Healthcare Industry Under Attack… Nasty Strain of Malware Resurfaces and Challenges Security Operations Team with Rapid Mutations
Attivo Networks has worked closely with many healthcare organizations over the last year to add inside-the-network detection for the cases where prevention systems have failed. This blog takes a closer look at what those organizations are finding and what healthcare security operations teams can do to better defend their companies against ever-evolving variants of malware.
Customer: Regional Healthcare Provider
The security operations team had detected a particularly nasty strain of malware. They had been able to isolate it, but because it kept changing, they were having trouble containing it and identifying new infections.
They used the Attivo Deception Platform to gather much-needed forensic intelligence on the fast-changing malware by loading it into the BOTsink engagement server and intentionally infecting that server to observe how it behaved.
- Provided a safe, quarantined environment in which to watch the malware develop.
- Enabled analysis of its auto-replication; the command-and-control (C&C) addresses it contacted were fed back into the prevention systems to block data exfiltration.
- The team watched the malware propagate laterally within the BOTsink and infect the other Windows ES (engagement servers).
- The malware was identified as Qakbot, distributed via the RIG Exploit Kit.
- A YARA rule and VirusTotal reports were produced for threat-intelligence sharing.
- Important note: Attivo has seen this strain affect other Attivo customers, confirming that this is not an isolated incident and that the malware appears to be targeting healthcare.
This organization had a best-in-class prevention system. Why was it not able to prevent and quickly remediate this attack without Attivo?
- The new malware strain was not detected by signature-based systems.
- While moving laterally, the malware changed itself a number of times, so a signature that matched one copy did not match the next.
- The web exploits used legitimate-looking JavaScript and bypassed the other security prevention systems.
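The two lists above make one point from two sides: a sample that re-packs itself on every hop defeats hash and byte-signature matching, while its behaviour (SMB fan-out to many peers, repeated beaconing to the same external address) stays recognisable. The following Python script is an added example, not Attivo's code and not derived from the Qakbot sample in this case. The payload bytes, the XOR "mutation", the connection-log format, the addresses and the thresholds (five distinct SMB peers within two minutes, three contacts to one external host) are all constructed for illustration.

```python
"""Added example: hash blocklists vs. a mutating sample, and a behavioural
check that still catches its lateral movement. Everything here is constructed."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. Why a hash/signature blocklist misses a self-mutating sample --------
# Toy payload (constructed, NOT real malware bytes). mutate() stands in for the
# re-packing the sample performed on each hop: same behaviour, different bytes.
BASE_PAYLOAD = b"constructed toy payload - not real malware bytes"

def mutate(payload, generation):
    """Return a byte-different variant by XOR-ing with a per-generation key."""
    key = (0x5A + generation) & 0xFF
    return bytes(b ^ key for b in payload)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def hash_blocklist_hits(known_hashes, variants):
    """Count how many variants a hash-based blocklist still recognises."""
    return sum(1 for v in variants if sha256_hex(v) in known_hashes)

# ---- 2. Behaviour-based detection over constructed connection logs ----------
# Line format (constructed): "<ISO timestamp> <src> -> <dst>:<port>"
# 10.20.1.15 is the infected host; 10.20.1.40 is an admin box doing two
# legitimate SMB connections fifteen minutes apart.
SAMPLE_LOG = """\
2023-06-01T10:00:01 10.20.1.15 -> 10.20.1.16:445
2023-06-01T10:00:02 10.20.1.15 -> 10.20.1.17:445
2023-06-01T10:00:04 10.20.1.15 -> 10.20.1.18:445
2023-06-01T10:00:05 10.20.1.15 -> 10.20.1.19:445
2023-06-01T10:00:07 10.20.1.15 -> 10.20.1.20:445
2023-06-01T10:00:09 10.20.1.15 -> 10.20.1.21:445
2023-06-01T10:00:30 10.20.1.15 -> 203.0.113.45:443
2023-06-01T10:01:30 10.20.1.15 -> 203.0.113.45:443
2023-06-01T10:02:30 10.20.1.15 -> 203.0.113.45:443
2023-06-01T10:00:03 10.20.1.40 -> 10.20.1.5:445
2023-06-01T10:15:00 10.20.1.40 -> 10.20.1.6:445
2023-06-01T10:00:10 10.20.1.40 -> 198.51.100.7:443
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+)$")

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return sorted(events)

def find_lateral_fanout(events, port=445, min_hosts=5, window=timedelta(minutes=2)):
    """Flag sources that contact >= min_hosts distinct peers on `port` within `window`.
    Returns {src: sorted list of peers} for each flagged source."""
    by_src = defaultdict(list)
    for ts, src, dst, p in events:
        if p == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        for i in range(len(conns)):  # sliding window starting at each connection
            start = conns[i][0]
            peers = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(peers) >= min_hosts:
                flagged[src] = sorted(peers)
                break
    return flagged

def extract_c2_candidates(events, internal_prefixes=("10.",), min_count=3):
    """External destinations that an internal host contacts repeatedly.
    These are the beacon-like addresses worth pushing to the egress blocklist."""
    counts = defaultdict(int)
    for _, src, dst, _ in events:
        if src.startswith(internal_prefixes) and not dst.startswith(internal_prefixes):
            counts[dst] += 1
    return sorted(d for d, n in counts.items() if n >= min_count)

if __name__ == "__main__":
    variants = [mutate(BASE_PAYLOAD, g) for g in range(5)]
    known = {sha256_hex(variants[0])}  # the one copy the signature vendor had seen
    print("blocklist hits:", hash_blocklist_hits(known, variants), "of", len(variants))
    ev = parse_log(SAMPLE_LOG)
    print("lateral fan-out:", find_lateral_fanout(ev))
    print("C2 candidates:", extract_c2_candidates(ev))
```

The hash check recognises only the first of five variants, which is the failure the "changed itself a number of times" bullet describes. The two behavioural checks do not look at the payload bytes at all: the fan-out rule keys on what the sample does once it lands (many SMB peers in a short window), and the C2 extraction gives the addresses a team would feed back into egress filtering, as in the forensic steps listed above. In a real deployment the thresholds would be tuned against the baseline of legitimate SMB-heavy hosts (backup servers, vulnerability scanners) to keep false positives down.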
Related posts:
- Qakbot Malware… It’s Back, Nastier Than Ever and with a BullsEye on Healthcare
- Deception-based Threat Detection for Healthcare