[CDP-development] CISA - Indicator Bulletin: SLTT Network Targeted with Ransomware - TLP: AMBER
MASSE, THERESA
theresa.masse at cisa.dhs.gov
Fri Jan 21 07:43:49 PST 2022
FYSA
The Cybersecurity and Infrastructure Security Agency (CISA) provided the attached indicator bulletin for awareness of indicators of compromise (IOCs) tied to a recent ransomware attack on a public healthcare organization. The IOCs tied to this attack and actor group can be found in the attached files. These files will NOT be posted to HSIN.
This information is provided “as-is” from a trusted third party. Please note that CISA cannot guarantee the validity of the information, but the organization is a trusted partner and has provided timely and accurate information in the past. If unfamiliar with Traffic Light Protocol (TLP), TLP:AMBER means that recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Accordingly, this information should not be uploaded to any public-facing platforms, to include platforms like VirusTotal, and should not be shared with the cybersecurity community at large. Please contact CISA with any questions about distribution at: CyberLiaison_SLTT at cisa.dhs.gov.
Summary:
On January 11, 2022, a trusted third party reported a possible ransomware case. The constituent successfully blocked the attempt before the threat actor managed to deploy ransomware. In VPN logs they saw references to a US medical facility and perceived attempts to connect to the US medical entity's Citrix Gateway. It is suspected the actors had valid credentials to the Citrix Gateway. They observed deny/drop notifications in the logs and labeled as suspicious any attempts or traffic from the provided IP range.
The trusted third party suspected with low confidence the actor may be the "Hive" based on related cases and overlaps in infrastructure. The Hive, which is a threat group of possibly Russian-speaking individuals, was first observed in June 2021. They likely operate as an affiliate-based ransomware group. TTPs include initial compromise through phishing and RDP, double extortion ransomware, human-operated attacks, use of legitimate commercial applications, and utilization of their own closed-source ransomware.
Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov
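The summary above describes the detection that stopped this case: matching VPN gateway log entries against the IP range distributed in the bulletin and treating both the denied attempts and any permitted sessions from that range as suspicious. The script below is an added example, not part of the CISA bulletin or the attached files; it shows how to load an indicator CSV of IP networks and run it over gateway logs offline, so the indicators never leave your environment (consistent with the TLP:AMBER handling note above). The CSV layout, the log line format, and the addresses are constructed stand-ins (RFC 5737 documentation ranges), not the real IB-22-10007 indicators and not a real Citrix Gateway log format.

```python
"""Match VPN gateway log lines against an IOC list of IP networks.

Added example, not from the CISA bulletin. The indicator CSV and the log
lines are constructed samples; the real IB-22-10007.csv columns and your
gateway's log format will differ, so adapt load_ioc_networks() and LINE_RE.
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed stand-in for an indicator CSV: one network or host per row.
# RFC 5737 documentation ranges, NOT real indicators from the bulletin.
IOC_CSV = """indicator,type,comment
198.51.100.0/24,ipv4-net,constructed sample range
203.0.113.42/32,ipv4-addr,constructed sample host
"""

# Constructed log lines in a generic key=value syslog style (hypothetical
# format, not what a Citrix Gateway actually emits).
VPN_LOG = """\
Jan 11 03:14:07 gw1 vpn: src=198.51.100.17 user=jdoe action=deny reason=policy
Jan 11 03:14:09 gw1 vpn: src=198.51.100.17 user=jdoe action=drop reason=ratelimit
Jan 11 03:20:41 gw1 vpn: src=203.0.113.42 user=asmith action=allow reason=valid-credentials
Jan 11 03:22:13 gw1 vpn: src=192.0.2.8 user=bjones action=allow reason=valid-credentials
Jan 11 03:25:55 gw1 vpn: src=not-an-ip user=- action=deny reason=malformed
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)")


def load_ioc_networks(csv_text):
    """Parse the indicator column into ip_network objects; skip bad rows."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            nets.append(ipaddress.ip_network(row["indicator"].strip(), strict=False))
        except ValueError:
            continue  # malformed indicator: skip rather than abort the sweep
    return nets


def match_log(log_text, networks):
    """Return (src, user, action, matched_network) for every log line whose
    source address falls inside one of the IOC networks."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # unparsable source field; nothing to match on
        for net in networks:
            if src in net:
                hits.append((str(src), m["user"], m["action"], str(net)))
                break
    return hits


def summarize(hits):
    """Count hits per action. Because the bulletin suspects the actor held
    valid credentials, an 'allow' from an IOC range is the finding to
    escalate first; deny/drop entries corroborate the targeting."""
    return Counter(action for _, _, action, _ in hits)


def main():
    nets = load_ioc_networks(IOC_CSV)
    hits = match_log(VPN_LOG, nets)
    for src, user, action, net in hits:
        print(f"{action:5} {src:16} user={user:8} matched {net}")
    print(dict(summarize(hits)))


if __name__ == "__main__":
    main()
```

On the constructed input the sweep yields two denied/dropped attempts and one allowed session from the indicator ranges; the allowed session for user asmith is the one to investigate, since a blocked attempt from the range confirms interest while a successful login from it suggests credential compromise.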
Attachments (scrubbed by the list archive; links point to the archive copies):
- TLP-AMBER IB-22-10007 Healthcare Organization Network Targeted with Ransomware.txt
  URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20220121/7dfae74a/attachment-0001.txt>
- TLP-AMBER IB-22-10007.csv (application/octet-stream, 1364 bytes)
  URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20220121/7dfae74a/attachment-0001.obj>
- TLP-AMBER IB-22-10007.stix.xml (application/xml, 23928 bytes)
  URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20220121/7dfae74a/attachment-0001.wsdl>