The boozy names might sound like the kind of thing conjured up in a frat-house common room, but malware families Kegtap, Singlemalt and Winekey are being used to gain initial network access in potentially lethal ransomware attacks on healthcare organizations in the midst of a global pandemic, researchers said in newly released findings.
The shot? The rampant spread of COVID-19 has put a tremendous strain on the U.S. healthcare system. The chaser? Cybercriminals are getting better than ever at exploiting that life-and-death crisis to turn a profit.
Who could use a drink?
Mandiant published a report this week laying out the signature tactics of the Kegtap/BEERBOT, Singlemalt/STILLBOT and Winekey/CORKBOT attacks, which researchers said have targeted hospitals, retirement communities and medical centers, “demonstrating a clear disregard for human life.”
Mandiant researchers observed the same malware being used against a variety of other sectors and organizations as well, and found a few commonalities across the intrusions.
The Malware
The phishing emails, designed to mimic everyday business correspondence such as contracts, personnel paperwork or complaints, carry a link not to the malware payload itself but to a Google Doc, PDF or similar document, which in turn contains the in-line link to the malware.
“Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies,” the report said. “Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.”
Kegtap, Singlemalt and Winekey (a.k.a. Bazar variants) act as first-stage loaders, which establish a foothold on a device before fetching malware for the next stage of the attack.
In this case, the criminals use them to download common post-exploitation tooling, such as Cobalt Strike’s Beacon implant and/or Powertrick, to establish a presence. Following initial compromise, Beacon is used to maintain the intruders’ access across reboots, the report said, and it is the most frequently observed backdoor in these attacks.
Cobalt Strike, PowerShell Empire, PowerSploit and Metasploit are a group of dual-use tools used for both legitimate tasks as well as nefarious ones, according to Cisco researcher Ben Nahorney. These pen-testing tools are intended to help security professionals identify weaknesses in their network defenses, but in the wrong hands they can supercharge attacks.
Beacon has also been used to deploy “PowerLurk’s Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit and RegShot,” the report said.
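The subscription-based process killing described above leaves a durable artifact: a permanent WMI event filter, a consumer, and a binding between them in the root/subscription namespace. The following hunt script is an added example, not code from the Mandiant report, Threatpost or PowerLurk. It enumerates those objects on the local host and flags any binding whose filter watches process creation and whose consumer runs a kill action, or whose filter or consumer names one of the security tools listed in the report. The process-name list and the kill-command patterns are assumptions about how such a subscription would be written; adjust them to what your EDR telemetry shows.

```powershell
# Added example (not from the Mandiant report or PowerLurk): hunt a host for permanent
# WMI event subscriptions of the kind Register-MaliciousWmiEvent creates, i.e. an
# __EventFilter watching Win32_Process creation bound to a consumer that kills the
# process. Read-only unless -Remove is given. Run in an elevated PowerShell.
[CmdletBinding()]
param([switch]$Remove)

# Process names the report lists as targets. It is an assumption that the kill
# logic references them in the WQL query or in the consumer's command line.
$watchedTools = 'taskmgr','wireshark','tcpview','procdump','procexp','procmon',
                'netstat','psloggedon','logonsessions','processhacker','autoruns',
                'autorunssc','regedit','regshot'

$ns = 'root/subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# The Filter/Consumer properties of a binding are references; depending on the
# provider they surface as a CimInstance or as a string like '__EventFilter.Name="x"'.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        return [regex]::Match($ref, 'Name="([^"]+)"').Groups[1].Value
    }
    return $ref.Name
}

function Test-TargetsTool([string]$text) {
    if (-not $text) { return $false }
    $t = $text.ToLowerInvariant()
    foreach ($tool in $watchedTools) { if ($t.Contains($tool)) { return $true } }
    return $false
}

$findings = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    $query  = if ($f) { $f.Query } else { '' }
    # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer
    # carries ScriptText; only one of the two is populated for a given consumer.
    $action = if ($c) { "$($c.CommandLineTemplate)$($c.ScriptText)" } else { '' }

    $watchesProcs = $query  -match '(?i)win32_process|__InstanceCreationEvent'
    $kills        = $action -match '(?i)taskkill|stop-process|\.terminate\('
    $namesTool    = (Test-TargetsTool $query) -or (Test-TargetsTool $action)

    if (($watchesProcs -and $kills) -or $namesTool) {
        $reason = if ($namesTool) { 'names a security tool' } else { 'process watcher bound to a kill action' }
        [pscustomobject]@{
            Filter   = $fName
            Query    = $query
            Consumer = $cName
            Action   = $action
            Reason   = $reason
        }
        if ($Remove) {
            # Unbind first, then drop the filter and consumer so nothing re-fires.
            $b | Remove-CimInstance
            if ($f) { $f | Remove-CimInstance }
            if ($c) { $c | Remove-CimInstance }
        }
    }
}

if ($findings) { $findings | Format-List } else { "No suspicious WMI subscriptions in $ns" }
```

Run it read-only first and review the output before passing -Remove; legitimate software (backup agents, SCCM) also registers permanent subscriptions, and the heuristics above will not distinguish a benign process watcher from a malicious one unless it references a kill command or one of the listed tool names. Sysmon event IDs 19, 20 and 21 record the creation of these same objects and give you the timeline this point-in-time sweep cannot.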
The actors then escalate privileges, most often with valid credentials, which the report says are obtained through “exported copies of the ntds.dit Active Directory database and system, and security registry hives from a Domain Controller.”
Beacon, along with publicly available tools like BloodHound, SharpHound or ADfind, is then deployed for reconnaissance, the researchers added, enabling the actors to move laterally and expand their footprint across the compromised network.
The Ransomware Payload
The main goal of the mission, according to the report, is to deliver a Ryuk payload.
“There is evidence to suggest that Ryuk ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis,” the report continued.
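The credential theft, reconnaissance and PsExec deployment steps above all leave traces in standard Windows event logs. The sweep below is an added example, not code from the Mandiant report or Threatpost; the command-line patterns it looks for (ntdsutil IFM, VSS snapshots, reg save of the SAM/SYSTEM/SECURITY hives, ADfind, SharpHound, PsExec) are assumptions drawn from the common tooling for these techniques, not indicators published by Mandiant. It reads Security 4688 process-creation events and System 7045 service-installation events from one host.

```powershell
# Added example (not from the Mandiant report): sweep a host's event logs for the
# tradecraft described above. Patterns are assumptions based on common tooling for
# ntds.dit export, AD recon and PsExec, not indicators published by Mandiant.
param([int]$Hours = 72, [string]$Computer = $env:COMPUTERNAME)

$since = (Get-Date).AddHours(-$Hours)

# Regex -> label, matched against the command line of Security 4688 events.
# 4688 only carries the command line when "Include command line in process creation
# events" is enabled; otherwise the match falls back to the image path alone.
$procRules = [ordered]@{
    '(?i)ntdsutil.*\bifm\b'                                   = 'ntds.dit export via ntdsutil IFM'
    '(?i)vssadmin\s+create\s+shadow'                          = 'VSS snapshot (ntds.dit/hive copy)'
    '(?i)\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)'  = 'registry hive export'
    '(?i)esentutl.*ntds\.dit'                                 = 'ntds.dit copy via esentutl'
    '(?i)\badfind(\.exe)?\b'                                  = 'AD recon (ADfind)'
    '(?i)sharphound|bloodhound|invoke-bloodhound'             = 'AD recon (BloodHound/SharpHound)'
    '(?i)\bpsexec(\.exe)?\b'                                  = 'PsExec launched (lateral movement)'
}

# Pull a named <Data Name="..."> field out of an event's XML rendering.
function Get-EventField([xml]$x, [string]$name) {
    ($x.Event.EventData.Data | Where-Object Name -eq $name).'#text'
}

$findings = @()

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
foreach ($e in (Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $x    = [xml]$e.ToXml()
    $cmd  = Get-EventField $x 'CommandLine'
    $img  = Get-EventField $x 'NewProcessName'
    $text = if ($cmd) { $cmd } else { $img }
    foreach ($rule in $procRules.GetEnumerator()) {
        if ($text -match $rule.Key) {
            $findings += [pscustomobject]@{
                Time    = $e.TimeCreated
                Host    = $Computer
                Finding = $rule.Value
                User    = Get-EventField $x 'SubjectUserName'
                Detail  = $text
            }
        }
    }
}

# System 7045: a new service was installed. PsExec registers PSEXESVC on every target
# it pushes to, and one-shot services wrapping cmd/powershell are a related pattern.
$filter = @{ LogName = 'System'; Id = 7045; StartTime = $since }
foreach ($e in (Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $x    = [xml]$e.ToXml()
    $name = Get-EventField $x 'ServiceName'
    $path = Get-EventField $x 'ImagePath'
    if ($name -match '(?i)psexe' -or $path -match '(?i)psexesvc|powershell|cmd(\.exe)?\s+/c') {
        $findings += [pscustomobject]@{
            Time    = $e.TimeCreated
            Host    = $Computer
            Finding = 'service installed (PsExec or one-shot command service)'
            User    = Get-EventField $x 'AccountName'
            Detail  = "$name -> $path"
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Point it at domain controllers first for the ntds.dit and hive-export rules, since that is where the report says the copies were taken, and at file and application servers for the 7045 trail of a ransomware push. The 7045 heuristic fires on legitimate installers too, so treat a hit as a lead to correlate with the 4688 results and with network logons (4624 type 3) from the same source, not as a verdict.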
The partnership between the developers behind Kegtap, Singlemalt and Winekey and the group behind Ryuk makes this activity particularly noteworthy. Ryuk is operated by an Eastern European actor Mandiant tracks as UNC1878, and it continues to be a prolific threat against healthcare organizations; Charles Carmakal, senior vice president and CTO of Mandiant, says the attacks pose unprecedented dangers to the U.S.
UNC1878’s Ryuk Threat
UNC1878’s Ryuk has been linked to ransomware spread throughout a Canadian government health organization and just this week was used in ransomware attacks against multiple healthcare systems, including Klamath Falls, Ore.-based Sky Lakes Medical Center and New York-based St. Lawrence Health System.
In September, Universal Health Services, a nationwide hospital operator, was hit by a ransomware attack suspected to have been Ryuk.
“UNC1878 is one of most brazen, heartless and disruptive threat actors I’ve observed over my career,” Carmakal told Threatpost.
“Ransomware attacks on our healthcare system may be the most dangerous cybersecurity threat we’ve ever seen in the United States,” Carmakal continued. “Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase.”
Kegtap, Singlemalt and Winekey have also caught the attention of U.S. Cyber Command, which tweeted the Mandiant report with the comment, “The public and private sectors are united against ransomware, especially those actors targeting medical facilities during a pandemic.”
Stopping Ransomware Attacks on Healthcare
The key to stopping these attacks, according to the Mandiant report, is moving quickly to harden service accounts, prevent the use of privileged accounts for lateral movement, block internet access from servers where possible, block newly registered domains using DNS filters or web proxies, and patch Windows and network devices promptly, including the fix for the Zerologon vulnerability (CVE-2020-1472), which has been exploited in these attacks.
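Two of those recommendations, hardening privileged and service accounts and closing Zerologon, can be audited from a domain-joined admin workstation. The script below is an added example and is not part of the Mandiant report. It lists members of the privileged groups that are not in Protected Users, can still be delegated, or carry a service principal name (a privileged account with an SPN is Kerberoastable), and then asks each domain controller whether Netlogon secure-channel enforcement is switched on. It assumes the ActiveDirectory RSAT module, read rights on the domain, and WinRM access to the DCs; the group list is a starting point, not a complete inventory of privileged roles.

```powershell
# Added example (not from the Mandiant report): audit privileged accounts and
# Zerologon enforcement. Assumes the ActiveDirectory module, domain read rights and
# WinRM to each DC. Read-only.
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Privileged accounts usable for lateral movement. Protected Users membership
#    prevents NTLM and cached credentials; "sensitive and cannot be delegated"
#    stops the account's identity being reused from a compromised server.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName)

$privUsers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$privUsers = $privUsers | Sort-Object -Property SamAccountName -Unique

$report = foreach ($u in $privUsers) {
    $acct = Get-ADUser -Identity $u.DistinguishedName -Properties AccountNotDelegated, ServicePrincipalName, PasswordLastSet
    $pwdAge = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }
    [pscustomobject]@{
        Account          = $acct.SamAccountName
        InProtectedUsers = $protected -contains $acct.SamAccountName
        NotDelegated     = [bool]$acct.AccountNotDelegated
        HasSPN           = [bool]$acct.ServicePrincipalName   # privileged + SPN = Kerberoastable
        PasswordAgeDays  = $pwdAge
    }
}

"Privileged accounts needing attention:"
$report | Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated -or $_.HasSPN } |
    Format-Table -AutoSize

# 2. Zerologon (CVE-2020-1472). With the August 2020 patch installed, a DC only
#    refuses vulnerable Netlogon secure channels from all clients when
#    FullSecureChannelProtection = 1; an absent or zero value leaves it in the
#    compatibility mode Microsoft used before its enforcement phase.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dcStatus = foreach ($dc in Get-ADDomainController -Filter *) {
    $val = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ArgumentList $regPath -ScriptBlock {
        param($p)
        (Get-ItemProperty -Path $p -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }
    [pscustomobject]@{
        DC                         = $dc.HostName
        FullSecureChannelProtection = $val
        Enforced                   = ($val -eq 1)
    }
}

"Netlogon secure-channel enforcement per DC:"
$dcStatus | Format-Table -AutoSize
```

The registry value only matters once the patch itself is present, so pair the second check with your patch-compliance reporting. Before flipping FullSecureChannelProtection to 1, review the DCs' System logs for Netlogon event 5829, which Microsoft logs for each device that is still negotiating the vulnerable channel; those are the devices that will break when enforcement is turned on.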
“The surge of malware campaigns on healthcare organizations is one of the most insidious attacks that can be unleashed by malicious actors — especially during a pandemic,” Jeff Horne, CSO at Ordr, told Threatpost by email. “These organizations are especially susceptible because many of their mission-critical, internet-connected devices run vulnerable operating systems that cannot be patched. There are nearly 650 million IoT/IoMT devices operating in the healthcare industry right now, and 82 percent of healthcare organizations have had their IoT/IoMT devices attacked.”
Horne adds that these healthcare systems are up against a highly professional, well-equipped adversary and need to adopt an appropriate posture to defend their systems.
“These ‘ransomware-as-a-service’ groups are run by sophisticated and malicious developers operating like a criminal company with organized modern customer-focused services, online support, call centers and payment processors — making a considerable amount of money in the process,” Horne added. “This can’t just be addressed with antivirus software — these are focused, motivated and knowledgeable criminal operators that are targeting vulnerable healthcare organizations by exploiting vulnerabilities, gaining a foothold within their networks, and holding their important data hostage.”