web analytics

BlackCat Pounces on Health Sector After Federal Takedown – Source: www.databreachtoday.com

blackcat-pounces-on-health-sector-after-federal-takedown-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Fraud Management & Cybercrime
,
Healthcare
,
Industry Specific

Feds Issue Alert as Change Healthcare Hack Affects Medicare, CVS Caremark, MetLife

Marianne Kolbasuk McGee (HealthInfoSec) •
February 28, 2024    

BlackCat Pounces on Health Sector After Federal Takedown

U.S. authorities have been trying to shut down the BlackCat ransomware-as-a-service group for over a year. The relatively young group, also known as Alphv, has built a notorious reputation, grabbing headlines in March 2023 when it leaked stolen photos of breast cancer patients in an extortion attempt against a group of Pennsylvania cancer clinics.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

The FBI, posing as an affiliate, infiltrated the ransomware group’s operation and developed a tool that could decrypt the systems of more than 500 BlackCat victims. Then, agents in December seized the group’s data leak site and its Tox peer-to-peer instant messaging account – though the leak site was back in BlackCat’s control within a week (see: FBI Seizes BlackCat Infrastructure, Group Has New Domain).

In retaliation for the attempted takedown, federal authorities say the BlackCat administrator posted a note “encouraging its affiliates to target hospitals.”

On Wednesday, the Russian-speaking group claimed on its dark web site that it is behind the biggest healthcare hack so far the year – exfiltrating 6 terabytes of “highly selective data” relating to “all” Change Healthcare clients, including Tricare, Medicare, CVS Caremark, MetLife, Loomis, Davis Vision, Health Net, Teachers Health Trusts “and tens of insurance and other companies.” (See: Change Healthcare Outage Hits Military Pharmacies Worldwide).

A joint warning from CISA, the FBI and the U.S. Department of Health and Human Services on Tuesday makes no mention of the Change Healthcare incident but says Alphv/BlackCat affiliates have posted notices on nearly 70 leaked victims since mid-December 2023, and the healthcare sector has been the most victimized.

The cyberattack on IT services firm Change Healthcare, a unit of Optum, has been disrupting scores of the company’s healthcare sector clients since last week, including the companies listed on the BlackCat leak site (see: Change Healthcare Outage Disrupts Firms Nationwide).

A CVS spokesman in a statement to Information Security Media Group said the company has seen the BlackCat claims, but “at this time, Change Healthcare has not confirmed whether any CVS Health member or patient information that it holds, including CVS Caremark information, was affected by this incident.

“Change Healthcare’s network interruption is impacting certain CVS Health business operation and our business continuity plans remain in place to minimize disruption of services.”

Other clients listed by BlackCat did not immediately respond to ISMG’s requests for comment on BlackCat’s claims.

Weeklong Outage, So Far

Optum, a unit of UnitedHealth Group, has been responding to the Feb. 21 attack on Change Healthcare for more than a week, and 116 software components are still offline as of Wednesday morning, when the company issued a status update (see: Groups Warn Health Sector of Change Healthcare Cyber Fallout).

Last week, UnitedHealth Group, in a filing to the U.S. Securities and Exchange Commission, said the incident involves “a suspected nation-state associated cyber security threat actor” who gained access to some of the Change Healthcare IT systems.

Change Healthcare’s IT products – which run the gamut from healthcare revenue cycle management to pharmacy benefits and claims management applications, are used to process 15 billion healthcare transactions annually, with the company’s clinical connectivity solutions “touching” 1 in 3 patient records in the U.S., according to Change Healthcare’s website.

Optum did not immediately respond to ISMG’s requests for additional details about the Change Healthcare incident.

In previous claims posted on its site, BlackCat asserted that it didn’t target healthcare providers, though the affiliates are known to go after insurance companies, pharmaceutical companies and other related vendors.

Agencies’ Warnings

The U.S. government agencies’ joint advisory this week said affiliates are being encouraged to target providers and the threat actors have “improvised communication methods by creating victim-specific emails to notify of the initial compromise.”

The FBI, CISA and HHS encourage critical infrastructure organizations to implement a list of recommended mitigations to reduce the likelihood and impact of Alphv BlackCat ransomware and data extortion incidents.

Urgent recommended mitigation actions include taking inventory of assets and data to identify authorized and unauthorized devices and software, prioritizing remediation of known exploited vulnerabilities, enabling and enforcing multifactor authentication with strong passwords, and closing unused ports and removing applications not deemed necessary for day-to-day operations.

Further recommended mitigations include securing remote access tools, implementing application controls to manage and execute software such as allowlisting remote access programs, and implementing FIDO/WebAuthn authentication or public key infrastructure-based multifactor authentication to reduce the risk of phishing, push bombing or SIM swap attacks, “which are techniques known be used by ALPHV BlackCat affiliates,” the advisory said.

