Headline
Healthcare in the Crosshairs of North Korean Cyber Operations
CISA, FBI, and South Korean intelligence agencies warn that the North Korean government is sponsoring ransomware attacks to fund its cyber-espionage activities.
Organizations in the US healthcare and public health sector are among the top targets for state-sponsored North Korean cyber-threat actors seeking to fund espionage activities via ransomware and other attacks.
That’s the assessment of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the US Department of Health and Human Services, and South Korean intelligence agencies. In a joint advisory Feb. 9, the group described the North Korean government as using revenues — in the form of cryptocurrency — from these ransomware attacks to fund other cyber operations that include spying on US and South Korean defense sector and defense industrial base organizations.
State-Sponsored Ransomware Attacks With a Mission
“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives,” the advisory said.
The alert also cautioned ransomware victims in healthcare and critical infrastructure sectors against paying ransoms. “Doing so does not guarantee files and records will be recovered and may pose sanctions risks,” it said.
There is little in the advisory to indicate whether it was prompted by new threat intelligence or word about imminent attacks. But it comes amid a continuing increase in ransomware attacks against healthcare entities overall. A report by the Journal of the American Medical Association (JAMA) earlier this year identified a doubling in the number of ransomware attacks against healthcare entities between 2016 and 2021. Of the total 374 ransomware attacks on US healthcare organizations during that period, some 44% disrupted heathcare delivery.
The most common disruptions included systems downtime, cancellations of scheduled care, and ambulance diversions. JAMA’s study found an increase especially in ransomware attacks against large healthcare organizations with multiple facilities between 2016 and 2021.
A June 2022 report from Sophos showed 66% of healthcare organizations experienced at least one ransomware attack in 2021. Sixty-one percent of those attacks ended with the attackers’ encrypting data and demanding a ransom for the decryption key.
“Healthcare saw the highest increase in volume of cyberattacks (69%) as well as the complexity of cyberattacks (67%) compared to the cross-sector average of 57% and 59% respectively,” Sophos said.
New Intel, New Tactics
CISA’s latest cybersecurity advisory this week updates its earlier guidance on state-sponsored ransomware attacks from North Korea directed against the US healthcare and public health sector. It highlighted multiple tactics, techniques, and procedures (TTPs) that North Korean cyber actors are currently employing when executing ransomware attacks against healthcare targets. Most of the TTPs are typical of those observed with ransomware attacks and include tactics like lateral movement and asset discovery.
The advisory also highlighted several ransomware tools — and associated indicators of compromise (IoCs) — that North Korean actors have been using in attacks on healthcare organizations. Among them were privately developed variants such as Maui and H0lyGh0st and publicly available encryption tools such as BitLocker, Deadbolt, Jogsaw, and Hidden Tear.
“In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group,” in an attempt to evade attribution, the advisory said.
In addition to obfuscating their involvement by operating with other affiliates and foreign third parties, North Korean actors frequently use fake domains, personas, and accounts to execute their campaigns, CISA and the others said. “DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.”
The advisory highlighted some of newer software vulnerabilities that state-backed groups in North Korea have been exploiting in their ransomware attacks. Among them were the Log4Shell vulnerability in the Apache Log4j framework (CVE-2021-44228) and multiple vulnerabilities in SonicWall appliances.
CISA’s recommended mitigations against the North Korean threat included stronger authentication and access control, implementing the principle of least privilege, employing encryption and data masking to protect data at rest, and securing protected health information during collection, storage, and processing.
The advisory also urged healthcare entities to maintain isolated backups, develop an incident response plan, update operating systems and applications, and monitor remote desktop protocol (RDP) and other remote access mechanisms.
Related news
Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload. The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
SQL Injection vulnerability in Talend ESB Runtime 7.3.1-R2022-09-RT thru 8.0.1-R2022-10-RT when using the provisioning service.
The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.
A lack of MFA remains one of the biggest impediments to enterprise security.
Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]
Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.
PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.
Commodity malware usage surpasses ransomware by narrow margin By Caitlin Huey. For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments. Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan ...
The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges.
VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.
Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.