URL: https://www.scmagazine.com/news/ransomware/ransomware-cancer-center-alert
RANSOMWARE GANG PREYS ON CANCER CENTERS, TRIGGERS ALERT

Simon Hendery, June 20, 2023


An attack against a U.S. cancer center this month by an obscure ransomware group
has sparked a warning to the healthcare sector about the threat actor’s “rarely
used and very effective” techniques.

While the group, which calls itself TimisoaraHackerTeam (THT), is not widely
known, it has a history of attacking medical facilities by exploiting known
vulnerabilities and using a living-off-the-land approach to minimize detection.

In a notification (PDF) about this month’s cancer center attack, the Department
of Health & Human Services’ Healthcare Sector Cybersecurity Coordination Center
(HC3) said THT was first discovered by researchers in July 2018 and had targeted
healthcare organizations around the world.

“Little is known about the obscure group of hackers, but when its ransomware is
deployed, their rarely used and very effective technique of encrypting data in a
target environment has paralyzed the health and public health (HPH) sector,” the
notification said.

HC3 did not name the THT’s latest target but said the attack on the cancer
center “rendered its digital services unavailable, put the protected health
information of patients at risk, and significantly reduced the ability of the
medical center to provide treatment for patients”.

Research into THT’s tactics, techniques, and procedures (TTPs) suggested a link
between it and suspected Chinese malware groups, including DeepBlueMagic and
APT41, both of which have a history of targeting healthcare organizations. It is
not clear, however, whether the groups share members or simply use similar methods.


WHAT IS A LOTL ATTACK?

Adopting a living-off-the-land (LOTL) approach allowed the groups to encrypt
files without being detected by security solutions. A LOTL attack, sometimes
described as a fileless malware attack, is an adversarial technique that relies
on software already present on the target, such as signed operating-system
utilities and legitimately installed administration or encryption tools, which
are considered friendly and are not red-flagged as malicious. Because no new
binary has to be dropped, signature-based controls have little to match on, and
detection has to rest on how the tools are used (who launched them, from where,
with which arguments) rather than on what they are. For example, an attack may
chain Windows components such as PowerShell and Windows Management
Instrumentation (WMI) to run commands and move around the estate, then use a
built-in encryption feature to do the actual damage.

“Rather than use custom built tools to encrypt the files of the victims like
many ransomware groups, THT's characteristic tactic of abusing legitimate tools
like Microsoft Bitlocker and Jetico's BestCrypt makes them unique among threat
actors,” the notification said.

HC3 said THT’s ransomware attacks seemed to target healthcare organizations with
medium to large server estates, and that the group often exploited known,
publicly documented vulnerabilities (CVEs, Common Vulnerabilities and Exposures
entries) in internet-facing VPN appliances to gain initial remote access into a
victim’s network.


THT EXPLOITS INSTANCES OF UNPATCHED BUG

“THT will usually authenticate into the network using administrative-level
credentials obtained via vulnerability exploitation. Once THT gains initial
access into a victim’s network, they will look to move laterally around the
network,” HC3 said.

“The threat group also utilizes [a now-patched] zero-day vulnerability found in
Microsoft Exchange servers found in early 2021 and recent vulnerabilities in
Fortinet firewalls.”

That was the case in THT’s latest attack on the cancer center, where it targeted
Fortinet’s FortiOS SSL-VPN to exploit CVE-2022-42475, a heap-based buffer
overflow in the SSL-VPN daemon that allows a remote, unauthenticated attacker to
execute arbitrary code or commands by sending specially crafted requests. No
credentials are needed, so any FortiGate running an affected build with its
SSL-VPN portal reachable from the internet is a target. Fortinet’s advisory for
the flaw (FG-IR-22-398, published December 2022) lists the affected and fixed
FortiOS versions, names disabling SSL-VPN as the interim workaround, and noted
at the time that the bug was already being exploited in the wild.
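The practical question for a defender reading this is whether their own FortiGates fall in the affected range and whether the vulnerable service is exposed. The script below is an added example, not Fortinet's, HC3's or SC Media's code: it parses the first line of a FortiOS `get system status` banner, compares the version tuple against the affected ranges for each branch, and separates "vulnerable and exposed" from "vulnerable but SSL-VPN disabled". The ranges in `AFFECTED` are transcribed from advisory FG-IR-22-398 as the author recalls it and should be treated as an assumption to confirm against the advisory; the banners in `FLEET` (models, build numbers, dates) are constructed.

```python
"""Triage a FortiGate against CVE-2022-42475 from its 'get system status' banner.

Added example, not Fortinet's, HC3's or SC Media's code. The version ranges
in AFFECTED are transcribed from Fortinet advisory FG-IR-22-398 as the
author recalls it; treat them as an assumption and confirm against the
advisory before acting on the result. The banner lines used below are
constructed (model, build and date fields are made up).
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# FortiOS branch -> (first affected, last affected, first fixed), per FG-IR-22-398
AFFECTED = {
    (7, 2): ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
    (7, 0): ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
    (6, 4): ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
    (6, 2): ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
    (6, 0): ((6, 0, 0), (6, 0, 15), (6, 0, 16)),
}

# 'get system status' prints e.g. "Version: FortiGate-100F v7.0.8,build0418,221114 (GA.F)"
BANNER_RE = re.compile(r"^Version:\s+\S+\s+v(\d+)\.(\d+)\.(\d+),build(\d+)", re.I | re.M)


def parse_version(banner: str) -> Optional[Version]:
    """Pull the FortiOS major.minor.patch out of the status banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version: Version, sslvpn_enabled: bool) -> dict:
    """Classify one device. Exposure matters: the bug is in sslvpnd, so a vulnerable
    build with the SSL-VPN service disabled is lower urgency but still needs the patch."""
    branch = version[:2]
    if branch not in AFFECTED:
        # Branches the advisory does not list (e.g. 5.x, out of support) get no clean bill of health
        return {"version": version, "status": "not-covered-by-advisory", "upgrade_to": None}
    first, last, fixed = AFFECTED[branch]
    if first <= version <= last:
        status = "vulnerable-exposed" if sslvpn_enabled else "vulnerable-unexposed"
        return {"version": version, "status": status, "upgrade_to": fixed}
    return {"version": version, "status": "fixed", "upgrade_to": None}


def triage(banner: str, sslvpn_enabled: bool) -> dict:
    """Banner text plus an SSL-VPN enabled flag in, verdict out."""
    v = parse_version(banner)
    if v is None:
        return {"version": None, "status": "unparsed", "upgrade_to": None}
    return assess(v, sslvpn_enabled)


# Constructed banners for a few devices; the SSL-VPN flag would come from 'show vpn ssl settings'
FLEET = [
    ("Version: FortiGate-100F v7.0.8,build0418,221114 (GA.F)", True),
    ("Version: FortiGate-60F v7.2.4,build1396,230131 (GA.F)", True),
    ("Version: FortiGate-200E v6.4.10,build2093,221027 (GA.F)", False),
    ("Version: FortiGate-60E v5.6.13,build1714,200427 (GA)", True),
    ("hostname: fw-branch-3", True),
]

if __name__ == "__main__":
    for banner, exposed in FLEET:
        r = triage(banner, exposed)
        print(f"{r['status']:<24} {r['version']} -> upgrade_to={r['upgrade_to']}  [{banner}]")
```

Two design points are worth keeping even if the ranges are swapped for a different CVE: an out-of-support branch is reported as "not covered" rather than "fixed", because absence from an advisory is not evidence of safety, and the exposure flag is carried as a separate input so the same version table can feed both a patch queue and an incident-scoping list.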

TimisoaraHackerTeam gets its name from the Romanian town of Timisoara and
researchers say examination of THT’s source code suggests it was produced by
Romanian speakers.

According to HC3’s notification, an April 2021 attack on a French hospital has
been “loosely attributed” to THT while an August 2021 attack on Hillel Yaffe
Medical Center in Israel was the “most infamous” one carried out by
DeepBlueMagic.

“The [Hillel Yaffe] incident paralyzed the majority of the hospital’s computer
systems, resulting not only in the theft of large amounts of data, including
confidential patient information, but also an inability to access patient files
and the patient registry system, and nonfunctional electric doors,” HC3 said.
“In a matter of days, the targeting of the medical center, which was attributed
to DeepBlueMagic, spurred an additional nine attacks on other hospitals and
health organizations in the country, resulting in the largest cyber attack ever
launched on the Israeli health sector.”


Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance,
and enterprise workflows. With a background in technology journalism and
marketing, he is a passionate storyteller who loves researching and sharing the
latest industry developments.

