The IT Nerd

Baptist Medical Center has suffered a malware attack, which involved the exfiltration of data affecting more than 1.24 million patients from two Texas hospitals, according to a statement from Baptist Medical Center:

On April 20, 2022, it was discovered that certain systems within our network may have been infected with malicious code as a result of potentially unauthorized activity. In response to this incident, user access was immediately suspended to impacted information technology applications, extensive cybersecurity protection protocols were executed, and steps were quickly taken to restrict further unauthorized activity. In parallel, an investigation of the incident was immediately launched, and a national forensic firm was engaged to assist with investigation and remediation efforts. Although the investigation is ongoing, it has been determined that an unauthorized third party was able to access certain systems that contained personal information and remove some data from the network between March 31, 2022 and April 24, 2022. As a result of this review, it appears that your personal information may have been involved.

Clearly this isn’t a trivial event given the large number of people who were affected.

I have two comments on this. The first is from Saryu Nayyar, CEO and Founder of Gurucul:

     “Here is yet another example of a security lapse involving a third party. All network access should be monitored continuously in order to detect unauthorized access by malicious insiders, third party contractors, and cybercriminals. Insider threats can quickly become external threats as we’ve seen in this case. Organizations need to re-evaluate their threat detection, investigation and response (TDIR) programs to enhance insider risk and threat initiatives. The most effective defense is an advanced set of behavioral analytics, to baseline and monitor for unusual user behaviors and catch bad actors in real-time before data is exfiltrated.”

The second comment is from Artur Kane, VP of Product for GoodAccess:

     “Hospitals are a tempting target for financially oriented cyberattacks, as the records of malware and ransomware incidents from the past couple of years show. There are three main reasons why cyber criminals like to pick them:

• First, they have a lot of data to steal. Healthcare institutions contain enormous troves of patients’ personal data, which provides hackers with plenty of loot to sell, if not exploit directly. 
• Second, hospitals are more likely to pay a high ransom. Healthcare institutions often have large budgets that are required to sustain the large number of highly qualified staff in their employment and cover the upkeep of hi-tech medical equipment. But when a ransomware attack encrypts their sensitive information, hospitals face the threat of a data leak and, worse still, they can no longer provide treatment, which directly threatens human lives. Under such circumstances, healthcare institutions are pushed to comply with the ransom demands to allow them to resume providing medical services.
• Third, hospitals often lack defenses. Hospitals are similar to banks in how much sensitive data they curate, but they don’t have information protection so deeply rooted in their pedigree. Their purpose is to provide health care, not guard someone’s assets. This could be why their IT is often understaffed and their vast infrastructures often contain vulnerabilities or run-on legacy systems, offering exploitable points of entry for potential attackers. Some of their medical equipment can also harbor malware without it being detected, such as an MRI scanner that runs on Windows but doesn’t even have an antivirus. Their priority is uptime, not security.

However, healthcare institutions can still significantly reduce the risk of an attack by implementing a few security measures:

• The first is regular and thorough backup of all sensitive data. This is an absolute no-brainer. The likelihood of attacks on healthcare institutions borders on the inevitable and having the ability to recover lost data can save millions of dollars in ransom or damages.
• Next is adopting a zero-trust network access (ZTNA) policy, which on its own brings several benefits. Under ZTNA, users have to use strong authentication, typically reinforced by multiple identity factors (multi-factor authentication). This makes it much harder for attackers to exploit stolen access credentials. In addition, proper ZTNA keeps logs on all access attempts by users, which can be a helpful resource for tracing the progress of the breach during post-compromise analysis and patching up vulnerabilities thus discovered.

ZTNA operates on the least-privilege principle, which means that users can only access those systems they require for their work, but no others. This approach segments the network, confining the attacker only to a pool of systems to exploit, but denying them free rein of the network, causing difficulty escalating the attack further.

• Lastly, healthcare institutions need real-time end-to-end network-centric threat detection. Even with the latest patches and vulnerability updates in place, compromise is likely, and hospitals need to invest in solutions that can detect threat activity in network traffic, such as NDR (network detection and response). Given the exorbitant cost of damage that hospitals suffer as a result of malware and ransomware attacks, the investment pays for itself rapidly.”

Things really need to improve as these events keep happening and it is my perception that little is being done until after the event happens. That needs to change or else I suspect that events like this will become more frequent and more severe.

Security researchers with Cybereason have warned that the Black Basta ransomware-as-a-service group has been observed targeting manufacturing, construction, pharmaceuticals and other industries, in the latest update of the new threat group. Additionally, the ransomware syndicate has developed a Linux variant, designed to attack VMware ESXI virtual machines running on enterprise servers.

