Ankura CTIX FLASH Update - October 14, 2022

Ransomware/Malware Activity

The United States Non-Profit Health Care System Giant Confirms Ransomware Attack

CommonSpirit Health, one of the largest non-profit healthcare systems in the United States, which provides services to over 21 million patients, confirmed on October 13, 2022, that it suffered a ransomware attack early last week which caused widespread IT outages at hospitals across the United States. On October 3, 2022, CommonSpirit Health stated that it was "managing an IT security issue" that was impacting many electronic health record systems and that it had taken specific IT systems offline. In the company's latest update on the situation, CommonSpirit Health stated that cybersecurity specialists have been engaged to conduct a forensic investigation of the ransomware attack and that efforts are being made to bring all systems back online. No details have been published regarding how the attack occurred, who is responsible, or whether any data has been exfiltrated. CTIX analysts will continue to monitor for details of CommonSpirit Health's ransomware attack as the investigation unfolds and provide updates where applicable.

Threat Actor Activity

United States Airports Targeted by Russian-Allied Threat Actors

Killnet threat actors have once again launched a massive distributed denial-of-service (DDoS) attack against several United States airport websites. Killnet has been one of the most active threat organizations throughout the Russia-Ukraine conflict and continues to make its presence known against its enemies, including the United States. Security analysts at Radware tracked several outages from this DDoS attack, which targeted 24 airport websites in total. Phoenix Sky Harbor Airport (PHX), Los Angeles International (LAX), Atlanta International (ATL), and the Chicago air travel site "flychicago[.]com" were among the victims affected. Killnet actors boasted about the attacks in their Telegram channel shortly after a CNN article was posted about the DDoS incidents. The attacks caused no lasting damage to any of the affected sites; however, cybersecurity experts highlighted that Killnet's primary motivation is notoriety rather than actual damage. This is not the first time Killnet has explicitly targeted the United States: in previous months the United States Congress homepage, tax-related websites, and state government websites were also victims of Killnet DDoS attacks. While the Russia-Ukraine conflict continues to grow, cyber-attacks continue to target both sides in parallel. CTIX analysts will continue to monitor threat actor activity across the landscape and will provide additional updates accordingly.

Vulnerabilities

New Alleged Microsoft Exchange Zero-day Vulnerability Used to Deploy Lockbit3.0 Ransomware

Microsoft is currently investigating allegations that a previously unknown Exchange Server zero-day vulnerability was exploited by LockBit-affiliated threat actors in the summer of 2022 to conduct a ransomware attack. Researchers from the South Korean cybersecurity firm AhnLab were hired by Microsoft to assist with the investigation, following their discovery of the flaw on July 21, 2022. AhnLab researchers allegedly identified the vulnerability after one (1) of their vendors fell victim to a ransomware attack, leading to the exfiltration of approximately 1.3 TB of data. AhnLab analyzed the two (2) compromised servers running Windows Server 2016 Standard and found WebShell files installed just seven (7) days before the vendor had their data encrypted, which was likely made possible by the exploitation of an unknown vulnerability. Following the installation of the WebShell files, the threat actors enabled an RDP connection via SSH tunneling, and then utilized the open-source "BloodHound" tool to move laterally across the network and gain visibility into the vendor's Active Directory (AD) environment. The threat actors identified the AD admin account and extracted its credentials using Mimikatz. The investigation showed evidence that multiple IPs associated with VPNs were used for the WebShell calls, and that all remote commands used to control the ransomware were executed using WMIC. Some researchers have noted that the threat actors could have exploited the "ProxyNotShell" vulnerabilities (CVE-2022-41040 and CVE-2022-41082) to facilitate the attack; however, most researchers disagree based on the tactics, techniques, and procedures (TTPs) utilized during the attack. AhnLab stated that the attack method, the generated WebShell filename, and the follow-on activity after the WebShell installation suggest that a different attacker exploited a different zero-day vulnerability.
To add more evidence to the argument that the flaw is a zero-day, the extorted vendor had already fallen victim to an Exchange Server vulnerability exploitation in 2021 and had thereby received ongoing technical support from Microsoft via quarterly security patches. If the July 9th Microsoft patch was unable to defend against an attack on the 21st, it is highly likely that this most recent Exchange compromise is the result of an exploited zero-day vulnerability. There is very little technical information about this flaw, and CTIX analysts will monitor the matter and provide an update in a future FLASH issue.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
