Thought leadership. threat analysis, news and alerts.
Increased Cybercrime Threat to Canadian Healthcare Organizations
In recent months, threat actors have launched cyberattacks against organizations in the healthcare sector, including those based in Canada, according to the latest report released by Microsoft.
In the blog post "Cyberattacks targeting health care must stop," Tom Burt, Corporate Vice President for Customer Security and Trust at Microsoft, said that the targets include organizations in the health sector in Canada, France, India, South Korea and the United States. Burt identified three threat groups and gave these threat groups codename: Strontium, Zinc and Cerium.
According to Burt, Strontium uses password spray and brute force login attempts to steal login credentials. “These are attacks [password spray and brute force login attempts] that aim to break into people’s accounts using thousands or millions of rapid attempts,” Burt said.
Password spray refers to a cyberattack that uses a small number of common passwords to brute force large numbers of accounts. Brute force attack, meanwhile, refers to a cyberattack that uses the trial-and-error method in guessing the correct username and password combination.
According to the Corporate Vice President for Customer Security and Trust at Microsoft, Zinc and Cerium use spear-phishing lures for credential theft. Spear-phishing is a cyberattack in which a threat actor, masquerading as a trusted individual or entity, tricks targeted individuals into clicking a bogus email, text message or instant message.
In the case of the threat actor Zinc, the Corporate Vice President for Customer Security and Trust at Microsoft said the spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters, while threat actor Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organization representatives.
Ransomware Attacks in the Healthcare Sector
The Canadian, Australian, the U.S. and UK Governments, meanwhile, issued separate alerts warning about the increased ransomware activity targeting the healthcare sector. Ransomware is a type of cyberattack that uses a malicious software (malware) that encrypts victims’ files, locking out victims of these files.
In traditional ransomware attacks, attackers demand from the victims ransom in exchange for the keys that would unlock the encrypted files. Modern-day ransomware attackers not just demand ransom to unlock the encrypted files, they also demand ransom in exchange for not publishing the stolen files gathered during the ransomware attack.
In September of this year, the University Hospital Düsseldorf in Germany reported a ransomware attack. The attack rendered 30 servers used by the hospital inoperable, forcing the hospital to turn away patients even those with life-threatening conditions.
According to German authorities, a patient with a life-threatening condition was turned away and sent to another hospital some 20 miles away and died as a result of the treatment delay. This is the first reported death as a result of a cyberattack.
Threat Actors Tool Evolution
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued the alert “Ransomware Activity Targeting the Healthcare and Public Health Sector,” warning that threat actors targeting the U.S. healthcare sector use the malware called “BazarLoader,” often leading to ransomware attacks, data theft, and the disruption of healthcare services.
In a recent alert “Renewed Cyber Threats to Canadian Health Organizations,” the Canadian Centre for Cyber Security (Cyber Centre) said threat actors targeting the Canadian healthcare sector have been observed using the BazarLoader malware for initial compromise on victims’ networks for the eventual deployment of the ransomware called “Conti,” believed to be the successor of Ryuk ransomware. The Cyber Centre said that the BazarLoader malware is typically deployed via a phishing email.
Phishing, in general, doesn’t have a particular target as its aim is to victimize whoever takes the bait. Opposite to phishing is spear-phishing which targets certain individuals or organizations.
The BazarLoader malware, the Canadian Centre for Cyber Security said, provides a backdoor through which additional malware is introduced to the victim’s network. Once inside the victim’s network, the Cyber Centre said, the malware called “Anchor” is used to maintain a presence on the network. Anchor is comprised of a framework of tools that allows the covert uploading of malicious tools, and, once done, to remove any evidence of malicious activity.
The Australian Cyber Security Centre, meanwhile, issued its own alert "SDBBot Targeting Health Sector," warning that it has observed increased targeting activity against the Australian health sector by threat actors using the SDBBot Remote Access Tool for the eventual deployment of ransomware called “Clop.”
SDBBot has three components: 1) an installer that allows threat actors to establish persistence on the victim’s network; 2) a loader that downloads additional components; and 3) the remote access tool itself allows threat actors full control of compromised computers, remotely. Once inside the victims’ networks, threat actors also use SDBBot to move within the victims’ networks and steal data.
Cybersecurity Best Practices
Below are some of the cybersecurity best practices to mitigate the risks:
Is your organization at risk? Let us help you evaluate your controls quickly and efficiently.
Email us today at firstname.lastname@example.org and sleep better at night knowing that your business is well protected against cybercriminals.
Steve E. Driz, I.S.P., ITCP