Chris Olson, CEO, The Media Trust had this to say:

“Today, data breaches aren’t just about stealing sensitive data for financial gain: they are also a danger to public safety. On average, cyber defenders have less than an hour to stop a ransomware event in progress. In addition to virtualization and cloud computing software, web and mobile apps are increasingly targeted by cyber actors using sophisticated techniques such as obfuscated and polymorphic code to dodge blockers or URL filters. Businesses must pivot to prevention over treatment, monitoring IT and digital infrastructure in real time while working to harden entry points.”

I’ve written about the fact that you have less than an hour to stop a ransomware attack here. That alone makes defending against these attacks a must. I would read the warning and my previous story so that you can harden your enterprise accordingly.

UPDATE: I have additional commentary from Jake Williams who is the Executive Director of Cyber Threat Intelligence for SCYTHE:

The Black Basta threat group is a capable player in ransomware operations. Their capability to encrypt ESXi servers underscores the necessity of security access to hypervisor systems. While Black Basts isn’t the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt already have demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations. 

Use of commodity malware like Qakbot demonstrates that there is no such thing as a “commodity” malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware. Black Basta highlights just how damaging the outcome can be if commodity malware infections are ignored simply because they were “mitigated” by endpoint protection platforms. Other threat actor malware can be – and often is – in the network.

And I have additional commentary from Robert Shaughnessy, VP, Federal for GRIMM:

“Ransomware-as-a-service (RaaS), including groups like “Black Basta,” is a fast-growing business, with comparisons being made to traditional Software-as-a-Service (SaaS) offerings. It may be more accurate to think of groups like Black Basta as loosely affiliated criminal gangs forming from the leftovers of larger organized criminal organizations. Conti, for example, has been broken up as if a lockpick, alarm specialist, appraiser, and accountant who met in prison decided to rob houses together. Enterprises are the houses, and their data are the jewels. Like home invaders, the Black Basta syndicate is looking for enterprises with a combination of valuable data and vulnerable defenses. With Black Basta, the current thinking is it was formed from former members of Conti and REvil, the leading Ransomware gangs from 2021, and leveraging partnerships including with the QBot malware. As reported recently by Nathan Eddy, writing for DARKReading (https://www.darkreading.com/threat-intelligence/black-basta-ransomware-esxi-servers-active-campaign), one interesting feature of Black Basta is a trend toward encrypting Virtual Machines (VMs) via the VM ESXi hypervisor. Leveraging larger servers, typically acting as ESXi hypervisor host machines, provides Black Basta with access to much more powerful processing and memory pools than a single workstation would typically have, resulting in faster encryption times and reducing the overall Time to Ransom. This makes it substantially harder for defenders to detect, isolate, and remediate attacks. Even though emerging ransomware gangs are beginning to use novel Tools, Techniques, and Procedures (TTPs), including VM hypervisor attacks, they are not invincible. As with most ransomware campaigns, a good defense against Black Basta starts with basic cyber hygiene: conduct regular in-depth threat assessments, ensure complete enterprise visibility, keep all systems properly patched, employ a zero-trust model across the enterprise, and closely monitor systems for the earliest signs of atypical utilization and access rights modifications.”

Reuters is reporting that Lithuania has been hit by a cyber attack. Specifically that Lithuanian state and a some private institutions were hit by a denial-of-service cyber attack on Monday the National Cyber Security Centre said in a statement released by the defence ministry. Considering that the country is in a “feud” with Russia over scansions related to Russia’s invasion of Ukraine, it’s likely not a shock that this happened. Nor is it a shock that a Russian linked hacker group has claimed responsibility for the attack.

Chris Clymer who is a Director & CISO at Inversion6 had this comment:

Every significant military power in the world has developed cyber capabilities. These have evolved from espionage tools into full fledged weapons to be used as part of a coordinated military response. Targeting another country with these arguably constitutes an act of war, but one less severe than kinetic attacks with missiles and tanks.  Russia has a collection of theoretically autonomous groups like Killnet which give it the ability to strike at its enemies while still denying responsibility – not a new tactic.  This year alone, Killnet has reportedly targeted Romania, Moldova, Czech Republic, and Italy with Lithuania now added to the list. This harassment will continue, and what’s more interesting is that it doesn’t seem to have targeted the US and major European powers as strongly as first expected. With what we know of internet infrastructure, it’s hard to believe this is because those targets are stronger. Perhaps the Russians are trying to stay focused on targets it feels it can afford to antagonize.

Clearly we live in an era where the battlefield includes cyberspace. Thus it makes anyone and everyone a target. Thus now is a really, really good time for everyone to review their cyber defences so that they aren’t the next target.