Rhysida ransomware group strikes healthcare institutions

SISA Weekly Threat Watch - 21 August 2023

This past week, the cybersecurity landscape witnessed notable trends in malicious activities. From healthcare-focused ransomware operations to cloud-based phishing attacks and expansive proxy networks, threat actors demonstrated their adaptability and persistence. These incidents spotlight the ongoing need for robust security practices and proactive defense strategies in the face of ever-evolving cyber threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Healthcare sector targeted by Rhysida ransomware operation

Rhysida is a ransomware-as-a-service (RaaS) group that is still in its early stages of development, first emerging in May. Rhysida drew attention for the first time after leaking documents stolen from the Chilean Army (Ejército de Chile) on its data leak site in June. The threat group, previously known for targeting the education, government, manufacturing, and tech industries, among others, has begun conducting attacks on healthcare and public health organizations in North and South America, Western Europe, and Australia.

After first gaining access via phishing emails, Rhysida deploys PowerShell and Cobalt Strike scripts as well as a locker. Security investigators found that the PowerShell scripts used by Rhysida stop AV processes, erase shadow copies, and change RDP (Remote Desktop Protocol) configurations, an intriguing finding that demonstrates the locker’s active evolution. Meanwhile, researchers have linked Rhysida to the Vice Society ransomware gang due to similarities between both groups’ extortion site publishing times and targeting patterns. To safeguard critical assets and data from such ransomware attacks, it is recommended to deploy email security solutions, utilize behavior-based detection mechanisms, and actively monitor and apply security patches for popular vulnerabilities.

2. Whirlpool malware reported as part of recent Barracuda ESG breaches

A new report by the Cybersecurity and Infrastructure Security Agency (CISA) disclosed the existence of a new backdoor malware called Whirlpool that a malicious cyber group deployed in the recent breaches targeting Barracuda Email Security Gateway (ESG) devices. Barracuda ESG versions to are affected by the critical severity (CVSS v3: 9.8) remote command injection vulnerability CVE-2023-2868. The attacks, which began in October 2022, were subsequently found to have been responsible for the installation of the malicious software known as SeaSide, Saltwater, and other previously unidentified threats. Since then, CISA has released more information on another malware called Submariner that was used in the attacks.

Recently, CISA disclosed the discovery of another backdoor malware named ‘Whirlpool’ that was found to be used in the attacks on Barracuda ESG devices. The malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell. Organizations are recommended to maintain up-to-date antivirus signatures and engines, disable File and Printer sharing services, enforce a strong password policy, and monitor users’ web browsing habits to avoid falling victim to such attacks.

3. Monti ransomware targets VMware ESXi servers with new Linux locker

After a brief hiatus, the Monti ransomware group has resumed operations and is employing a new Linux locker for its attacks targeting VMware ESXi servers. According to the researchers, the new Linux locker, Ransom.Linux.MONTI.THGOCBC, clearly differs from the earlier variations. In other words, preceding variations were primarily based on stolen Conti source code, but the current version features a separate encryptor.

The ‘-size’, ‘-log’, and ‘-vmlist’ parameters have been removed from the new Linux locker, and a new ‘-type=soft’ parameter has been added. This parameter stops VMware ESXi servers in a more subtle way, likely so that the activity escapes detection. Also added is a ‘–whitelist’ parameter that instructs the locker to skip special VMware ESXi servers on the host. It is recommended to implement multifactor authentication (MFA) to impede attackers from moving laterally within a network and gaining access to sensitive data. Additionally, adhere to the 3-2-1 guideline when generating backups for crucial files. This guideline entails creating three backup copies in two distinct file formats, with one copy stored at a separate location. This approach ensures redundancy and minimizes the possibility of data loss.

4. Cloudflare R2 used by threat actors to host phishing pages

Cloudflare R2 is a data storage service for the cloud, similar to Amazon Web Service S3, Google Cloud Storage, and Azure Blob Storage. The use of Cloudflare R2 by threat actors to host phishing pages has seen a significant increase of 61-fold in the past six months. According to security researchers, the majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps.

In addition to abusing Cloudflare R2 to disseminate static phishing sites, the phishing operations discovered take advantage of the company’s Turnstile service, a CAPTCHA substitute, to hide such pages behind anti-bot barriers in order to avoid detection. Because internet scanners like urlscan.io fail the CAPTCHA test, they are stopped from accessing the real phishing site. Users are advised to always access important pages, such as their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines or clicking any other links. It is also recommended to use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall in categories that can present higher risk, like Newly Observed and Newly Registered Domains.

5. Stealthy malware forms expansive 400,000-node proxy network

Security researchers have discovered a massive campaign that secretly installed proxy server apps on approximately 400,000 Windows systems. Recent investigations revealed a massive campaign targeting both Windows and macOS systems. A distinct link was observed between the proxyware targeting Windows systems and the AdLoad malware that was aimed at macOS devices. The infection’s genesis is often traced back to cracked software and games, acting as Trojan horses.

When users unsuspectingly execute a loader hidden within these applications, it kicks off the infection process. This loader then autonomously downloads and installs the proxy application in the background, meticulously ensuring that the user remains oblivious. Once the proxy application nestles into the system, it does not operate in isolation. It initiates communication with a Command and Control (C2) server, sending specific parameters to register itself and thereby becoming a cog in the larger botnet machinery. It is recommended to check for the presence of a “Digital Pulse” executable in the “%AppData%” directory or a similarly named Registry key at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”. If found, it should be deleted. Additionally, refrain from downloading and executing pirated software or programs from unreliable sources to stay protected from such attacks.
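
A read-only PowerShell check for the two indicators named above, added here as an example and not taken from the advisory or the underlying research. The wildcard pattern `*Digital*Pulse*` is an assumption to cover spacing variants of the name.

```powershell
# Added example: read-only hunt for the "Digital Pulse" proxyware indicators.
# Assumption: the wildcard below covers "Digital Pulse" and "DigitalPulse" spellings.
$pattern = '*Digital*Pulse*'

# 1. Files or folders under %AppData% whose name matches the pattern.
$fileHits = @(
    Get-ChildItem -LiteralPath $env:APPDATA -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Type     = 'File'
                Location = $_.FullName
                Detail   = $_.LastWriteTime.ToString('s')
            }
        }
)

# 2. Values under the per-user Run key whose name or command line matches.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runHits = @(
    if (Test-Path -LiteralPath $runKey) {
        $key = Get-Item -LiteralPath $runKey
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -like $pattern -or $data -like $pattern) {
                [pscustomobject]@{
                    Type     = 'RunValue'
                    Location = "$runKey\$name"
                    Detail   = $data
                }
            }
        }
    }
)

# Report only; removal is left to the analyst after reviewing the hits.
$findings = $fileHits + $runHits
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No "Digital Pulse" indicators found for this user.'
}
```

Both `%AppData%` and `HKCU` are per-user, so the check has to run in the context of each user profile on the machine.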

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
