Ransomware roundup: TimisoaraHackerTeam (THT) attacks cancer centers; KillNet’s ‘Sudanese’ member; 101K ChatGPT accounts infostolen; LockBit attacker arrested on Federal charges

TimisoaraHackerTeam (THT) attacked an unnamed US cancer center with malware in June, demanding a ransom of 10 bitcoins ($300,176). The Central European, possibly Romanian-based group (named after a Romanian town) was uncovered in 2018 and was last tracked to an April 2021 attack on a French hospital. The malware gets in using legitimate software, Microsoft BitLocker and Jetico’s BestCrypt. Reports state that it targeted Fortinet’s FortiOS SSL-VPN to exploit CVE-2022-42475, a heap-based buffer overflow vulnerability that allows remote attackers to execute code or commands using specially crafted requests. THT may be linked to other malefactors such as DeepBlueMagic and China-based APT41, based on the software used and the style of its ransom notes. DeepBlueMagic disabled an Israeli medical center, Hillel Yaffe, in October 2021.

The cancer center and Heimdal Security were able to reclaim the hacked records through the use of decryption software, as the records were only partially encrypted, avoiding the ransomware payment. HHS’ Office of Critical Infrastructure Protection has issued its notification with details on the attack here (PDF). SC Magazine, Healthcare Dive

KillNet, the Russia-based agglomeration of anti-Western hacktivist groups, has a possible new member in the interestingly named Anonymous Sudan. Their modus operandi is to use distributed denial of service (DDoS) attacks in response to the anti-Islamic views or actions of Western organizations (to date, 24 Australian ones), but the DDoS claims are smokescreens that not only tie up cyberdefense resources and generally spread panic and disinformation, but also gain publicity for the group. Cyber researchers CyberCX noted that their DDoS attacks have been intense, but unusual in that Sudan (the country) apparently has not instigated the attacks, nor have the attacks been monetized. SC Magazine

Surprise, surprise–infostealers using malware to get into ChatGPT accounts. Once into the accounts, the malware infects browsers to collect saved credentials, bank card details, crypto wallet information, cookies, browsing history, and other information. Most of the affected devices are in Asia-Pacific. The malware is for sale on the dark web. Most of the 101,134 accounts tallied by Group-IB were breached by Raccoon/RecordBreaker (78,348), while the remainder were hit by Vidar (12,984) and RedLine (6,773). ChatGPT is being downloaded individually and often introduced into enterprise systems from personal devices without the usual IT security and vetting. LLMs for now are unsecured and for hackers, it’s ‘happy time’. SC Magazine

But sometimes the bad actors get caught and dragged back to New Jersey. The FBI finally caught up to Russian national Ruslan Magomedovich Astamirov, who is accused of being part of the ransomware gang dubbed LockBit. The two counts filed in the Federal District of New Jersey center on conspiracy to commit fraud and related activity in connection with computers, plus the ever-popular conspiracy to commit wire fraud for the usual extortion of money and property between 2020 and 2023. The attacks were on businesses based in West Palm Beach, France, Tokyo, and Virginia, and received about $90 million in ransom payments. Astamirov sent emails and owned IP addresses, including Amazon and Microsoft accounts used in the fraud. NJ was chosen as the location for the Court since there was one LockBit victim in Essex County. SC Magazine, Criminal Complaint filed against Astamirov (PDF)

Killnet racks up 22 more healthcare cybervictims and data thefts; whitepaper on best defense practices

Ransomware attacks keep rolling through healthcare organizations. The latest tally just for Killnet, the rogue group of pro-Russian hacktivists, is up to 22 hospitals from Los Angeles to Egg Harbor, NJ. Becker’s HealthIT on Tuesday reported on 17 listed by BetterCyber on 31 January with another six yesterday. (BetterCyber’s Twitter feed subtracted Dartmouth Health Cheshire Medical Center from the victim list yesterday, thus 22.) Most affected are regional and community hospitals.

According to SC Media’s report on an HHS Cybersecurity Coordination Center (HC3) Alert, health and personal data were ‘exfiltrated’ onto the Killnet list. Quite oddly, and this Editor is sure it’s just a coincidence, the HC3 analyst note linked is offline; on a search to cross-check the link, the HHS pages show up in index form. Also Becker’s HealthIT 1 Feb 

The attacks were DDoS (distributed denial of service), described by HC3 as “thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems.” This ties up IT and slows down services such as websites or information portals. The danger in DDoS attacks, as noted in previous coverage [TTA 22 Dec 22] is that DDoS can be cover for other cybercrimes or information gathering in preparation for same. 

How can a healthcare organization ‘keep calm’ and lessen the impact of a cyberattack, as it’s ‘not if, but when?’ A whitepaper by Cynerio focuses on microsegmentation, a network security technique that logically divides the data center into distinct security segments down to the individual workload/workflow level, and then defines security controls for each segment. (In marketing, market profiling down to buyer personas is similar.) The paper looks at how organizations should focus on four areas: visibility, risk mitigation, real-time defense, and regulatory compliance, then work through multiple considerations. Happily, the whitepaper (no registration required) is mostly understandable to those outside of IT. It also provides three case studies and checklists. Cynerio is a NYC-based healthcare-focused cybersecurity management company that helps hospitals to manage risk and secure their IoT, IoMT, and unmanaged IT and mobile devices.
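To make the microsegmentation idea above concrete, here is an added example (written for this post, not Cynerio’s product or anything from the whitepaper) of a default-deny segment policy evaluated against a handful of network flows. The segment names, the address ranges (RFC 1918 space), the allowed ports and the sample flows are all constructed for illustration; a real deployment would take them from its own asset inventory.

```python
"""Default-deny microsegmentation policy check (added example, constructed data)."""
import ipaddress

# Segments: name -> address ranges. Constructed for this example.
SEGMENTS = {
    "workstations": ["10.10.0.0/16"],
    "ehr-app": ["10.20.1.0/24"],
    "ehr-db": ["10.20.2.0/24"],
    "imaging-iomt": ["10.30.0.0/24"],   # infusion pumps, scanners, etc.
    "pacs": ["10.30.1.0/24"],
}

# Allow-list of (source segment, destination segment, protocol, port).
# Anything not listed here, including traffic inside one segment, is denied.
ALLOW = [
    ("workstations", "ehr-app", "tcp", 443),
    ("ehr-app", "ehr-db", "tcp", 5432),
    ("imaging-iomt", "pacs", "tcp", 104),   # DICOM
    ("workstations", "pacs", "tcp", 443),
]

# Pre-parse the networks once so each lookup is cheap.
_NETWORKS = [(name, ipaddress.ip_network(n)) for name, nets in SEGMENTS.items() for n in nets]


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside every range."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETWORKS:
        if addr in net:
            return name
    return "unknown"


def evaluate(flow):
    """Decide one flow (src_ip, dst_ip, proto, dst_port) -> ('allow'|'deny', reason)."""
    src, dst, proto, dport = flow
    s, d = segment_of(src), segment_of(dst)
    label = f"{s}->{d} {proto}/{dport}"
    if (s, d, proto, dport) in ALLOW:
        return "allow", label
    return "deny", f"no rule for {label}"


def audit(flows):
    """Return the flows the policy would block, with reasons, for alerting or review."""
    return [(flow, reason) for flow in flows
            for verdict, reason in [evaluate(flow)] if verdict == "deny"]


# Constructed sample flows: two legitimate paths, one direct workstation-to-database
# attempt, one IoMT device reaching for an EHR server over SMB, and an outside address.
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.1.10", "tcp", 443),
    ("10.20.1.10", "10.20.2.5", "tcp", 5432),
    ("10.10.5.20", "10.20.2.5", "tcp", 5432),
    ("10.30.0.14", "10.20.1.10", "tcp", 445),
    ("10.30.0.14", "10.30.1.2", "tcp", 104),
    ("192.0.2.9", "10.20.2.5", "tcp", 5432),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, reason)
```

The point of the allow-list shape is that a compromised workstation or infusion pump cannot reach the database tier directly; it can only talk to the application servers on the ports the policy names, which is the containment the whitepaper’s “down to the workload” wording is after.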

‘KillNet’ Russian hacktivist group targeting US, UK health info in Ukraine revenge: HHS HC3 report

Warnings about DDoS (distributed denial of service) ramped up at the end of last year–only three weeks ago. Here’s one reason why. “KillNet” is a pro-Russian hacktivist (hackers who advance a cause) group that recently claimed responsibility for DDoS attacks as payback for US and UK military support of Ukraine. A senior member of KillNet with the nom de guerre Killmilk has threatened the US in general “with the sale of the health and personal data of the American people because of the Ukraine policy of the US Congress”.

The US Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3)’s Analyst Note (link to PDF) gave two examples of KillNet claims:

  • A “US-based healthcare organization that supports members of the US military and claimed to possess a large amount of user data from that organization”
  • Hacking threats against the NHS, specifically ventilators in hospitals and the Ministry of Health. This was in reaction to the May 2022 arrest of a 23-year-old alleged KillNet member accused of being connected to attacks on Romanian government websites. KillNet demanded his release in return for not attacking. Daily Mail  

Other institutions are hardly exempt. In the UK, KillNet DDoS attacks in November reportedly affected Bankers Automated Clearing Service (BACS), the London Stock Exchange, and the official website of the Prince of Wales. Computer Weekly

DDoS attacks are their leading weapon. KillNet uses publicly available DDoS scripts and IP stressers for most of its operations although it has its own. Before aligning with Russian state interests, it was a hacking-for-hire operation available for $1,350 per month, including a single botnet with a capacity of 500GB per second and 15 computers. This Editor noted previously that DDoS attacks may be a convenient cover or smokescreen for other cybercrime activity. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks may be taking place. [TTA 22 Dec 22].

This updates an earlier Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Advisory (CSA) jointly issued by the US, UK, Australia, and New Zealand (the Five Eyes group), that broadly assessed multiple threats from Russian state organizations such as the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR), as well as cybercrime groups like KillNet which have aligned themselves for the duration with Russia. KillNet has grown over the past year and now has subgroups organized under Cyber Special Forces of the Russian Federation and LEGION 2.0. SOC Radar

The best defense is a good offense. HC3’s advice on preparation to mitigate a DDoS threat includes enabling web application firewalls to mitigate application-level DDoS attacks and implementing a multi-content delivery network (CDN) solution to minimize the threat of DDoS attacks by distributing and balancing web traffic across a network. The HC3 Analyst Note is heavily footnoted with other sources for additional incidents. SC Media, Cybernews
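HC3’s description of a DDoS (thousands of connection requests per minute to one server) and its advice above are about mitigation; the added example below shows the detection side, which is how an IT team would notice such a flood in its own web-server logs before the site slows down. This is example code written for this post, not HC3’s or anyone else’s tooling. The access-log lines are constructed inline (documentation address ranges, an invented patient-portal path), and the 100-requests-per-minute threshold is an assumption that a real site would tune from its normal traffic baseline.

```python
"""Sliding-window request-rate detector for web-server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the client address, timestamp, request line and status of an
# Apache/nginx "combined" format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def peak_rates(lines, window=timedelta(seconds=60), key=None):
    """Peak number of requests seen inside any sliding window, grouped by key.

    key(ip, ts, req) chooses the grouping; the default groups by client address.
    Passing a constant key measures the whole stream, which matters because a
    botnet flood may keep each individual source below a per-address threshold.
    """
    key = key or (lambda ip, ts, req: ip)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            events[key(*parsed)].append(parsed[1])
    peaks = {}
    for k, stamps in events.items():
        stamps.sort()
        recent = deque()
        best = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:   # drop timestamps that fell out of the window
                recent.popleft()
            best = max(best, len(recent))
        peaks[k] = best
    return peaks


def flag_floods(lines, threshold=100, window=timedelta(seconds=60)):
    """Client addresses whose peak rate in any window reaches the threshold."""
    return {ip: n for ip, n in peak_rates(lines, window).items() if n >= threshold}


def fmt_line(ip, ts, request, status):
    """Render one combined-format log line (used only to build the constructed sample)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} 512'


def build_sample_log():
    """Constructed log: one flooding source and two ordinary visitors."""
    base = datetime(2023, 2, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Flooding source: 120 requests in 30 seconds, server already answering 503.
    for i in range(120):
        lines.append(fmt_line("198.51.100.23", base + timedelta(milliseconds=250 * i),
                              "GET /patient-portal/ HTTP/1.1", 503))
    # Ordinary visitor: six page views spread over several minutes.
    for i in range(6):
        lines.append(fmt_line("203.0.113.7", base + timedelta(seconds=40 * i),
                              "GET /appointments HTTP/1.1", 200))
    # Another ordinary visitor: three quick requests.
    for i in range(3):
        lines.append(fmt_line("203.0.113.55", base + timedelta(seconds=10 * i),
                              "GET /contact HTTP/1.1", 200))
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print("per-source floods:", flag_floods(sample))
    print("whole-site peak per minute:", peak_rates(sample, key=lambda ip, ts, req: "all")["all"])
```

Per-source counting catches a single noisy client; the whole-stream count (constant key) is the one to alert on for a distributed flood, and both feed naturally into the WAF rate-limit rules and CDN front-ending that HC3 recommends.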