Published on January 27th, 2023

Threat Intelligence Report


The healthcare industry is facing an increasing number of cyberthreats as threat actors target healthcare organizations for their highly confidential data and valuable information. This is a significant issue for healthcare providers, as a successful cyberattack can have serious consequences including the loss or publication of sensitive patient data, financial losses, and even direct physical harm to patients. Healthcare is particularly vulnerable to these threats due to a combination of factors including the widespread use of medical technology with a long service life, the complex and often interconnected nature of healthcare systems and the vast amounts of sensitive data that are routinely collected and stored. It is imperative that healthcare providers understand the dangers of the current cyberthreat landscape and proactively protect themselves and their patients from potential harm.

Overall, ransomware still poses the biggest threat to the healthcare industry, and the threat groups that rely on it are still actively targeting the sector, as the October ransomware attack on CommonSpirit Health shows: data belonging to more than 600,000 patients was compromised [xxix]. In the past, some RaaS groups such as Maze stated that they would not attack hospitals, but such promises cannot be relied on. With many RaaS groups operating under affiliate models, the group that executes an attack is often not the group that developed the malware, which complicates tracing and attribution.

According to our telemetry, Cylance Endpoint Security solutions stopped 7,748 unique malware samples targeting the healthcare industry during this reporting period, an average of more than 80 unique samples per day. The most prevalent Trojan was Qakbot, which has been used by cybercriminals since at least 2012 and poses a high risk to the healthcare industry. In 2022, Qakbot was mostly used by affiliates deploying Black Basta ransomware. Because Emotet ran few campaigns after its recent four-month shutdown, and TrickBot appears more focused on improving its Bumblebee malware, we believe that Qakbot remains the most active Trojan providing initial access to healthcare networks for RaaS affiliates and initial access brokers (IABs).

Meterpreter (a Metasploit payload that provides an interactive shell for the attacker) and BloodHound were also active during this timeframe. We detected an attack that used Meterpreter alongside the execution of SharpHound, the data collector for BloodHound. Attackers commonly run SharpHound after gaining initial access to enumerate Active Directory group memberships, local admin rights, sessions and ACLs, and then use BloodHound to find paths for lateral movement and privilege escalation. The Cybersecurity and Infrastructure Security Agency (CISA) recommends that network and system administrators run BloodHound themselves to understand the attack paths that exist in their own environments [xxx].
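The reasoning BloodHound performs over SharpHound's output is a graph search: every principal and computer is a node, every collected relationship (MemberOf, AdminTo, HasSession, GenericAll and so on) is a directed edge, and an "attack path" is a chain of edges from a low-privilege user to a high-value target such as Domain Admins. The following is an added example, not code from the BlackBerry report or from the BloodHound project, that performs that search on a small constructed directory graph; the node names, edge set and the choice of breadth-first search are assumptions made for illustration.

```python
from collections import deque

# Constructed toy directory graph (not real data), using the edge kinds that
# SharpHound collects and BloodHound reasons over: MemberOf, AdminTo,
# HasSession and GenericAll. Names and relationships are assumptions.
NODE_TYPES = {
    "alice@corp.local": "User",
    "bob@corp.local": "User",
    "carol@corp.local": "User",
    "helpdesk@corp.local": "Group",
    "it-ops@corp.local": "Group",
    "finance@corp.local": "Group",
    "domain admins@corp.local": "Group",
    "ws01.corp.local": "Computer",
    "fs01.corp.local": "Computer",
}

EDGES = [
    # (source, relationship, target); direction is "source can act on target"
    ("alice@corp.local", "MemberOf", "helpdesk@corp.local"),
    ("helpdesk@corp.local", "AdminTo", "ws01.corp.local"),
    # BloodHound models HasSession as Computer -> User: bob is logged on to
    # WS01, so a local admin on WS01 can harvest his credentials.
    ("ws01.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "it-ops@corp.local"),
    ("it-ops@corp.local", "GenericAll", "domain admins@corp.local"),
    ("carol@corp.local", "MemberOf", "finance@corp.local"),
    ("finance@corp.local", "AdminTo", "fs01.corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_attack_path(graph, start, target):
    """Breadth-first search for the fewest-hop path from start to target.

    Returns a list of (source, relationship, target) hops, or None if the
    target is unreachable. BFS suffices because every edge counts as one
    hop, which is also how BloodHound's unweighted shortestPath queries work.
    """
    if start == target:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for rel, nxt in graph.get(current, []):
            if nxt in parent:
                continue
            parent[nxt] = (current, rel)
            if nxt == target:
                hops = []
                node = nxt
                while parent[node] is not None:
                    prev, r = parent[node]
                    hops.append((prev, r, node))
                    node = prev
                hops.reverse()
                return hops
            queue.append(nxt)
    return None


def users_reaching(graph, node_types, target):
    """Every User principal with some path to target, with its hop count."""
    result = []
    for node, kind in node_types.items():
        if kind != "User":
            continue
        path = shortest_attack_path(graph, node, target)
        if path is not None:
            result.append((node, len(path)))
    return sorted(result, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    graph = build_graph(EDGES)
    target = "domain admins@corp.local"
    for user, hops in users_reaching(graph, NODE_TYPES, target):
        print(f"{user}: {hops} hop(s) to {target}")
        for src, rel, dst in shortest_attack_path(graph, user, target):
            print(f"  {src} -[{rel}]-> {dst}")
```

In this toy graph a helpdesk account reaches Domain Admins in five hops because a member of it-ops has a live session on a workstation that helpdesk administers; that is exactly the kind of path defenders find by running the collector themselves, and it is broken by removing the local admin right or the session, not by patching. In a real assessment the edges come from SharpHound's JSON output rather than a hand-written list.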

We also observed TinyNuke dropping the Netwire RAT. Originally a banking Trojan with functionality similar to ZeuS, TinyNuke is a fully featured Trojan that includes a hidden VNC server and a reverse SOCKS proxy. TinyNuke has also been used by the Kimsuky group [xxxi], which is attributed to the Democratic People's Republic of Korea (DPRK). While examining this attack, we found TinyNuke downloading and executing the Netwire RAT, which then connected to a domain hosted on DuckDNS, a free dynamic DNS service commonly used by RATs for command and control.
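Because RAT operators register throwaway hostnames under dynamic DNS providers such as DuckDNS, a host that repeatedly resolves the same name under such a provider is a cheap and useful triage signal. The following is an added example, not from the BlackBerry report, that runs that check over a constructed DNS log; the log format, the hostnames and IPs, the provider list beyond DuckDNS, and the beaconing threshold are all assumptions.

```python
from collections import Counter

# Apex domains of dynamic DNS providers to watch. DuckDNS is the provider
# named in the report; the others are assumptions added for breadth and
# should be tuned to what is legitimately used in your environment.
DYNDNS_APEX = {"duckdns.org", "no-ip.com", "ddns.net", "hopto.org"}

# Constructed sample DNS log (not real traffic). Tab-separated fields:
# timestamp, client IP, query name, record type, answer. The DuckDNS
# hostname and all addresses are made up.
SAMPLE_LOG = """\
2023-01-12T10:04:31Z\t10.0.5.23\tupdates.microsoft.com\tA\t13.107.4.50
2023-01-12T10:05:02Z\t10.0.5.23\tmednode-7a.duckdns.org\tA\t198.51.100.77
2023-01-12T10:05:40Z\t10.0.5.40\tduckdns.org\tA\t203.0.113.10
2023-01-12T10:06:02Z\t10.0.5.23\tmednode-7a.duckdns.org\tA\t198.51.100.77
2023-01-12T10:07:03Z\t10.0.5.23\tmednode-7a.duckdns.org\tA\t198.51.100.77
2023-01-12T10:07:15Z\t10.0.5.40\tportal.example-hospital.org\tA\t192.0.2.8
2023-01-12T10:08:01Z\t10.0.5.23\tmednode-7a.duckdns.org\tA\t198.51.100.77
2023-01-12T10:09:44Z\t10.0.5.61\tbackup-site.ddns.net\tA\t198.51.100.12
"""


def dyndns_apex(qname):
    """Return the matching provider apex if qname is a *subdomain* of one.

    A query for the provider's own site (e.g. duckdns.org) is not flagged;
    only customer-registered names below the apex are.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DYNDNS_APEX:
            return candidate
    return None


def parse_log(text):
    """Yield (timestamp, client, qname) from the tab-separated format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _rtype, _answer = line.split("\t")
        yield ts, client, qname


def dyndns_queries(text):
    """Count queries per (client, hostname) for names under a watched apex."""
    counts = Counter()
    for _ts, client, qname in parse_log(text):
        if dyndns_apex(qname):
            counts[(client, qname.lower())] += 1
    return counts


def suspicious_clients(text, min_queries=3):
    """Clients that repeatedly resolve the same dynamic DNS hostname.

    Repeated resolution of one dynamic DNS name from one host is the pattern
    a RAT's C2 beaconing produces; min_queries is an assumed threshold.
    Returns (client, hostname, count) sorted by count, highest first.
    """
    hits = [
        (client, host, n)
        for (client, host), n in dyndns_queries(text).items()
        if n >= min_queries
    ]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for client, host, n in suspicious_clients(SAMPLE_LOG):
        print(f"{client} resolved {host} {n} times (apex {dyndns_apex(host)})")
```

The single lookup of backup-site.ddns.net from 10.0.5.61 stays below the threshold but is still in the `dyndns_queries` output, which is the right place to look when an endpoint alert such as the TinyNuke detection above names a specific host. Legitimate dynamic DNS use (remote-support boxes, home-grown telemedicine gateways) is common enough in healthcare that the result is a triage queue, not a verdict.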

BlackBerry researchers also found an instance where an unknown threat actor deployed the PlugX RAT, which is used by multiple nation-state threat actors including Mustang Panda (learn more in our public report), indicating that both cybercriminals and nation-state actors are interested in attacking the healthcare industry. And while we have not seen infostealers such as RedLine and Raccoon specifically targeting healthcare, we did encounter an instance of GuLoader, a downloader commonly used by cybercriminals to deploy infostealers.
