<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.gmail-il
{mso-style-name:gmail-il;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">The Cybersecurity and Infrastructure Security Agency (CISA) provided the attached indicator bulletin for awareness of indicators of compromise (IOCs) tied to a recent ransomware attack on a public
healthcare organization. The IOCs tied to this attack and actor group can be found in the attached files. These files will
<b>NOT</b> be posted to HSIN.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial",sans-serif;color:black">This <span class="gmail-il">information</span> is provided “as-is” from a trusted third party. Please note that CISA cannot
guarantee the validity of the <span class="gmail-il">information</span>, but the organization is a trusted partner and has provided timely and accurate <span class="gmail-il">information</span> in the <span class="gmail-il">past</span>. If unfamiliar with
Traffic Light Protocol (TLP), TLP:AMBER means that recipients may only share TLP:AMBER <span class="gmail-il">information</span> with members of their own organization, and with clients or customers who need to know the <span class="gmail-il">information</span> to
protect themselves or prevent further harm. <b><u>Accordingly, this <span class="gmail-il">information</span> should not be uploaded to any public-facing platforms, to include platforms like VirusTotal, and should not be shared with the cybersecurity community
at large. </u></b>Please contact CISA with any questions about distribution at: CyberLiaison_SLTT@cisa.dhs.gov.</span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif">Summary:</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">On January 11, 2022, a trusted third party reported a possible ransomware case. The constituent successfully blocked the attempt before the threat actor managed</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">to deploy ransomware. In VPN logs they saw references to a US medical facility and perceived attempts to connect to the US medical entity's Citrix Gateway. It is suspected the actors had valid
credentials to the Citrix Gateway. They observed deny/drop notifications in the logs and labeled as suspicious any</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">attempts or traffic from the provided IP range.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">The trusted third party suspected with low confidence the actor may be the "Hive" based on related cases and overlaps in infrastructure. The Hive, which is a threat group of possibly Russian
speaking individuals, was first observed in June 2021. They likely operate as an affiliate-based ransomware group. TTPs include initial compromise through phishing and RDP, double extortion ransomware, human operated attacks, use of legitimate commercial applications,
and utilization of their own closed-source ransomware.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cyber Security Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img border="0" width="97" height="97" style="width:1.0138in;height:1.0138in" id="Picture_x0020_1" src="cid:image001.png@01D80E9A.809301E0"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>