The alert also advises entities to use network monitoring tools to identify, detect and investigate abnormal activity and potential traversal of ransomware; regularly train users to identify social engineering and phishing attacks; monitor internal mail and messaging traffic to identify suspicious activity; install and maintain antivirus software; and implement “free” security tools to prevent cyberthreat actors from redirecting users to malicious websites to steal their credentials.

The alert says that in February 2023, Alphv/BlackCat announced the ALPHV BlackCat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as improved defense evasion and additional tooling. “This ALPHV BlackCat update has the capability to encrypt both Windows and Linux devices, and VMware instances. ALPHV BlackCat affiliates have extensive networks and experience with ransomware and data extortion operations,” the alert said.

Alphv/BlackCat affiliates use advanced social engineering techniques and open-source research on a company to gain initial access, the alert says. That includes threat actors posing as IT or help desk staff to obtain credentials from employees to access the target network.

“Some ALPHV BlackCat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV BlackCat affiliates communicate with victims via TOR [S0183], Tox, email, or encrypted applications. The threat actors then delete victim data from the victim’s system,” the advisory says.

Among the long list of IoCs contained in the advisory is a network IOC – “Domain Fisa99.screenconnect[.]com ScreenConnect Remote Access” – involving ConnectWise ScreenConnect remote access tool.

Security researchers have speculated in recent days that the Change Healthcare attack involved exploitation of ScreenConnect vulnerabilities. But ConnectWise maintains that it has not found any definitive link between the attack and exploitation of ScreenConnect flaws.

BlackCat also dismissed the claims. “We did not use ConnectWise as our initial access,” the gang wrote as a P.S. on its dark web post about the Change Healthcare attack.

ConnectWise Connection, Disconnected?

ConnectWise has maintained that it is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on Feb. 19, and the incident at Change Healthcare.

“Our internal reviews have yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of managed service providers have come forward with any information regarding their association with Change Healthcare,” ConnectWise said in a statement Tuesday night.

“As typical examples, cyberattacks can occur through numerous avenues, including vulnerabilities, phishing and business email compromise. While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities,” ConnectWise said.

Yelisey Bohuslavskiy, co-founder and chief research officer at threat intelligence firm RedSense, which had found indicators that the Change Healthcare incident involved a ScreenConnect exploit, told ISMG on Wednesday that use of several attack vectors and possibly even several initial access vectors “is not only possible in this case but is most likely the only option.”

“For both nation-state groups and with ransomware, the actor utilizing a CVE for initial access will always use a more traditional method at the same time, he said. “The few examples of ransomware weaponization of CVEs – Conti with Log4J being the most illustrative one – always had three vectors – the CVE itself, use of pre-exposed credentials, and traditional precursor deployment – botnet like Qbot dropping CS as an example,” he said.

“Patching is still critical.”

Critical Measures

When data security incidents such as the Change Healthcare attacks occur, related parties, vendors and organizations need to react quickly to evaluate whether they might have been exposed as a result of the breach and whether there are any indicators that require further action, said Claude Mandy, chief evangelist of data security at security firm Symmetry Systems.

“Organizations in healthcare sector will obviously be on high alert as a result of the continued targeting of healthcare, but organizations with ties to the impacted parties should be proactively investigating any activity and rotating potentially compromised credentials,” he said.

The common thread that connects many attacks in the healthcare sector is the perception of those organizations by threat actors as “easy pickings” compared to other sectors, said Bud Broomhead, CEO at security firm Viakoo. That is in part due to healthcare’s extensive use of IoT devices and applications, its highly complex environment with many visitors and contractors, and IT resources that historically have been stretched thin, he said.

“The key lessons for organizations doing business with healthcare organizations is to follow best practices around vendor and supply chain management: Perform cyber audits and surveys to understand the security posture of the organization you’re working with, ensure they have a timely communications policy in case of breach, and prioritize security scores in making vendor selection,” he said.

Original Post url: https://www.databreachtoday.com/blackcat-pounces-on-health-sector-after-federal-takedown-a-24469

Category & Tags: –

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Marcos Jaimovich
Presentación “ModoSOC in Real Life” por Marcos Jaimovich en SEGURINFO Chile 2022.
Presentación “ModoSOC in Real Life”...
IBM Security
How much does a data breach cost in 2022? IBM Cost of a Data Breach 2022 Report by IBM Security
How much does a data...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Cybertalk.org
ChatGPT Security Risks -A Guide for Cyber Security Professionals by Cybertalk.org
ChatGPT Security Risks -A Guide...
Chris Davis
Blue Team Cheat Sheets by Chris Davis
Blue Team Cheat Sheets by...
MITRE
11 STRATEGIES OF A WORLD-CLASS CYBERSECURITY OPERATIONS CENTERS HIGHLIGHTS BY MITRE
11 STRATEGIES OF A WORLD-CLASS...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...
Forrester - Allie Mellen
Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR – EDR Is Dead, Long Live XDR by Allie Mellen – Forrester
Adapt Or Die: XDR Is...
CYBER LEADERSHIP INTITUTE
CISO PLAYBOOK: FIRST 100 DAYS Setting the CISO up for success
CISO PLAYBOOK: FIRST 100 DAYS...

