Alert - Renewed Cyber Threats to Canadian Health Organizations

Number: AL20-026
Date: 30 October 2020

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

On 28 October 2020 the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a Joint Cybersecurity Advisory [1] to highlight credible information regarding an imminent and increased threat to the United States healthcare and public health sectors. The Cyber Centre assesses that this threat extends to Canadian healthcare providers.

DETAILS

Coinciding with the Joint Cybersecurity Advisory was the publication on 28 October 2020, by FireEye, [2] of information regarding campaigns against various organizations, including hospitals and medical centres. Specifically, the FireEye report highlighted tactics, techniques, and procedures employed by the threat actors in these campaigns, as well as campaign indicators.

The COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations when involved in the national response to the pandemic, including but not limited to medical care, research, manufacturing, distribution and policy-making organizations. Specifically:

• Sophisticated threat actors may attempt to steal the intellectual property (IP) of organizations engaged in research and development related to COVID-19, or sensitive data related to Canada’s response to COVID-19; and
• Cyber criminals may take advantage of the COVID-19 pandemic, using the increased pressure being placed on Canadian health organizations to extort ransom payments or mask other compromises.

Ransomware

The impact of ransomware on Canadian organizations involved in supporting Canada’s response to the COVID-19 pandemic could be more severe than in a non-crisis environment. It is therefore recommended that organizations take extra precautions in identifying, as early as possible, potential vulnerabilities and inadequate security controls that may lead to an infection resulting in ransomware being deployed. The Cyber Centre strongly advises that all organizations become familiar with and practice their business continuity plans, including restoring files from back-ups and moving key business elements to back-up infrastructure.

Malicious Actor Tool Evolution

On 4 October, the Cyber Centre reported on the deployment of Ryuk ransomware [3] within Canada, the final stage of exploitation after a victim’s systems have been compromised of tools such as Trickbot. More recently, researchers have identified that malicious actors have begun using new tools and techniques in order to compromise victims more covertly and to deploy ransomware such as Conti, often cited as the successor of Ryuk ransomware.

The first of these tools is BazarLoader, which plays a similar role as Trickbot while being more covert. Like Trickbot, BazarLoader has been observed being used for initial compromise, typically via a phishing email, and providing a backdoor through which additional malware is introduced to the network. BazarLoader appears to be the new preferred vector when a high-value target is being pursued, possibly due to the high detection rates of Trickbot.

Once access to the network is established, Anchor is used to maintain a presence on the network. The Anchor project consists of a framework of tools that allows the actors to leverage multiple methods of malicious activity against higher-profile victims.  This framework is designed to covertly upload tools, and, when complete, to remove evidence of malicious activity. Like BazarLoader, Anchor appears to have close ties to Trickbot.

MITIGATION

In view of these threats, the Cyber Centre recommends that all Canadian health organizations involved in the national response to the pandemic take appropriate measures to ensure that they are actively engaged in cyber defense best practices.

Special consideration should be given to the following publications for guidance:

• Always keep in mind these top 10 security actions:
  • https://cyber.gc.ca/en/top-10-it-security-actions
     
• Technical Approaches to Uncovering and Remediating Malicious Activity:
  • https://cyber.gc.ca/en/guidance/joint-cybersecurity-advisory
     
• Stay aware of ongoing phishing activities related to COVID-19:
  • https://cyber.gc.ca/en/guidance/cyber-hygiene-covid-19
     
• Employees working from home could put a strain on telework services. Ensure appropriate security policies have been put in place, and monitor logs for malicious activity:
  • https://www.cyber.gc.ca/en/guidance/telework-security-issues-itsap10016
  • https://www.cyber.gc.ca/en/guidance/virtual-private-networks-itsap80101
     
• Review recently published Alerts and Advisories highlighting vulnerabilities that may affect your environment:
  • https://cyber.gc.ca/en/alerts-advisories
     
• Organizations that do not have a robust cyber defense capability and could be considered at high risk for this activity are strongly encouraged to consider consulting with private vendors to improve Cyber Defence such as those outlined in the Cyber Centre publication “Cyber Security for Healthcare Organizations: Protecting Yourself Against Common Cyber Attacks (ITSAP.00.131)”:
  • https://cyber.gc.ca/en/guidance/cyber-security-healthcare-organizations-protecting-yourself-against-common-cyber-attacks

INDICATORS OF COMPROMISE

Joint US Cyber Security Alert AA20-302A IOCs [1]:
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A.stix.xml

Abuse.CH Trickbot C2 tracker:
https://feodotracker.abuse.ch/browse/trickbot

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser - UNC1878 Indicators [2]:
https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456

Ryuk Ransomware: Extensive Attack Infrastructure Revealed:
https://community.riskiq.com/article/0bcefe76

REFERENCES

[1] Joint Cybersecurity Advisory - Ransomware Activity Targeting the Healthcare and Public Health Sector (AA20-302A):
https://us-cert.cisa.gov/ncas/alerts/aa20-302a

[2] FireEye Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser:
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

[3] Ryuk Ransomware Campaign:
https://cyber.gc.ca/en/alerts/ryuk-ransomware-campaign

NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment.  We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

Should organizations identify activity associated to that described in this Alert, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).