{"id":1514,"date":"2022-07-07T11:05:59","date_gmt":"2022-07-07T04:05:59","guid":{"rendered":"https:\/\/dt-corp.com.vn\/?p=1514"},"modified":"2022-07-07T11:05:59","modified_gmt":"2022-07-07T04:05:59","slug":"north-korean-attackers-targeting-healthcare-orgs-with-maui-ransomware","status":"publish","type":"post","link":"https:\/\/dt-corp.com.vn\/?p=1514","title":{"rendered":"North Korean Attackers Targeting Healthcare Orgs with Maui Ransomware"},"content":{"rendered":"<div class=\"blog-summary\">\n<p>A new Cybersecurity Advisory via the FBI, CISA, and the U.S. Treasury is warning that cyber actors with the DPRK have been using the ransomware since May 2021.<\/p>\n<\/div>\n<p>Cyberattacks, unfortunately for many years now, have made working at healthcare organizations a challenge. That in and of itself isn&#8217;t news, but the U.S. government is warning that of late, some attackers, based in North Korea, have made it even harder by deploying a relatively new strain of ransomware that\u2019s been taking out servers responsible for many essential, day-to-day activities, like helping manage electronic health records (EHRs) and medical imaging.<\/p>\n<p>In\u00a0<a href=\"https:\/\/www.cisa.gov\/uscert\/sites\/default\/files\/publications\/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf\">a joint advisory<\/a>\u00a0published by three government agencies \u2013 the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the U.S. Treasury Department \u2013 the U.S. 
warned organizations in the healthcare and public health sector on Wednesday that North Korean attackers have been carrying out attacks with Maui, a strain of ransomware.<\/p>\n<p>Adversaries have been using the ransomware in attacks to encrypt servers used in routine hospital and healthcare work, like those responsible for medical imaging, accessing EHRs, diagnostics services, and facilitating intranet services.<\/p>\n<p>While the FBI didn\u2019t disclose exactly which organizations were hit or how exactly their systems were breached, it did say that in some cases, the attacks led to lengthy disruptions, something that,\u00a0<a href=\"https:\/\/www.fiercehealthcare.com\/tech\/ransomware-attacks-impact-patient-care-including-increased-mortality-rates-report-finds\">as previous incidents<\/a>\u00a0have shown, can have an adverse effect on patient health and morale.<\/p>\n<p>It\u2019s unclear what\u2019s prompted the advisory. The FBI claims it has been responding to incidents involving Maui since May 2021 but it doesn\u2019t specify how many incidents it has seen in 2022 so far.<\/p>\n<p>As some experts, including Mandiant\u2019s John Hultquist,\u00a0<a href=\"https:\/\/twitter.com\/JohnHultquist\/status\/1544714887045193728\">have theorized on Twitter<\/a>, it wouldn\u2019t be a surprise if attackers were attempting to monetize their remaining access &#8211; access initially gained in the middle of the COVID-19 pandemic &#8211; as their cyber espionage efforts are winding down.<\/p>\n<p>The joint advisory cites research on Maui\u00a0<a href=\"https:\/\/stairwell.com\/news\/threat-research-report-maui-ransomware\/\">recently carried out by Stairwell,<\/a>\u00a0a company that helps security teams carry out threat hunting, detection, and response. 
In it, researchers posit the ransomware \u2013 which uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption &#8211; has been designed for manual execution by a remote actor using a command-line interface to interact with it and identify which files are worth encrypting.<\/p>\n<p>&#8220;We believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts,&#8221; Silas Cutler, a principal reverse engineer with the firm, wrote today.<\/p>\n<p>While Stairwell claims the earlier identified copy of the malware was collected by its researchers, it contained a compilation timestamp of April 15, 2021, a date which coincides with the FBI\u2019s claim that attacks date back to May 2021.<\/p>\n<p>To mitigate the ransomware, the government groups are encouraging organizations to review indicators of compromise associated with Maui, in addition to following best practices like limiting access to data, turning off network device management interfaces, and securing personally identifiable information and other stored data, including PHI, to industry regulations.<\/p>\n<p>by\u00a0<a href=\"https:\/\/digitalguardian.com\/author\/chris-brook\">Chris Brook<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p class=\"tx-excerpt\">A new Cybersecurity Advisory via the FBI, CISA, and the U.S. Treasury is warning that cyber actors with the DPRK have been using the ransomware since May 2021. 
Cyberattacks, unfortunately for many years","protected":false},"author":3,"featured_media":1515,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[13],"tags":[],"class_list":["post-1514","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/dt-corp.com.vn\/wp-content\/uploads\/2022\/07\/Screenshot-43.png","_links":{"self":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts\/1514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1514"}],"version-history":[{"count":1,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts\/1514\/revisions"}],"predecessor-version":[{"id":1516,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts\/1514\/revisions\/1516"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/media\/1515"}],"wp:attachment":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}