LASTEST PUBLISHED POSTS

National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface
HANIM EKEN
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CNIL
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024
PRACTICE GUIDE GDPR – SECURITY...
PWNED LABS
Cloud Security Engineer Roadmap
Cloud Security Engineer Roadmap
tutorialspoint.com
Cloud Computing Tutorial Simply Easy Learning
Cloud Computing Tutorial Simply Easy...
SMITHA SRIHARSHA
CISSP Preparation Notes
CISSP Preparation Notes
CISSP Mind Map: All Domains
CISSP Mind Map: All Domains
Lansweeper
CIS 18 CRITICAL SECURITY CONTROLS CHECKLIST
CIS 18 CRITICAL SECURITY CONTROLS...
Semaphore
CI-CD with Docker and Kubernetes
CI-CD with Docker and Kubernetes
EC-MSP
BUSINESS CONTINUITY PLAN & DISASTER RECOVERY PLAN TEMPLATE
BUSINESS CONTINUITY PLAN & DISASTER...
PWC
Building a risk-resilient organisation
Building a risk-resilient organisation

More Latest Published Posts

40 under 40
40 under 40 in CyberSecurity 2024
40 under 40 in CyberSecurity 2024
HADESS
40 Days in DeepDark Web About Crypto Scam
40 Days in DeepDark Web About Crypto Scam
Everbridge
8 Principles of Supply Chain Risk Management
8 Principles of Supply Chain Risk Management
CHAOSSEARCH
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
ENDGAME
The Hunters Handbook Endgame’s Guide to Adversary Hunting
The Hunters Handbook Endgame’s Guide to Adversary Hunting
THE EU’S MOST THREATENING by EUROPOL
THE EU’S MOST THREATENING by EUROPOL
National Cyber Security Centre
Responding to a cyber incident – a guide for CEOs
Responding to a cyber incident – a guide for CEOs
IGNITE Technologies
CREDENTIAL DUMPING
CREDENTIAL DUMPING
HADESS
Pwning the Domain Lateral Movement
Pwning the Domain Lateral Movement
Jorgen Lanesskog
PING Basic IP Network Troubleshooting
PING Basic IP Network Troubleshooting
TELESOFT
Layer 7 Visibility What are the Benefits?
Layer 7 Visibility What are the Benefits?
TIGERA
Introduction to Kubernetes Networking and Security
Introduction to Kubernetes Networking and Security
Department of Defense's (DoD)
Defense Industrial Base Cybersecurity Strategy 2024
Defense Industrial Base Cybersecurity Strategy 2024
Dummies
Zero Trust Access for Dummies Fortinet
Zero Trust Access for Dummies Fortinet
Homeland Security
Zero Trust Implementation Strategy
Zero Trust Implementation Strategy
National Australia Bank Limited
Your Business and Cyber Security
Your Business and Cyber Security
CYFIRMA
Xeno RAT- A New Remote Access Trojan
Xeno RAT- A New Remote Access Trojan
IGNITE Technologies
Windows Persistence COM Hijacking MITRE T1546 015
Windows Persistence COM Hijacking MITRE T1546 015
IGNITE Technologies
Windows Exploitation Rundll32
Windows Exploitation Rundll32
IGNITE Technologies
Windows Exploitation Msbuild
Windows Exploitation Msbuild
HADESS
Web LLM Attacks
Web LLM Attacks
HADESS
Trended Protocols for Security Stuff
Trended Protocols for Security Stuff
Red Iberoamericana de Protección de Datos
Transferencia Internacional de Datos Personales – Guia de Implementación
Transferencia Internacional de Datos Personales – Guia de Implementación
CYFIRMA
TRACKING RANSOMWARE January 2024
TRACKING RANSOMWARE January 2024
https://www.linkedin.com/in/harunseker/
TOP Cyber Attacks Detected by SIEM Solutions
TOP Cyber Attacks Detected by SIEM Solutions
TRAVARSA
Top 100 Cyber Threats and Solutions 2024
Top 100 Cyber Threats and Solutions 2024
Top 50 Cybersecurity Threats
Top 50 Cybersecurity Threats
OWASP
Top 10 Considerations for Incident Response
Top 10 Considerations for Incident Response