www.scmagazine.com
https://www.scmagazine.com/news/ransomware/ransomware-cancer-center-alert
Submission: On June 21 via api from TR — Scanned from DE
Ransomware, Cybercrime

Ransomware gang preys on cancer centers, triggers alert

Simon Hendery, June 20, 2023

An attack against a U.S. cancer center this month by an obscure ransomware group has sparked a warning to the healthcare sector about the threat actor's "rarely used and very effective" techniques.

While the group, which calls itself TimisoaraHackerTeam (THT), is not widely known, it has a history of attacking medical facilities by exploiting known vulnerabilities and using a living-off-the-land approach to minimize detection.

In a notification (PDF) about this month's cancer center attack, the Department of Health & Human Services' Healthcare Sector Cybersecurity Coordination Center (HC3) said THT was first discovered by researchers in July 2018 and had targeted healthcare organizations around the world.

"Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector," the notification said.

HC3 did not name THT's latest target but said the attack on the cancer center "rendered its digital services unavailable, put the protected health information of patients at risk, and significantly reduced the ability of the medical center to provide treatment for patients."

Research into THT's tactics, techniques, and procedures (TTPs) suggested a link between it and suspected Chinese malware groups including DeepBlueMagic and APT41, both of which have a history of targeting healthcare organizations. It is not clear, however, whether the groups shared members or simply used similar methods.

What is a LOTL attack?

Adopting a living-off-the-land (LOTL) approach allowed the groups to encrypt files without being detected by security solutions.

A LOTL attack, sometimes described as a fileless malware attack, is an adversarial technique that relies on applications already considered legitimate and therefore not flagged as malicious. For example, an attack may use built-in Windows tools such as PowerShell and Windows Management Instrumentation (WMI) to open a system up to a malware attack.

"Rather than use custom built tools to encrypt the files of the victims like many ransomware groups, THT's characteristic tactic of abusing legitimate tools like Microsoft Bitlocker and Jetico's BestCrypt makes them unique among threat actors," the notification said.

HC3 said THT's ransomware attacks seemed to target healthcare organizations with medium to large servers, and the group often employed Common Vulnerability Exploitations (CVEs) against vulnerable VPNs to gain initial remote access into a victim's network.

THT exploits instances of unpatched bug

"THT will usually authenticate into the network using administrative level credentials obtained via vulnerabilities exploitation. Once THT gains initial access into a victim's network, they will look to move laterally around the network," HC3 said. "The threat group also utilizes [a now patched] zero-day vulnerability found in Microsoft Exchange servers in early 2021 and recent vulnerabilities in Fortinet firewalls."

That was the case in THT's latest attack on the cancer center, where it targeted Fortinet's FortiOS SSL-VPN to exploit CVE-2022-42475, a heap-based buffer overflow vulnerability that allows remote attackers to execute code or commands using specially crafted requests.

TimisoaraHackerTeam gets its name from the Romanian town of Timisoara, and researchers say examination of THT's source code suggests it was produced by Romanian speakers.

According to HC3's notification, an April 2021 attack on a French hospital has been "loosely attributed" to THT, while an August 2021 attack on Hillel Yaffe Medical Center in Israel was the "most infamous" one carried out by DeepBlueMagic.

"The [Hillel Yaffe] incident paralyzed the majority of the hospital's computer systems, resulting not only in the theft of large amounts of data, including confidential patient information, but also an inability to access patient files and the patient registry system, and nonfunctional electric doors," HC3 said. "In a matter of days, the targeting of the medical center, which was attributed to DeepBlueMagic, spurred an additional nine attacks on other hospitals and health organizations in the country, resulting in the largest cyber attack ever launched on the Israeli health sector."

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.