US hospitals and health care providers are facing an “increased and imminent” cybercrime threat, the Federal Bureau of Investigation (FBI) and two other federal agencies have warned.
The FBI, together with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (DHHS), says it has “credible information” that malicious cyber actors are targeting the health sector with Trickbot malware, leading to ransomware attacks, disruption of services and data theft.
In an advisory note published this week the agencies are urging healthcare providers to take precautions against the threats and to ensure business continuity plans are in place in case of an emergency.
It outlines threats posed by a new Trickbot module named Anchor, used in attacks targeting high-profile victims such as large organisations. These attacks often involved data exfiltration from networks and point-of-sale devices. It described a new tool called Anchor_DNS, a backdoor that allows victim machines to communicate with command and control servers over the Domain Name System (DNS) to evade typical network defence products and make their malicious communications blend in with legitimate DNS traffic.
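From a defender's side, the tell of C2 tunnelled over DNS is what the advisory describes: many lookups whose subdomain labels look like encoded data rather than hostnames. The following is an added illustration, not code from the advisory or from the agencies, that scores constructed DNS query logs in a hypothetical "<client> <qname> <qtype>" format with illustrative thresholds and a simplified registered-domain split.

```python
import math
from collections import defaultdict

# Constructed sample lines in a hypothetical "<client> <qname> <qtype>" format;
# 10.0.0.7 shows the beacon pattern: many unique, encoded-looking labels.
SAMPLE_LOG = """\
10.0.0.5 www.example.org A
10.0.0.5 mail.example.org MX
10.0.0.7 a3f9c1e7b2d4.cdn-updates.example A
10.0.0.7 7b2d4e0a9c1f.cdn-updates.example TXT
10.0.0.7 c1f8e2a97d3b.cdn-updates.example TXT
10.0.0.7 e2a97d3b5f0c.cdn-updates.example TXT
10.0.0.7 9d3b5f0c2a1e.cdn-updates.example TXT
10.0.0.9 login.example.org A
"""

def shannon_entropy(s):
    """Bits per character; encoded beacons score higher than ordinary hostnames."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_qname(qname):
    """(subdomain, registered domain). Assumption: registered domain is the last
    two labels; a real deployment would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(log_text, min_queries=4, min_unique_ratio=0.9, min_entropy=3.0):
    """Flag domains whose subdomains are mostly unique and high-entropy, the
    signature of data encoded into DNS labels. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": [], "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines in real logs
        _client, qname, qtype = parts
        sub, dom = split_qname(qname)
        st = stats[dom]
        st["queries"] += 1
        st["subs"].add(sub)
        st["ent"].append(shannon_entropy(sub.replace(".", "")))
        st["txt"] += qtype == "TXT"  # TXT records can carry tasking back to the bot
    flagged = {}
    for dom, st in stats.items():
        ratio = len(st["subs"]) / st["queries"]
        avg_ent = sum(st["ent"]) / len(st["ent"])
        if st["queries"] >= min_queries and ratio >= min_unique_ratio and avg_ent >= min_entropy:
            flagged[dom] = {"queries": st["queries"], "unique_ratio": round(ratio, 2),
                            "avg_entropy": round(avg_ent, 2), "txt_queries": st["txt"]}
    return flagged
```

Running `analyze(SAMPLE_LOG)` flags only `cdn-updates.example`; the ordinary `example.org` lookups fall below every threshold.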
The advisory outlines risks posed by the notorious Ryuk family of ransomware.
It said: “Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and Active Directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP).”
The agencies are recommending healthcare providers review business continuity plans.
“Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations”, it warns. The agencies say healthcare organisations should also review or establish patching plans, security policies and user agreements.
The advisory note lists technical details of the threats posed and suggested mitigations and best practices for countering them.
What action should US healthcare providers take? Below are some of the suggestions in the advisory note:
Network Best Practices
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access.
- Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
Ransomware Best Practices
- Regularly back up data, air gap, and password protect backup copies offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
User Awareness Best Practices
- Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.