The Health Sector Cybersecurity Coordination Center (HC3) has published a sector alert advising on defenses against a group of threat actors based in the U.S. and U.K. that initially targeted customer relationship management and business process outsourcing firms in 2022, and has since moved on to the gaming, hospitality, retail, manufacturing and financial sectors.
Scattered Spider, also tracked as Octo Tempest among other names, has become known for advanced social engineering techniques, including voice phishing, the use of artificial intelligence to spoof victims' voices, and SIM swapping to gain initial access to targeted organizations.
Why it matters
In an updated threat actor profile released by HC3 on October 24, the agency said Scattered Spider actors engage in data extortion and evade detection, often living off the land and modifying their tactics, techniques and procedures to stay under the radar. The actors have used a variety of remote monitoring and management tools, leveraged multiple infostealers, and then deployed several ransomware families into victims' environments, mainly for financial gain.
The agency links to specific mitigation and control measures it says health systems should familiarize themselves with now. Among them are the mitigations global financial institutions have implemented in response to Scattered Spider activity, developed by the Financial Services Information Sharing and Analysis Center (FS-ISAC); the joint recommendations the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued last year; and more.
HC3's new alert updates CISA's previous advisory on the group's arsenal, which includes 23 legitimate tools, among them AnyDesk, ConnectWise Control, LogMeIn and TeamViewer, along with a dozen malware strains Scattered Spider actors can draw on when they are ready to deploy malware.
"They then use malicious tools like Mimikatz and secretsdump to escalate privileges," HC3 said of one of the recent campaigns discussed in the alert.
Scattered Spider actors seek to move laterally through victim networks to "disable security and recovery services, expose data, and conduct ransomware operations," so detection and takedown controls are needed to watch for cloned login portals.
FS-ISAC recommended engaging or building a "brand protection service that monitors in real time for the registration of domains impersonating your brand."
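A minimal version of such a monitor, as an added example that is not part of the HC3 alert or the FS-ISAC guidance: it scores newly observed domains (for instance from a certificate-transparency feed) against a protected brand, flagging homoglyph look-alikes, single-edit typosquats, and brand-plus-lure-word combinations of the kind used for cloned login and help-desk portals. The brand name, the lure-word list, the homoglyph table and the sample domain feed are all constructed assumptions, and the label parser assumes a single-label public suffix such as .com or .net.

```python
"""Flag newly observed domains that impersonate a protected brand.

Added example (not from the HC3 alert or FS-ISAC): brand name, lure words,
homoglyph table and the domain feed below are constructed assumptions.
"""
import re

BRAND = "examplehealth"                                   # assumed brand label
PROTECTED_DOMAINS = {"examplehealth.com", "examplehealth.org"}

# Words attackers pair with a brand when standing up a cloned login or
# help-desk portal. Illustrative list, not taken from the alert.
LURE_WORDS = {"sso", "okta", "login", "vpn", "helpdesk", "servicedesk",
              "hr", "mfa", "portal", "it"}

# Look-alike sequences folded back to the letter they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e",
              "4": "a", "5": "s", "7": "t"}

# Constructed feed of newly seen domains (e.g. from CT logs); all fictional.
NEW_DOMAINS = [
    "examplehealth.com",            # our own domain
    "exarnplehealth-sso.com",       # homoglyph (rn -> m) plus lure word
    "examplehelath.net",            # adjacent transposition
    "examplehealthsso.com",         # brand with lure word glued on
    "sso.examplehealth-okta.net",   # lure words in subdomain and label
    "unrelated-sso.com",            # lure word only: not ours, ignore
    "healthexample.com",            # shares words but is not a close edit
]


def fold_homoglyphs(s):
    """Replace look-alike sequences, longest first so 'rn' beats '1'/'0'."""
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, which is the typical typosquat edit."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def registrable_label(domain):
    """Second-level label; assumes a single-label public suffix (.com, .net)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brand=BRAND, protected=PROTECTED_DOMAINS):
    """Return (severity, reason); severity is legitimate, high, medium or none."""
    domain = domain.lower()
    if domain in protected:
        return "legitimate", "protected domain"
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    lures = sorted(t for t in tokens if t in LURE_WORDS)
    for tok in tokens:
        folded = fold_homoglyphs(tok)
        if folded == brand:
            kind = "exact brand" if tok == brand else "homoglyph of brand"
        elif edit_distance(folded, brand) == 1:
            kind = "one-edit typosquat of brand"
        else:
            continue
        if lures:
            return "high", f"{kind} combined with lure word(s) {lures}"
        return "medium", f"{kind} in registrable label"
    if brand in label:                       # brand glued to other text
        rest = label.replace(brand, "", 1).strip("-_")
        if rest in LURE_WORDS or lures:
            return "high", f"brand embedded with lure word '{rest or lures}'"
        return "medium", "brand embedded in registrable label"
    return "none", ""


def scan(feed):
    """Classify a feed and return suspicious hits, highest severity first."""
    rank = {"high": 0, "medium": 1}
    hits = [(d, *classify(d)) for d in feed]
    return sorted((h for h in hits if h[1] in rank), key=lambda h: rank[h[1]])


if __name__ == "__main__":
    for domain, severity, reason in scan(NEW_DOMAINS):
        print(f"{severity:6} {domain:30} {reason}")
```

A lure word on its own ("unrelated-sso.com") is deliberately not flagged, since that would swamp the analyst with other brands' portals; a hit is only raised when the label is the brand, a one-edit or homoglyph variant of it, or the brand with extra text attached. In production the homoglyph table and lure list would be broader, multi-label suffixes (co.uk) need a public-suffix list, and high-severity hits feed a takedown workflow rather than a print loop.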
HC3 also noted that the threat actors are believed to be primarily aged 19 to 22. Arrested members have come from U.S. locations such as Kentucky and Florida, as well as the West Midlands in England and Dundee, Scotland, according to the alert.
The bigger trend
According to SpyCloud, a cybercrime analytics firm, infostealer infections preceded ransomware events at many ransomware victim companies in North America, and 61% of last year's data breaches, involving more than 343 million stolen credentials, were related to infostealer malware.
In April, HC3 notified the industry of mitigations for voice fraud, in which callers use voice spoofing to impersonate employees contacting health system help desks, ultimately to steal electronic funds transfers of provider payments.
Voice spear phishing, used to manipulate an administrator into granting system access over a telephone call or other voice communication, combines social engineering to establish a trusted identity with artificial intelligence to improve the quality of the lure.
“It is important to note that threat actors may also attempt to use AI voice spoofing techniques for social engineering purposes, making remote identity verification more difficult with these technological advances,” HC3 said.
HC3 also reported in an earlier alert that Scattered Spider, also known as UNC3944, hit the hospitality and entertainment sector last year with a voice scam that preceded the deployment of Alphv/BlackCat ransomware.
In December, the U.S. Department of Justice said it had seized the ransomware gang's infrastructure, but in February BlackCat claimed to have exfiltrated 6 terabytes of healthcare data in a seismic attack that disrupted healthcare operations across the country.
On the record
"During the campaign, Scattered Spider used targeted social engineering techniques, attempted to bypass popular endpoint security tools, and deployed ransomware for financial gain," HC3 said.
The HIMSS Healthcare Cybersecurity Forum will be held October 31 to November 1 in Washington, DC. Learn more and register.