Roundup: CISA, HC3 warn about new ransomware and DDoS exploits

Roundup CISA HC3 warn about new ransomware and DDoS

The Health Sector Cybersecurity Coordination Center, or HC3, warned this week about a new ransomware with a shared encryption feature designed to entice ransomware with the promise of streamlined data recovery. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency gave other federal agencies until the end of the month to address five specific exploits that came to light on Patch Tuesday. These alerts are just two of the healthcare cybersecurity trends we’re monitoring this week.

NoEscape ransomware and shared encryption

HC3 said in its Oct. 12 analyst note that NoEscape ransomware-as-a-service emerged in May 2023.

The unknown developers claim it is a rebrand of Avaddon, a defunct ransomware group from 2021, and claim they developed their malware from scratch, according to HC3.

“Using unique features and aggressive multi-extortion tactics, it has targeted multiple industries, including healthcare and public health, in just under a year.”

The alert provides an overview of the group, an analysis of NoEscape’s ransomware attacks, examples of MITER ATT&CK techniques, recommended defenses and solutions, and more.

Nearly 25% of attacks are aimed at US targets, HC3 said. “Of the known victims of the attack, one cybersecurity firm identified only two healthcare victims targeted by NoEscape.”

Written in C++, NoEscape can encrypt data on Windows NT 10.0 operating systems and Linux machines, as well as VMware ESXi.

It is unique in that it offers a shared encryption feature that appears to facilitate quick decryption if a ransom is paid, according to HC3.

“Victims of the ransomware will find notes titled ‘HOW_TO_RECOVER_FILES.TXT’ in each folder containing encrypted files.”

New CISA ransomware sources

The number of ransomware attacks has become so widespread that CISA announced last week that the catalog of known exploited vulnerabilities can now be sorted by vulnerabilities.known to be used in ransomware campaigns” and posted one list of misconfigurations and weaknesses often exploited and also contains non-CVE information.

The agency also highlighted specific vulnerabilities announced earlier this week that it is urging organizations to patch or stop using as soon as possible.

While Microsoft announced more than 100 vulnerabilities, CISA said Microsoft Skype for Business’s CVE-2023-41763 and WordPad’s CVE-2023-36563.

According to CISA, Skype for Business contains an unspecified vulnerability that allows escalation of privilege.

However, WordPad contains an unspecified vulnerability that could allow information disclosure, which should be of particular concern to HIPAA-covered entities.

Related to Adobe Acrobat and Reader – CVE-2023-21608 – is a use-after-free vulnerability that allows code execution in the context of the current user, according to CISA.

Cisco IOS and IOS a device crashes.

DDoS attacks via Rapid Reset

While Google and others said the vulnerability facilitated this some of the largest distributed denial-of-service attacks everThe October 10 CISA alert stated that the vulnerability – CVE-2023-44487 affecting HTTP/2 – is also known as Quick resethas been operated since August.

The Israel-Hamas conflict that began on Oct. 7 has accelerated DDoS attacks that could potentially impact the U.S. healthcare industry, Denise Anderson, president of the Health Information Sharing and Analysis Center, said in a report. interview with Information Security Media Group last week. She noted that H-ISAC notified members of CISA’s alert.

In 2016, the number of DDoS attacks on healthcare targets increased by 13%, according to a report compiled Healthcare IT news from Neustar.

We have contacted a number of international and Israel-based vendors in the HIT space, but at this time they cannot comment on the risks to US healthcare organizations.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.