HC3 warns HCOs to fortify against cybercriminal group FIN11 now

The agency says that FIN11 uses a variety of TTPs and has gained access to more organizations than it is able to monetize, choosing to initiate zero-day exploits based on an organization's location and security posture.
By Andrea Fox
11:12 AM

Given FIN11's history of running widespread campaigns that exploit zero-day vulnerabilities in software commonly used in the healthcare sector to steal data and deploy ransomware, HCOs should "consider FIN11 a top priority for their security teams."

WHY IT MATTERS

HC3 released a new threat actor profile last week about FIN11, a cybercriminal collective originating from the Commonwealth of Independent States.

"FIN11 often runs high-volume operations mainly targeting companies in various industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP)," the agency said in the profile.

FIN11 overlaps with Odinaff, SectorJ04, TA505, TEMP.Warlock, Lace Tempest, DEV-0950, Hive0065 and Group G0092; HC3 analysts list a number of malware associations and all known tactics, techniques and procedures.

FIN11 may have been involved in the recent mass exploitation of vulnerabilities in MOVEit and other file transfer tools, as well as in the exploitation of several other vulnerabilities since the onset of the COVID-19 pandemic, according to a report in the HIPAA Journal.

THE LARGER TREND

HC3 said the recent exploitation of a zero-day vulnerability in the MOVEit Transfer secure managed file transfer software is attributed to FIN11.

"The list of organizations that have disclosed data breaches following these attacks include a national public healthcare system," the analysts said.

Last week a joint advisory from the Cybersecurity and Infrastructure Security Agency and the FBI warned health systems and others about the TTPs of Clop ransomware attacks on managed file transfer (MFT) software.

CISA's summary said CL0P is using LEMURLOOT, a web shell written in C# and designed to target the MOVEit Transfer platform; the agency has also added the MOVEit Transfer vulnerability to its Known Exploited Vulnerabilities Catalog.

ON THE RECORD

"While HC3 cannot confirm exactly how many and which CL0P ransomware attacks may be attributed to FIN11, HC3 has observed around 30 incidents involving CL0P ransomware in the U.S. [healthcare and public health sector] since 2021," the agency said in the report.

"These affected organizations either provided direct patient care or were considered health plans and/or payers."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
