One Article Review

Home - The article:
Source Veracode
Identifier 2103299
Publication date 2020-11-19 16:23:50 (viewed: 2020-12-15 21:05:42)
Title Healthcare Orgs: What You Need to Know About TrickBot and Ryuk
Text In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," which they shared as a warning of potential ransomware attacks. In the report, the agencies found that threat actors are targeting the HPH sector using TrickBot and BazarLoader malware, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic, something healthcare providers should take into consideration when determining how much to invest in their cybersecurity efforts. The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, "TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti." What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns, which uses a single-byte XOR cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic.
When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories: C:\Windows\, C:\Windows\SysWOW64\, or C:\Users\[Username]\AppData\Roaming\. From there, the executable downloads modules from command and control servers (C2s) and places them in the host's %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim's machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here.

BazarLoader and Ryuk ransomware

CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks. "The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure," the report says. "Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment." BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject l
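The article's point that single-byte XOR obfuscation is weak enough to be recovered from DNS request traffic can be demonstrated with a small analyst script. The following is an added example, not code from the Veracode post or the CISA advisory: it brute-forces all 256 keys over the first label of a queried name and keeps only keys whose output has a key=value;key=value shape. That shape, the hex encoding of the label and the sample query itself are constructed assumptions for this example; the real anchor_dns message format is not described on the page.

```python
import re

# ASSUMED structured shape for the decoded text (key=value;key=value).
# Printability alone is not a reliable score on short DNS labels: several
# keys turn a short ciphertext into all-printable text, so a structural
# check is what separates the real key from look-alike keys.
STRUCTURED = re.compile(rb"\w+=\w+(?:;\w+=\w+)*")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)


def recover_structured_plaintexts(data: bytes):
    """Try all 256 single-byte keys and return [(key, text)] for every key
    whose output fully matches the structured shape."""
    hits = []
    for key in range(256):
        candidate = xor_bytes(data, key)
        if STRUCTURED.fullmatch(candidate):
            hits.append((key, candidate))
    return hits


def inspect_dns_query(qname: str):
    """Hex-decode the first label of a queried name and look for a
    single-byte XOR key that reveals structured text. Ordinary names
    (non-hex first label, or no key producing a match) yield []."""
    first_label = qname.split(".")[0]
    try:
        raw = bytes.fromhex(first_label)
    except ValueError:
        return []
    return recover_structured_plaintexts(raw)


# CONSTRUCTED sample: plaintext XORed with key 0x5A, hex-encoded as the
# first label of a lookup against a placeholder domain.
SAMPLE_PLAINTEXT = b"host=WS01;user=jdoe;os=win10"
SAMPLE_KEY = 0x5A
SAMPLE_QNAME = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY).hex() + ".c2.example.invalid"

if __name__ == "__main__":
    for name in (SAMPLE_QNAME, "www.example.com", "deadbeef.example.com"):
        print(name, "->", inspect_dns_query(name))
```

Run over passive DNS logs, a non-empty result on a name is a lead for an analyst to examine, not a verdict on its own.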
Sent Yes
Tags Ransomware Malware Tool Threat Patching
Notes ★★★


The article does not appear to have been picked up after its publication.

The article does not appear to have been taken from an earlier one.