Fortalice Solutions continues to monitor a pro-Russia hacking group, known as “KillNet,” that is targeting U.S. hospital systems and executing distributed denial of service (DDoS) attacks (see our previous Client Advisory). The threat actor emerged shortly after Russia’s invasion of Ukraine last February. Since then, the group has launched numerous high-profile DDoS attacks on critical infrastructure organizations in the United States and other countries that KillNet perceives as hostile to Russian interests in Ukraine.
Fortalice has been monitoring this fluid situation and is issuing a follow-up advisory for our clients because KillNet has significantly modified and escalated its approach and tactics. Early this morning, KillNet claimed to have successfully obtained internal and/or physical access to at least one U.S. hospital system. While some of these claims are unvalidated, there are proactive measures against possible attacks that hospital systems across the United States can adopt immediately.
• Monday, January 30: KillNet attacked at least 14 websites of prominent hospital systems across the United States, knocking their public-facing websites offline temporarily.
• Tuesday, January 31: The threat actor released a list of 50 additional healthcare facilities – one hospital system per state – that the group said it was targeting. The strategy of releasing a hospital “hitlist” is in line with its approach during previous attacks across the globe in 2022.
• Wednesday, February 1: KillNet posted a recruitment “call to action” for bad actors – domestic and international – to join the threat actor’s ongoing hacking efforts. This approach represents an alarming change in the group’s tactics, as KillNet has not previously publicly recruited bad actors to join its pro-Russian group. To be clear, KillNet’s new strategy of recruiting like-minded individuals is troubling. The potential for adding “boots on the ground” creates an entirely new and deeply concerning attack pattern for the group.
• Thursday, February 2: Leveraging its Telegram channel, KillNet announced it had executed the “largest DDoS attack” on the U.S. healthcare system. Additionally, the group posted a picture on social media that KillNet purports to show a threat actor inside a U.S. healthcare facility’s system or network. While authorities have not yet corroborated or verified this picture, it is cause for concern because it represents a substantial escalation from the threat actor’s previous DDoS attacks. It is also an indication that the hacktivist group may be looking to build its profile and expand its influence with other like-minded pro-Russian hacking groups.
As KillNet evolves its techniques, it is important to keep in mind that DDoS attacks can be a precursor to a much more serious attack. To that end, Fortalice has observed threat actors who use a DDoS attack as a smoke screen for a larger, stealthier, and potentially costlier attack. Currently, there are no standard indicators of compromise (IOCs) for this type of attack. That said, Fortalice recommends that your organization focus its cybersecurity attention on the following areas:
Monitoring is an essential part of preventing DDoS attacks and other future attacks masked by a DDoS attack. Areas of specific focus for monitoring for these types of attacks are:
1. Significant increase in web traffic: These types of attacks often result in a degradation or loss of service to external websites. Understanding your baseline traffic volume and alerting on a delta of +/- 15% (for example) is a good way to monitor for an attack.
2. Increase in help desk or trouble tickets: These types of attacks are designed to disrupt an environment; if there is a sudden increase in users reporting issues, there may be an emerging problem.
3. Increased vigilance on remote access gateways: A bad actor will often access an environment through its remote access system. Ensuring all virtual private networks (VPNs) are functional and protected with multi-factor authentication (MFA) provides a layer of protection. Additionally, monitoring authentication attempts against remote access may provide insight into a larger-scale attack.
4. Threat hunting: Leveraging internal resources or a third party to perform a holistic review of the environment, looking for specific indicators of compromise, is a way of finding bad actors and reducing their dwell time.
5. Increased alerting scrutiny on network-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): These network tools should have up-to-date signatures, and their alerts should be monitored for anomalous traffic.
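The baseline-and-delta alerting described in item 1 above, as an added illustration that is not part of the Fortalice advisory: it buckets constructed access-log lines per minute, compares each minute against the median of the preceding minutes, and flags deviations beyond a threshold (15% by default) in either direction, so both a flood and a loss of service surface. The log format, traffic profile and IP addresses are all constructed for the example.

```python
from collections import Counter
from statistics import median

# Constructed per-minute request volume (not real traffic): steady ~100/min,
# then a two-minute spike, then a collapse as the site degrades.
TRAFFIC_PROFILE = [100, 102, 98, 101, 99, 100, 260, 310, 40]


def synthesize_log(profile, start_hour=9):
    """Build constructed access-log lines: profile[i] requests in minute i."""
    lines = []
    for minute, n in enumerate(profile):
        for k in range(n):
            lines.append(f"2023-02-02T{start_hour:02d}:{minute:02d}:{k % 60:02d}Z "
                         f"203.0.113.{k % 250 + 1} GET /")
    return lines


def requests_per_minute(log_lines):
    """Bucket log lines by minute using the leading ISO-8601 timestamp."""
    counts = Counter()
    for line in log_lines:
        if not line.strip():
            continue
        stamp = line.split()[0]       # e.g. 2023-02-02T09:00:12Z
        counts[stamp[:16]] += 1       # keep YYYY-MM-DDTHH:MM
    return dict(sorted(counts.items()))


def baseline_alerts(minute_counts, window=5, threshold=0.15):
    """Return (minute, count, baseline, delta) for each minute whose volume
    deviates from the median of the previous `window` minutes by more than
    `threshold`. The median (not the mean) keeps one spike from dragging the
    baseline up and masking the minutes that follow it."""
    alerts = []
    minutes = list(minute_counts)
    for i in range(window, len(minutes)):
        base = median(minute_counts[m] for m in minutes[i - window:i])
        if base == 0:
            continue
        count = minute_counts[minutes[i]]
        delta = (count - base) / base
        if abs(delta) > threshold:
            alerts.append((minutes[i], count, base, round(delta, 2)))
    return alerts


if __name__ == "__main__":
    for alert in baseline_alerts(requests_per_minute(synthesize_log(TRAFFIC_PROFILE))):
        print("ALERT minute=%s count=%d baseline=%s delta=%+.0f%%" % (alert[0], alert[1], alert[2], alert[3] * 100))
```

In production the per-minute counts would come from a WAF, load balancer or web-server log pipeline rather than a synthesized list, and the window would be sized to cover normal daily variation.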
Follow these steps to enable your organization to prevent DDoS attacks.
1. Web Application Firewall (WAF): A WAF can be used to monitor for and block the anomalous behavior associated with DDoS attacks.
2. Block traffic based on geolocation: Filtering traffic to include only countries where you do business can help limit the amount of web requests the environment receives.
3. Deny traffic that is not required: Only allowing traffic you expect (HTTPS for example) through a “default deny” security posture will help reduce superfluous requests.
4. Review privileged accounts in your environment: Attackers who gain access to an environment will often try to establish persistence. Are there new or unneeded accounts you can remove?
Currently, there are no confirmed indications that KillNet has gained internal access. However, organizations should always stay one step ahead of bad actors by:
1. Increasing user awareness: Reminding users to be mindful of security best practices is an important strategy for keeping them focused. Statistically, business email compromise (BEC) via phishing is the most commonly used entry point into an environment. Hospitals and hospital systems should remind medical staff to log out of devices and remove their access cards so that bad actors cannot leverage their access to cause harm. Finally, organizations in all sectors should remind their physical security staff to be on the lookout for anomalous behavior that could help security identify a potential bad actor within your organization’s physical location.
2. Having and testing your incident response plan (IRP): Having defined roles and responsibilities in the event of an incident is critical in proactively identifying gaps in controls and coverage.
3. Monitoring internal network devices: Leveraging a tool like network access control (NAC) to identify and classify “new” devices placed on the network will ensure that if a bad actor were to gain access, they would be discovered (or blocked) quickly.
4. Authentication for privileged accounts: A strong, unique password combined with a holistic approach to multi-factor authentication (MFA) for privileged accounts can help contain an incident and keep it from spreading throughout the environment.
It is no secret that the healthcare industry across the globe has faced numerous challenges from COVID-19 to employee shortages. Adopting a holistic cybersecurity roadmap is essential to protect patient data and the ability to provide around the clock care. A 2022 report by Comcast Business found that 73% of DDoS attacks in 2021 were conducted on healthcare, government, finance, and education websites.
Protecting your organization from DDoS attacks can mitigate other cybersecurity risks as well. Fortalice stands ready to assist your organization in assessing its current risk and road-mapping its future cybersecurity posture. You can reach our Fortalice team at email@example.com.
• Fortalice Solutions Client Advisory: Hospital Systems Targeted by KillNet
• DHS Health Sector Cybersecurity Coordination Center (HC3) Advisory: KillNet Analyst Note