The Health Sector Cybersecurity Coordination Center (HC3) has published threat intelligence on the Black Basta ransomware group to help network defenders prevent attacks and quickly identify those in progress. Black Basta was first observed in April 2022 and is known to carry out ransomware and extortion attacks. The group uses double extortion tactics: it exfiltrates sensitive data and encrypts files, then threatens to publish the stolen data on its data leak site if the victim does not pay the ransom. The group is also known to conduct extortion-only attacks in which files are not encrypted.
Although the group has existed for a relatively short time, it clearly has substantial experience with ransomware operations. Within its first two weeks of operation, the group had already carried out at least 20 ransomware attacks. This Russian-speaking threat group is thought to be composed of former members of the BlackMatter and Conti ransomware operations. It uses the same tactics, techniques, and procedures as those groups and is believed to have ties to the FIN7 threat group. It is very likely that the group conducted ransomware attacks previously under a different name, and a number of security researchers believe Black Basta is a rebrand of Conti. Conti was formally disbanded in May 2022 and is believed to have split into a number of smaller groups.
Black Basta's operators are highly skilled at carrying out ransomware attacks. The group has attacked a number of healthcare and public health (HPH) sector organizations, including health information technology firms, healthcare service providers, labs and pharmaceutical companies, and health plans. Most of its victims are based in the United States, although the group has begun attacking organizations in other nations, primarily the Five Eyes countries (USA, Canada, Australia, the United Kingdom, and New Zealand).
Black Basta is known for carefully selecting its victims and has attacked many critical infrastructure organizations. The attacks are believed to be financially motivated rather than directed by the Russian government, although it is probable that the group also has political aims aligned with the nations it typically targets. The group does not rely on a single attack method and frequently tailors its approach to particular targets. It usually purchases network access from initial access brokers. Once access is obtained, the group uses a variety of tools for remote access, privilege escalation, lateral movement, and data exfiltration, including SystemBC, Qakbot/QBot, Mimikatz, Rclone, and Cobalt Strike. Other access methods include vulnerability exploitation, phishing, Remote Desktop Protocol, malicious downloads, web injections, and repackaged or infected software installers.
The complete analysis of the group, together with the recommended protective measures and mitigations, can be read here.
HSCC Publishes Guidance for Healthcare Companies on Handling Legacy Technology Security
The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has released guidance to help healthcare delivery organizations effectively manage the cyber risks associated with legacy technology. The healthcare industry pays considerable attention to the cybersecurity risks of older medical devices, but these are not the only kind of legacy technology in use in healthcare. Many other technologies likewise become more vulnerable as they age and remain in use after reaching end-of-life, when support is no longer available. These include FDA-regulated devices, non-FDA-regulated devices, lab equipment, building and facilities technology, and many others.
Although the obvious solution from a security standpoint is to upgrade to current, supported systems before a technology reaches end-of-life, that is frequently not practical or achievable. Instead, healthcare delivery organizations must effectively manage the risks associated with these technologies. Malicious actors can exploit vulnerabilities in them, which could endanger patient privacy and security. Unfortunately, many healthcare organizations that rely on legacy technologies have few staff and limited resources to devote to securing them, meaning vulnerabilities could persist indefinitely.
The new guidance, titled “Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS),” discusses guidelines and offers a number of recommendations for healthcare delivery organizations, medical device manufacturers, and other technology vendors whose products are used in the healthcare industry. The guidance states that all of these organizations share responsibility for ensuring legacy technologies can be used safely in medical settings while staying one step ahead of current cyber threats. HSCC urges healthcare delivery organizations, medical device manufacturers, and other technology vendors to work together to manage risk effectively.
The guidance is the outcome of three years of work by 67 industry and government member organizations, including government representatives, healthcare delivery organizations, health IT firms, medical device manufacturers, trade groups, and security professionals. It addresses the four key pillars of a comprehensive legacy technology cyber risk management program (communications, cyber risk management, governance, and future-proofing legacy technologies) and provides general and specific recommendations for each pillar in a readily actionable format.
CISA Introduces Ransomware Vulnerability Warning Pilot Program
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new pilot program in response to the increasing number of ransomware attacks on critical infrastructure organizations. The goal of the pilot program is to help critical infrastructure organizations defend against ransomware attacks by remediating exploitable vulnerabilities in their Internet-facing systems.
The Ransomware Vulnerability Warning Pilot (RVWP) program is authorized by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 and began on January 30, 2023. Under the program, CISA scans Internet-exposed systems for vulnerabilities that ransomware actors could exploit to gain access. CISA's regional cybersecurity staff then notify the affected organizations that the vulnerabilities are present, enabling them to take prompt action to correct them before ransomware groups or other malicious actors can exploit them. CISA notes that critical infrastructure entities may be unaware that exploitable vulnerabilities exist in their systems and might only discover unpatched vulnerabilities when they are hit by ransomware. CISA said the RVWP program leverages existing services, technologies, data sources, and authorities, namely the Administrative Subpoena Authority granted to CISA under Section 2009 of the Homeland Security Act of 2022 and CISA's Cyber Hygiene Vulnerability Scanning Service.
The program focuses on identifying vulnerabilities in Internet-facing systems that are known to have been exploited by ransomware groups in earlier attacks. Through the RVWP program, CISA has already notified approximately 100 critical infrastructure entities that unaddressed ProxyNotShell vulnerabilities in Microsoft Exchange are present in their systems. Ransomware gangs have widely exploited the ProxyNotShell vulnerabilities in the last few months.
Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, said that ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target-rich, resource-poor organizations such as many school districts and hospitals. “The RVWP will enable CISA to offer prompt and useful data that will directly minimize the presence of harmful ransomware occurrences impacting American companies. Every company must urgently address vulnerabilities discovered by this program and follow solid security measures in line with the U.S. government’s assistance on StopRansomware.gov.” CISA also urges critical infrastructure organizations to report ransomware attacks to the U.S. government through the FBI's Internet Crime Complaint Center or CISA's incident reporting system.
The RVWP program is the latest in a series of initiatives introduced by CISA over the last two years in response to ransomware attacks on critical infrastructure organizations and government institutions, including the attacks on JBS Foods, Kaseya, and Colonial Pipeline. These efforts include adding a Ransomware Readiness Assessment (RRA) module to its Cyber Security Evaluation Tool (CSET), creating a public-private partnership called the Joint Cyber Defense Collaborative (JCDC) to proactively collect, assess, and share actionable cyber risk data, and launching its Stop Ransomware website, which serves as a one-stop shop for alerts and ransomware information.