
Alerts

HPE security advisory (AV23-095)

February 16, 2023

Security through data

Cybersecurity Domains

  • API Security
  • Business Continuity
  • Career Development
  • Compliance
  • Cryptography
  • HSM
  • KPIs / KRIs
  • Penetration Testing
  • Shift Left
  • Vulnerability Scan

Emerging Technologies

  • 5G
  • Artificial Intelligence
  • Blockchain
  • Cryptocurrency
  • Deepfake
  • E-Commerce
  • Healthcare
  • IoT
  • Quantum Computing

Frameworks

  • CIS Controls
  • CCPA
  • GDPR
  • NIST
  • 23 NYCRR 500
  • HIPAA

Repository

  • Books
  • Certifications
  • Definitions
  • Documents
  • Entertainment
  • Quotes
  • Reports

Threats

  • APTs
  • DDoS
  • Insider Threat
  • Malware
  • Phishing
  • Ransomware
  • Social Engineering

© 2023 | CyberMaterial | All rights reserved.

World’s #1 Cybersecurity Repository

  • About
  • Legal and Privacy Policy
  • Site Map
No Result
View All Result
  • Audience
    • Cyber Citizens
    • Cyber Professionals
    • Institutions
  • Highlights
    • Blog
    • CyberDecoded
    • Cyber Review
    • CyberStory
    • CyberTips
  • Cyber Risks
    • Alerts
    • Attackers
    • Domains
    • Incidents
    • Threats
  • Opportunities
    • Events
    • Jobs
  • Repository
    • Books
    • Certifications
    • Cheat Sheets
    • Courses
    • Definitions
    • Frameworks
    • Games
    • Hardware Tools
    • Memes
    • Movies
    • Papers
    • Podcasts
    • Quotes
    • Reports
  • Report Cyber Incident
  • GET HELP

Subscribe to our newsletter

© 2022 Cybermaterial - Security Through Data .

Welcome Back!

Sign In with Google
Sign In with Linked In
OR

Forgotten Password? Sign Up

Create New Account!

Sign Up with Google
Sign Up with Linked In
OR

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.