Roundup: CISA, HC3 warn about new ransomware and DDoS exploits
The Health Sector Cybersecurity Coordination Center, or HC3, warned this week about a new ransomware with a shared encryption feature designed to entice victims with the promise of streamlined data recovery. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency gave other federal agencies until the end of the month to address five specific exploits uncovered on Patch Tuesday. These alerts are just two of the healthcare cybersecurity trends we're watching this week.
NoEscape ransomware and shared encryption
HC3 said in its October 12 analyst note that NoEscape ransomware-as-a-service emerged in May 2023.
NoEscape is believed to be a rebrand of Avaddon, a ransomware group defunct as of 2021, but its unknown developers claim to have developed the malware from scratch, HC3 said.
"Using unique features and aggressive multi-extortion tactics, in just under a year, it has targeted multiple industries, including the healthcare and public health sector."
The alert provides an overview of the group, an analysis of NoEscape’s ransomware attacks, sample MITRE ATT&CK techniques, recommended defense and mitigations, and more.
Nearly 25% of attacks are aimed at U.S. targets, said HC3. "Of the known attack victims, one cybersecurity company noted only two victims in the healthcare sector as having been targeted by NoEscape."
Written in C++, NoEscape is capable of encrypting data on Windows NT 10.0 operating systems and Linux machines, as well as VMware ESXi.
It is unique in that it offers a shared encryption feature seemingly to facilitate quick decryption if a ransom is paid, HC3 said.
"Victims of the ransomware find notes titled 'HOW_TO_RECOVER_FILES.TXT' in each folder with encrypted files."
New CISA ransomware resources
Ransomware attacks are so pervasive that CISA announced last week that its Known Exploited Vulnerabilities catalog can now be sorted by vulnerabilities "known to be used in ransomware campaigns." It also posted a list of commonly exploited misconfigurations and weaknesses, which includes information that is not CVE-based.
The agency also highlighted specific vulnerabilities announced earlier this week that it urges organizations to patch, or to discontinue using, as soon as possible.
While Microsoft announced more than 100 vulnerabilities, CISA highlighted two in particular: Microsoft Skype for Business's CVE-2023-41763 and WordPad's CVE-2023-36563.
Skype for Business contains an unspecified vulnerability that allows for privilege escalation, according to CISA.
WordPad, meanwhile, contains an unspecified vulnerability that allows for information disclosure, which should be of particular concern to HIPAA-covered entities.
Adobe Acrobat and Reader's CVE-2023-21608 is a use-after-free vulnerability that allows for code execution in the context of the current user, said CISA.
The Group Encrypted Transport VPN feature of Cisco IOS and IOS XE – CVE-2023-20109 – contains an out-of-bounds write vulnerability that could allow an authenticated remote attacker who has administrative control of either a group member or a key server to execute malicious code or cause a device to crash.
DDoS attacks via Rapid Reset
CISA's October 10 alert said the HTTP/2 vulnerability CVE-2023-44487, also known as Rapid Reset, has been exploited since August, while Google and others said that the vulnerability facilitated some of the largest distributed denial-of-service attacks on record.
The Israel-Hamas conflict that began October 7 has accelerated DDoS attacks that could potentially affect the U.S. healthcare sector, according to Denise Anderson, president of the Health Information Sharing and Analysis Center, in an interview with Information Security Media Group last week. She noted that H-ISAC alerted members to CISA's alert.
In 2016, DDoS attacks increased 13% on healthcare targets, according to a report prepared for Healthcare IT News by Neustar.
We've reached out to a number of international and Israel-based vendors in the HIT space, but at this time, they are not able to comment on risks to U.S. healthcare organizations.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.