IB-22-10007 Healthcare Organization Network Targeted with Ransomware

Department of Homeland Security
Cybersecurity and Infrastructure Security Agency (CISA)
Reference Number: NPG-15377043
Report Date: 2022-01-11

Notification:

DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is distributed as TLP:AMBER: Limited disclosure, restricted to participants' organizations. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary:

On January 11, 2022, a trusted third party reported a possible ransomware case. The constituent successfully blocked the attempt before the threat actor managed to deploy ransomware. In VPN logs they saw references to a US medical facility and what appeared to be attempts to connect to the US medical entity's Citrix Gateway. It is suspected that the actors had valid credentials for the Citrix Gateway. They observed deny/drop notifications in the logs and labeled as suspicious any attempts or traffic from the provided IP range.

The trusted third party assessed with low confidence that the actor may be "Hive", based on related cases and overlaps in infrastructure. Hive, a threat group possibly made up of Russian-speaking individuals, was first observed in June 2021. They likely operate as an affiliate-based ransomware group. TTPs include initial compromise through phishing and RDP, double-extortion ransomware, human-operated attacks, use of legitimate commercial applications, and use of their own closed-source ransomware.
This activity was observed in the Healthcare and Public Health sector. The following additional information was derived from trusted third parties and open-source research:

Domains:

Domain: ec2-18-157-86-155.eu-central-1.compute.amazonaws.com
  Host IP: 207.171.166.22 (US)
  Created Date: 2005-08-18
  First Seen: 2020-02-10
  Registrant: Amazon.com, Inc.
  Activity: Associated with C2 Cobalt Strike beaconing; this is a legitimate AWS domain

Domain: managecloudengine.com
  Host IP: 45.67.229.232 (Moldova)
  Created Date: 2021-12-10
  Registrant: Redacted for Privacy by Registrar
  Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing, malware, and spam activity

Domain: malonblanco.com
  Host IP: 69.49.235.239 (US)
  Created Date: 2021-07-26
  Registrant: Redacted for Privacy by Registrar
  Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing, malware, and spam activity

Domain: bellennium.com
  Host IP: 159.65.186.190 (US)
  Created Date: 2021-07-27
  Registrant: Redacted for Privacy by Registrar
  Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing, malware, and spam activity

Domain: minimephotos.co.uk
  Host IP: 18.218.223.142 (US)
  Created Date: 2021-07-27
  Registrant: N/A
  Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing, malware, and spam activity

Domain: instance-[ID]-relay.screenconnect.com
  Host IP: 52.202.11.141 (US)
  Created Date: 2004-10-27
  Registrant: ConnectWise
  Activity: This domain was used for the ScreenConnect tool; the [ID] varies per instance; ScreenConnect is a legitimate tool with remote access capabilities that can be used for malicious purposes

IP Addresses:

IP: 18.157.86.155
  Organization: Amazon.com, Inc.
  Resolutions: 3
  Geolocation: Germany
  Activity: Observed as a C2 site for Cobalt Strike Beacon

IP: 83.220.238.139
  Organization: PJSC "Vimpelcom"
  Resolutions: 0
  Geolocation: Russia
  Activity: Used to log into the organization's VPN; public gateway of PJSC VimpelCom; observed in probing and spam activity

IP: 45.67.230.28
  Organization: Webhost LLC
  Resolutions: 0
  Geolocation: Russia
  Activity: Used to log into the organization's VPN

IP: 141.98.103.251
  Organization: M247 Ltd
  Resolutions: 0
  Geolocation: Serbia
  Activity: Used to log into the organization's VPN; observed in spam and TOR node activity

IP: 23.106.160.164
  Organization: Leaseweb USA, Inc.
  Resolutions: 0
  Geolocation: US
  Activity: Used to log into the organization's VPN

Files:

File: [MD5: bc7c6048bd9850d4997d911499f23f64]
  Filename: cache.abf
  File Type: Win32 DLL
  Detection: Trojan.Win32.Agent; BehavesLike.Win64.Emotet.jh; other
  Activity: Cobalt Strike Beacon

File: [MD5: 8899673a73654786e1893faa85afda59]
  Filename: ads.exe
  File Type: N/A
  Detection: N/A
  Activity: ScreenConnect tool used to connect via the organization's VPN; ScreenConnect is a legitimate tool with remote access capabilities that can be used for malicious purposes

Attack Patterns:

T1053 - Scheduled Task/Job - Persistence
T1021 - Remote Services - Lateral Movement
T1113 - Screen Capture - Collection
T1486 - Data Encrypted for Impact - Impact

Contact CISA Customer Service
Email: soc@us-cert.gov
Phone: 1-888-282-0870
Website: www.us-cert.gov

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.us-cert.gov/forms/feedback.
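The bulletin lists its indicators as prose records and notes that the first visible sign was deny/drop events at the VPN gateway from the listed addresses. The following is an added example, not part of the CISA bulletin: a small Python matcher that runs the bulletin's IP addresses, domains and file hashes over constructed VPN-gateway, proxy and EDR log lines. The key=value log format, the field names (src, dst, host, md5, action) and the sample lines are assumptions made for the example; the indicator values themselves are those listed above. The ScreenConnect relay host, whose [ID] varies per instance, is matched as a pattern rather than a literal.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators from the bulletin above.
VPN_LOGIN_IPS = {  # source addresses seen logging into the organization's VPN
    "83.220.238.139", "45.67.230.28", "141.98.103.251", "23.106.160.164",
}
C2_IPS = {  # hosts observed as Cobalt Strike Beacon C2
    "18.157.86.155", "45.67.229.232", "69.49.235.239", "159.65.186.190", "18.218.223.142",
}
C2_DOMAINS = {  # the AWS name is legitimate infrastructure but was associated with beaconing
    "ec2-18-157-86-155.eu-central-1.compute.amazonaws.com",
    "managecloudengine.com", "malonblanco.com", "bellennium.com", "minimephotos.co.uk",
}
# The relay hostname carries a per-instance id, so it is matched with a pattern.
SCREENCONNECT_RELAY = re.compile(r"^instance-[^.]+-relay\.screenconnect\.com$", re.IGNORECASE)
FILE_HASHES = {  # MD5 -> description taken from the bulletin
    "bc7c6048bd9850d4997d911499f23f64": "cache.abf (Cobalt Strike Beacon DLL)",
    "8899673a73654786e1893faa85afda59": "ads.exe (ScreenConnect)",
}


@dataclass(frozen=True)
class Alert:
    line_no: int
    kind: str        # indicator class that matched
    indicator: str   # matched value
    line: str        # raw log line kept for triage


# Assumed log format for this example: timestamp, source, then key=value pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line: str) -> Dict[str, str]:
    """Return the key=value pairs of a line with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_line(line_no: int, line: str) -> List[Alert]:
    """Check one line against every indicator class; one line may yield several alerts."""
    f = parse_fields(line)
    alerts: List[Alert] = []
    src = f.get("src", "")
    if src in VPN_LOGIN_IPS:
        # Denied logins from these addresses are alerted as well as allowed ones: the
        # bulletin notes deny/drop events were the first sign of the activity.
        alerts.append(Alert(line_no, "vpn_login_ip", src, line))
    dst = f.get("dst", "")
    if dst in C2_IPS:
        alerts.append(Alert(line_no, "c2_ip", dst, line))
    host = f.get("host", "").lower().rstrip(".")
    if host in C2_DOMAINS:
        alerts.append(Alert(line_no, "c2_domain", host, line))
    elif SCREENCONNECT_RELAY.match(host):
        alerts.append(Alert(line_no, "screenconnect_relay", host, line))
    md5 = f.get("md5", "").lower()
    if md5 in FILE_HASHES:
        alerts.append(Alert(line_no, "file_hash", FILE_HASHES[md5], line))
    return alerts


def scan(lines: Iterable[str]) -> List[Alert]:
    """Scan a sequence of log lines and return every alert in line order."""
    out: List[Alert] = []
    for n, line in enumerate(lines, start=1):
        out.extend(scan_line(n, line))
    return out


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per indicator class for a quick triage view."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed sample lines (not from the bulletin); internal addresses are RFC 1918 / TEST-NET.
SAMPLE_LOG = [
    '2022-01-10T03:12:44Z citrix-gw action=allow src=83.220.238.139 user="jdoe" msg="VPN login"',
    '2022-01-10T03:15:02Z citrix-gw action=deny src=141.98.103.251 user="admin" msg="VPN login"',
    '2022-01-10T03:20:11Z proxy action=allow src=10.20.30.40 host=managecloudengine.com dst=45.67.229.232',
    '2022-01-10T03:25:30Z proxy action=allow src=10.20.30.41 host=instance-abc123-relay.screenconnect.com dst=52.202.11.141',
    '2022-01-10T03:30:00Z edr computer=ws17 md5=BC7C6048BD9850D4997D911499F23F64 path="C:\\Users\\Public\\cache.abf"',
    '2022-01-10T03:31:00Z proxy action=allow src=10.20.30.42 host=www.example.com dst=203.0.113.5',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.kind} -> {a.indicator}")
    print(summarize(scan(SAMPLE_LOG)))
```

Hash matching is case-insensitive and the relay hostname is matched as a pattern, so the matcher is not defeated by the per-instance id or by upper-case hashes in EDR output; a single proxy line that names both a C2 domain and its C2 address raises two alerts, which is intended, since the two indicators may stop coinciding if the domain is re-pointed.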