By: Ravie Lakshmanan
The US Federal Bureau of Investigation (FBI), Departments of Homeland Security, and Health and Human Services (HHS) issued a joint alert Wednesday warning of an “imminent” increase in ransomware and other cyberattacks against hospitals and healthcare providers.
“Malicious cyber actors are targeting the [Healthcare and Public Health] Sector with TrickBot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services,” the Cybersecurity and Infrastructure Security Agency said in its advisory.
The infamous botnet typically spreads via malicious spam email to unsuspecting recipients and can steal financial and personal data and drop other software, such as ransomware, onto infected systems.
It’s worth noting that cybercriminals have already used TrickBot against a major healthcare provider, Universal Health Services, whose systems were crippled by Ryuk ransomware late last month.
TrickBot has also seen a severe disruption to its infrastructure in recent weeks, what with Microsoft orchestrating a coordinated takedown to make its command-and-control (C2) servers inaccessible.
“The challenge here is because of the attempted takedowns, the TrickBot infrastructure has changed and we don’t have the same telemetry we had before,” Hold Security’s Alex Holden told The New York Times.
Although the federal report doesn’t name any threat actor, the advisory makes a note of TrickBot’s new Anchor backdoor framework, which has been recently ported to Linux to target more high-profile victims.
“These attacks often involved data exfiltration from networks and point-of-sale devices,” CISA said. “As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.”
As The Hacker News reported yesterday, Anchor_DNS is a backdoor that allows victim machines to communicate with C2 servers via DNS tunneling to evade network defense products and make their communications blend in with legitimate DNS traffic.
Also coinciding with the warning is a separate report by FireEye, which has called out a financially-motivated threat group it calls “UNC1878” for the deployment of Ryuk ransomware in a series of campaigns directed against hospitals, retirement communities, and medical centers.
Urging the HPH sector to patch operating systems and implement network segmentation, CISA also recommended not paying ransoms, adding it may encourage bad actors to target additional organizations.
“Regularly back up data, air gap, and password protect backup copies offline,” the agency said. “Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.”