Our threat intelligence this week highlighted the continued targeting of the healthcare sector by ransomware groups. An advisory issued by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services on 26 October 2022 warned that the ransomware group Daixin Team has been targeting the US Healthcare and Public Health (HPH) sector. Since June 2022, Daixin Team has compromised several HPH organisations and stolen patient health information and personally identifiable information to put additional pressure on victims – a technique known as ‘double extortion’.

In 2020, several ransomware groups released statements pledging to avoid targeting operations against the healthcare sector in response to the COVID-19 pandemic. As the peak of the pandemic is largely considered to be over in many Western countries, with lockdown restrictions having been lifted and low rates of COVID-related hospital admissions, the Orpheus Intelligence Repository indicates that ransomware groups have resumed targeting the healthcare sector in 2022, with a particular spike in August. Compromises by Daixin Team and Hive demonstrate that the healthcare sector remains a key target for ransomware groups due to the wealth of sensitive data it holds and its susceptibility to downtime, which has the potential to disrupt critical services.

Key Vulnerabilities

  1. CVE-2022-3723
    A zero-day vulnerability (CVSS: N/A|OVSS: N/A) affecting Google Chrome which could allow adversaries to read sensitive information belonging to other applications, access memory regions to crash those applications, or perform remote code execution. Chrome users are advised to update to version 107.0.5304.87/88, which fixes this vulnerability, the seventh Chrome zero-day disclosed since the start of the year. This vulnerability has not yet been assigned a CVSS score (and therefore, an OVSS score) as Google is limiting access to further details until the majority of users have updated their Chrome instance. We will update the vulnerability scores as soon as this information becomes available.
  2. CVE-2020-3153
    A vulnerability (CVSS: 6.5|OVSS: 83) affecting the installer component of Cisco AnyConnect Secure Mobility Client for Windows, which could allow an authenticated local adversary to copy malicious files to arbitrary locations with system-level privileges. This vulnerability enables Dynamic Link Library (DLL) hijacking attacks, whereby adversaries cause an application to load a malicious DLL in place of a legitimate one, thereby running their code inside that application. Cisco released a security update this month to address the vulnerability in version 4.10.06079.
  3. CVE-2021-39144
    A remote code execution vulnerability (CVSS: 8.5|OVSS: 39) in XStream, an open-source library used for converting objects into byte streams in a process known as serialisation. An advisory published by VMware details that an unauthenticated endpoint that leverages XStream for input serialisation in VMware Cloud Foundation provides a vector for adversaries to perform remote code execution with root privileges. VMware released an update this month to address the vulnerability in its VMware Cloud Foundation products.
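The XStream class of vulnerability arises when a library is allowed to instantiate whatever type the incoming stream names. For application teams that use XStream themselves, the standard mitigation is an explicit type allowlist. The following is an added example written for this bulletin, not code from VMware, the XStream project, or the advisory; it assumes XStream 1.4.x on the classpath and a hypothetical `PatientRecord` class standing in for the application's own data type.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application type: the only object we expect from untrusted input.
    public static class PatientRecord {
        public String id;
        public int age;
    }

    // Build an XStream instance that refuses every type except those listed here.
    public static XStream buildHardened() {
        XStream xstream = new XStream();
        // Start from "deny everything", then add back only what the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, PatientRecord.class });
        xstream.alias("patient", PatientRecord.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = buildHardened();

        // Constructed sample input that matches the allowlisted type.
        String expected = "<patient><id>p-001</id><age>42</age></patient>";
        PatientRecord record = (PatientRecord) xstream.fromXML(expected);
        System.out.println("parsed record " + record.id + ", age " + record.age);

        // Constructed sample input naming a type that is not on the allowlist.
        // XStream rejects it before constructing any object, which is the property
        // that removes the deserialisation RCE vector.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected: input was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected unlisted type: " + e.getMessage());
        }
    }
}
```

The important design choice is the order of the permission calls: `NoTypePermission.NONE` clears XStream's default permissions, so anything not re-added afterwards is refused. Listing concrete classes rather than wildcard packages keeps the allowlist reviewable, and an unexpected `ForbiddenClassException` in application logs is a useful detection signal for probing of the endpoint.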

Key Intelligence Reports

  1. US government warns healthcare sector of Daixin Team using ransomware
    In an advisory released on 26 October 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services warned that the group tracked as Daixin Team is targeting the US Healthcare and Public Health (HPH) sector with ransomware. Read full report >>
  2. Adversaries exploit Windows zero-day vulnerability to bypass security warnings
    A new Windows zero-day vulnerability that enables adversaries to abuse malicious stand-alone JavaScript files to bypass Mark-of-the-Web (MoTW) security warnings is being exploited in ransomware operations. Security researchers have published a Proof-of-Concept (PoC) exploit in the public domain, demonstrating the efficacy of the exploit. Read full report >>
  3. BlackByte ransomware operators deploy new exfiltration tool Exbyte to expedite data theft
    Affiliates of the BlackByte Ransomware-as-a-Service (RaaS) gang have deployed a new customised exfiltration tool, tracked as Exbyte, to expedite the theft of data from target networks during operations. Read full report >>

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerability Scoring System) score.
