New Alerts for Healthcare Cybersecurity Threats

Healthcare organizations face an ever-evolving cybersecurity threat landscape with new ransomware groups and attack methods consistently emerging. The U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center issued new alerts for healthcare cybersecurity threats.

Below are the threats the federal agency is calling attention to:

Godzilla Webshell

Godzilla Webshell is a Chinese-language backdoor used by cyber threat actors to execute commands, manipulate files, and carry out other malicious activity on victim systems as part of a larger cyberattack. The tool has been used to target healthcare and other industries. It is publicly available, making it accessible to any number of bad actors, and should be treated as a serious threat.

Godzilla avoids detection by using Advanced Encryption Standard encryption for its network traffic. It facilitates file management and manipulation, including uploading, downloading, deleting, and modifying files on a victim system. Godzilla enables the collection of details related to operating systems, network configurations, and versions of software and applications.

Federal agencies have said that, because of Godzilla's broad functionality and continuous development, it is not practical to publish a fixed set of defense and mitigation steps.

Learn more about Godzilla Webshell.

Scattered Spider

Scattered Spider is a financially motivated threat actor that has used malware, ransomware including ALPHV/BlackCat, and other strategies to target organizations in multiple industries, including healthcare. The group has been active since 2022 and is believed to be made up of people based in the UK and US. Scattered Spider also uses advanced social engineering techniques, including voice phishing and leveraging AI to spoof victims' voices, to obtain initial access to targeted organizations. Federal agencies claim the group uses social engineering to attack healthcare IT help desks. The American Hospital Association (AHA) issued a warning about this type of attack in January 2024.

The FBI and CISA recommended the below mitigations to defend against Scattered Spider:

• Implementing application controls.
• Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.
• Strictly limiting the use of Remote Desktop Protocol (RDP) and other remote desktop services.

Learn more about Scattered Spider.

Living off the Land

Living off the Land (LOTL) cyber-attacks involve intruders using legitimate software and functions already present on the system to perform malicious actions. Threat actors search the target systems for tools they can use to bypass traditional security measures and disguise their actions as legitimate system processes. LOTL attacks are particularly effective against healthcare systems that rely on a wide range of trusted tools and technologies. These attacks can be more effective than traditional malware attacks because they are more difficult to detect with security tools, and they grant the attacker more time to escalate privileges, steal data, and plant backdoors for future access.

Recommended strategies to prevent LOTL attacks include:

Limit the Use of Scripting Languages: Because LOTL attacks rely on scripting languages to execute malicious code, limiting the use of scripting languages or implementing strict controls over them can reduce the risk of these attacks.
Implement Least-privilege Access Controls: Limiting access to sensitive data and resources can help reduce the risk of LOTL attacks by ensuring that users only have access to the data and resources they need to perform their job functions.
Adopt Zero-Trust Architecture: In a zero-trust architecture, no entity is automatically trusted. Instead, every access request is thoroughly verified before granting access.
User & Entity Behavioral Analytics Tools: These tools analyze user and entity activity over a period and build a baseline of typical behavior, providing a basis for detecting deviations from normal. Organizations can also use these tools for account monitoring, as account monitoring and management controls can detect and prevent unauthorized activities by providing full visibility into work environments.
Indicators of Attack (IOAs): Indicators of attack (IOAs) can reduce the risk of LOTL attacks. IOAs include signs such as code execution, lateral movement, and actions that appear to disguise the intruder's true intent.
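The last two items, a per-user behavioral baseline and a set of indicators of attack, can be combined into a small detector that runs over process-creation events. The Python below is an added example written for this page; it is not tooling from HC3, the FBI/CISA, or CompliancePoint. The user names, process events, dual-use binary list, and command-line patterns are constructed for illustration, and a production UEBA tool would draw its baseline from weeks of telemetry rather than a handful of events.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, as an EDR or Sysmon-style sensor would report it."""
    user: str      # account that launched the process
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line


# Legitimate Windows binaries that LOTL activity frequently borrows.
# Illustrative list for this example, not an exhaustive catalogue.
DUAL_USE_BINARIES = {
    "powershell.exe", "wmic.exe", "certutil.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "bitsadmin.exe", "cscript.exe", "wscript.exe",
}

# Office applications should not normally be the parent of a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Indicators of attack expressed as command-line patterns (constructed for this example).
IOA_PATTERNS = {
    "encoded_powershell": re.compile(r"(?:^|\s)-(?:e|enc|encodedcommand)\s", re.I),
    "certutil_download": re.compile(r"certutil(?:\.exe)?\b.*-urlcache", re.I),
    "remote_wmic": re.compile(r"wmic(?:\.exe)?\b.*/node:", re.I),
}


def build_baseline(history):
    """Map each user to the set of process images they have been seen running."""
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev.user.lower()].add(ev.image.lower())
    return dict(baseline)


def score_event(ev, baseline):
    """Return the list of findings for one event; an empty list means nothing unusual."""
    findings = []
    image = ev.image.lower()
    known = baseline.get(ev.user.lower(), set())
    # Behavioral deviation: a binary this user has never run before.
    if image not in known:
        findings.append("unusual_binary_for_user")
        # Dual-use binaries are only flagged when they are new for the user,
        # so administrators who use them routinely do not generate noise.
        if image in DUAL_USE_BINARIES:
            findings.append("dual_use_binary")
    # Structural IOA: an Office document spawning a script host or admin utility.
    if ev.parent.lower() in OFFICE_PARENTS and image in DUAL_USE_BINARIES:
        findings.append("office_spawned_dual_use_binary")
    # Command-line IOAs apply regardless of the baseline.
    for name, pattern in IOA_PATTERNS.items():
        if pattern.search(ev.cmdline):
            findings.append(name)
    return findings


def detect(history, live):
    """Build the baseline from history and return (event, findings) for each live event that hits."""
    baseline = build_baseline(history)
    hits = []
    for ev in live:
        findings = score_event(ev, baseline)
        if findings:
            hits.append((ev, findings))
    return hits


# Constructed sample telemetry: a clinical user and an administrator.
HISTORY = [
    ProcEvent("nurse.jdoe", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent("nurse.jdoe", "explorer.exe", "winword.exe", "winword.exe"),
    ProcEvent("nurse.jdoe", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent("nurse.jdoe", "explorer.exe", "ehr_client.exe", "ehr_client.exe"),
    ProcEvent("admin.rsmith", "explorer.exe", "powershell.exe", "powershell.exe"),
    ProcEvent("admin.rsmith", "explorer.exe", "mmc.exe", "mmc.exe services.msc"),
]

LIVE = [
    ProcEvent("nurse.jdoe", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent("admin.rsmith", "explorer.exe", "powershell.exe", "powershell.exe Get-Service"),
    ProcEvent("nurse.jdoe", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc QUJDREVG"),  # placeholder base64, not a payload
    ProcEvent("admin.rsmith", "cmd.exe", "wmic.exe", "wmic.exe /node:WS-042 os get caption"),
]

if __name__ == "__main__":
    for ev, findings in detect(HISTORY, LIVE):
        print(f"{ev.user}: {ev.parent} -> {ev.image} :: {', '.join(findings)}")
```

The administrator's routine PowerShell use produces no finding because it is part of that account's baseline, while the same binary launched from Word under a clinical account is flagged four ways. Tuning in practice is about the baseline window and which findings are escalated alone versus only in combination.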

Learn more about Living off the Land.

Vendor Vulnerabilities

The recent alerts for healthcare cybersecurity threats also included warnings about Oracle’s Fusion Middleware and its ADF Faces framework and F5 Networks’ BIG-IP software and hardware.

CompliancePoint has a team of experienced professionals dedicated to helping healthcare organizations design and implement effective cybersecurity programs. We also help our customers achieve HIPAA compliance and HITRUST certification. Reach out to us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.