Several federal agencies have issued a warning of an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” reporting a rise in malware attacks using hacking tools with names like Dyre, Ryuk, Trickbot, and BazarLoader.
“Often leading to ransomware attacks, data theft, and the disruption of healthcare services, these issues will be particularly challenging for organizations within the COVID-19 pandemic,” notes the new report. “Therefore, administrators will need to balance this risk when determining their cybersecurity investments.”
The 15-page Joint Cybersecurity Advisory was issued on October 28, 2020 by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), which enforces civil rights laws including HIPAA.
The new report comes on the heels of an earlier Joint Cybersecurity Advisory providing guidance on identifying and mitigating malicious activity.
This latest advisory is aimed at ensuring healthcare providers take timely and reasonable precautions to protect their networks.
What is the threat?
Although malicious actors are constantly probing and attacking computer networks worldwide, federal cybersecurity investigators have been tracking the evolution of a “full suite of tools to conduct a myriad of illegal cyber activities.”
The latest addition to this hacker toolkit is called Anchor_DNS, which leverages the global Domain Name System (DNS) to wreak havoc.
DNS manages how computers on the Internet find each other. Anchor_DNS sets up a backdoor on victim networks to disguise its activities as legitimate DNS traffic.
The lineage of this latest hacker tool can be traced back to 2016 with the rise of a line of malware called Trickbot, which itself was a variant of a banking trojan named Dyre.
“The cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization,” the advisory notes.
Early last year, the FBI started seeing a new Trickbot module called Anchor, which was optimized to attack large corporations. Anchor_DNS is an extension of that module.
Altogether, these tools support criminal activities including stealing login credentials, stealing email, stealing data from point-of-sale systems, mining cryptocurrency, and deploying ransomware.
How do these attacks work?
In the case of Anchor_DNS, hackers plant a file with a randomly generated filename on computers running the Windows operating system. The malware then connects to command and control servers to receive further instructions, while shaping its traffic to look like ordinary DNS queries.
From there, the malware does many things, from attempting to disable common security tools to encrypting files and deleting backup files.
The joint advisory includes a number of specific filenames and domain name queries that can help system administrators determine whether their systems have been compromised.
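The advisory's approach of publishing known-bad domain queries gives administrators something concrete to check their DNS logs against, and the "looks like regular DNS" disguise described above is exactly what a resolver querylog can reveal. The script below is an added example, not code from the advisory or from any agency: it scans constructed BIND-style querylog lines against a constructed placeholder indicator list (the real indicators are in the advisory, not reproduced here) and additionally flags queries whose leftmost label is long and high-entropy, a generic heuristic for DNS-tunnelled command and control rather than a signature from the page. The log format, thresholds and domain names are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed placeholder indicator list. Replace with the domains published in
# the advisory; these ".invalid" names are NOT real indicators.
IOC_DOMAINS = {
    "example-ioc-1.invalid",
    "example-ioc-2.invalid",
}

# Constructed sample querylog lines in an abbreviated BIND querylog layout.
SAMPLE_LOG = """\
28-Oct-2020 10:01:02.123 client 10.0.0.15#51234: query: www.microsoft.com IN A + (10.0.0.53)
28-Oct-2020 10:01:03.456 client 10.0.0.15#51235: query: a8f3k2mq9x0zlp4v7w.example-ioc-1.invalid IN TXT + (10.0.0.53)
28-Oct-2020 10:01:04.789 client 10.0.0.22#40001: query: mail.hospital.example IN MX + (10.0.0.53)
28-Oct-2020 10:01:05.001 client 10.0.0.15#51236: query: 4k9q1z7x3m8p2w6v0nj5h.cdn-lookalike.example IN TXT + (10.0.0.53)
"""

# Assumed log layout: "client <ip>#<port>: query: <qname> IN <qtype>".
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def matches_ioc(qname: str, iocs=IOC_DOMAINS) -> bool:
    """True if qname equals an indicator domain or is a subdomain of one.

    Suffix matching requires the dot boundary, so 'notexample-ioc-2.invalid'
    does not match 'example-ioc-2.invalid'.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)


def looks_like_tunnel(qname: str, min_label_len: int = 16, entropy_threshold: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): a long, high-entropy leftmost label is a
    common sign of data being smuggled inside DNS names. Tune per environment;
    CDN and anti-spam lookups can legitimately trip this and need allow-listing."""
    leftmost = qname.rstrip(".").split(".")[0]
    return len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= entropy_threshold


def scan_log(text: str, iocs=IOC_DOMAINS) -> list:
    """Return one finding per suspicious query line, with the reasons it fired."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a production tool should count these
        qname = m.group("qname")
        reasons = []
        if matches_ioc(qname, iocs):
            reasons.append("ioc_domain")
        if looks_like_tunnel(qname):
            reasons.append("high_entropy_label")
        if reasons:
            findings.append({
                "client": m.group("client"),
                "qname": qname,
                "qtype": m.group("qtype"),
                "reasons": reasons,
            })
    return findings


def clients_to_investigate(findings: list) -> dict:
    """Count findings per source host, so the noisiest endpoint is triaged first."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['client']:<12} {h['qtype']:<4} {h['qname']}  <- {', '.join(h['reasons'])}")
    print("per-client:", clients_to_investigate(hits))
```

An indicator hit is a near-certain signal and should trigger the response checklist the advisory points to; the entropy heuristic is a lead for an analyst, not a verdict on its own, and is most useful when the per-client tally shows one host generating many such queries.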
What should hospitals and healthcare providers do?
“CISA, FBI, and HHS suggest [public health] sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors,” according to the advisory.
The publication provides network best practices, such as multi-factor authentication, regular password changes, prompt installation of firmware updates, and timely operating system and software patching.
Meanwhile, by monitoring systems for Trickbot malware, system administrators may be able to head off an imminent ransomware attack; they should also secure and back up sensitive and proprietary data.
Notably, the agencies do not advocate paying ransoms.
“Payment does not guarantee files will be recovered,” they write. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and fund illicit activities.”
User awareness and training is also recommended.
What other resources are available?
CISA, FBI, and HHS recommend that healthcare organizations join a healthcare information sharing organization like the Health Information Sharing and Analysis Center (H-ISAC).
The advisory references the joint CISA MS-ISAC Ransomware Guide, which provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
In addition, the agencies recommend that IT administrators review CISA’s Ransomware webpage for additional information.
Finally, the HHS Office for Civil Rights also provides a Fact Sheet on Ransomware and HIPAA that includes further information for entities regulated by the HIPAA Rules.