The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) are warning hospitals and the public health sector at large that they face an “imminent” threat of malware attacks.
The advisory, posted Oct. 28, describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health (HPH) sector to infect systems with malware for financial gain. The advisory specifically names Ryuk, Conti, TrickBot, and BazarLoader as the ransomware attack vectors.
In their investigation, CISA, FBI, and HHS found that cybercriminals are targeting the HPH sector with TrickBot and BazarLoader malware, leading to ransomware attacks, data theft, and the disruption of healthcare services. The advisory noted that these threats come at a particularly difficult time for healthcare organizations, given the ongoing COVID-19 pandemic. “Administrators will need to balance this risk when determining their cybersecurity investments,” the advisory said.
TrickBot, likely developed by the same group that created BazarLoader, began as a banking trojan. Both TrickBot and BazarLoader are disseminated through phishing campaigns that contain either links to malicious websites hosting the malware or attachments carrying the malware itself. The advisory explained that TrickBot “provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.”
In terms of mitigating the threat of malware, CISA, FBI, and HHS “encourage HPH sector organizations to maintain business continuity plans … to minimize service interruptions.” The advisory highlights a handful of best practices, including reviewing or establishing patching plans, security policies, user agreements, and business continuity plans to “ensure they address current threats posed by malicious cyber actors.”