Tag Archive for: Providers

North Korean cyberespionage actor Lazarus targets energy providers with new malware



Lazarus, also known as Hidden Cobra or Zinc, is a known nation-state cyberespionage threat actor originating from North Korea, according to the U.S. government. The threat actor has been active since 2009 and has often switched targets over time, probably according to nation-state interests.

Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries including the U.S. It also targeted selected entities to assist strategic sectors such as aerospace and military equipment.

The threat actor is now aiming at energy providers, according to a new report from Cisco Talos.


Attack modus operandi

Lazarus often uses very similar techniques from one attack to the next, as documented by Talos (Figure A).

Figure A: Full attack scheme (cyber kill chain) from the current Lazarus operation. Image: Cisco Talos.

In the campaign reported by Talos, the initial vector of infection is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.

Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.

Talos has witnessed three variants of the attack, each deploying a different malware set: VSingle alone, VSingle together with MagicRAT, or a new malware dubbed YamaBot.

Variations in the attack also involve other tools such as Mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, or reverse tunneling tools such as Plink.

Lazarus also checks for installed antivirus on endpoints and disables Windows Defender antivirus.

The attackers also copy parts of Windows Registry Hives, for offline analysis and possible exploitation of credentials and policy information, and gather information from the Active Directory before creating their own high-privileged users. These users would be removed once the attack is fully in place, in addition to removing temporary tools and cleaning Windows Event logs.

At this point, the attackers then take their time to explore the systems, listing multiple folders and putting those of particular interest, mostly proprietary intellectual property, into a RAR archive file for…


Karakurt ransomware group targeting healthcare providers, HHS warns


The Karakurt ransomware group has attacked at least four health sector organizations in the last three months, a Department of Health and Human Services alert warned.

Provider organizations are being warned to be on the alert for cyberattacks launched by the Karakurt ransomware group after at least four attacks by the threat actors against the healthcare sector in the last three months.

Those observed attacks included an assisted living facility, a dental firm, a provider and a hospital.

An alert from the Department of Health and Human Services Cybersecurity Coordination Center (HC3) notes that while Karakurt emerged in late 2021, their impact is heightened by their likely ties to the Conti ransomware group, either as a working relationship or as a side business of Conti.

Federal agencies have long warned of the risk the Conti ransomware group poses to the healthcare sector, having successfully targeted more than 16 providers since early 2021. 

The Karakurt actors’ attack flow mirrors typical ransomware groups, claiming to steal data and threatening to auction it off on the dark web or release it to the public unless their demands are met. The ransoms range from $25,000 to $13,000,000 in Bitcoin with deadlines often set to expire within just one week of the initial contact by the cybercriminals.

What’s most troubling about Karakurt is their “extensive harassment campaigns against victims to shame them,” according to HC3.

This was recently evidenced by the Karakurt campaign against Methodist McKinney Hospital in early July. The actors threatened to release the data they allegedly stole from the hospital system, but Methodist McKinney instead informed patients of the ongoing attack and continued investigation about the possible data theft.

Karakurt gains access by purchasing stolen login credentials through cybercrime partners who may provide the group with access to already compromised victims, or by “buying access to already compromised victims via third-party intrusion broker networks.” Among the weaknesses it exploits are outdated SonicWall VPNs, Log4j, phishing, and outdated Windows Servers.

The impact is also caused by…


Why North Korea Ransomware Attacks Target U.S. Health Care Providers


The U.S. Department of Justice (DOJ) announced this week that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States. DOJ filed a complaint in the District of Kansas asking that the forfeited Bitcoin be returned to the victims of the attacks, which were healthcare providers in Kansas and Colorado.

The attacks caused extensive disruption to IT systems and medical services and put patient safety at risk. The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The Kansas provider had alerted the FBI when the ransomware attack occurred. As a result, the FBI was able to observe a $120,000 bitcoin payment into one of the seized accounts that was separately being paid by the health care provider in Colorado.

The attack was traced to a North Korean hacking group that is suspected of receiving backing from the DPRK. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying…


SPHINX Real-time Cyber Risk Assessment