The Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory suggesting North Korean state-sponsored cyber actors are using the Maui ransomware to target Healthcare and Public Health (HPH) Sector organizations in the US.
According to the document – a joint effort between CISA, the Federal Bureau of Investigation (FBI) and the Department of the Treasury (Treasury) – the threat actors have been engaging in these campaigns since at least May 2021.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services and intranet services,” reads the advisory.
“In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.”
From a technical standpoint, CISA said the ransomware appears to be designed for manual execution by a remote actor. It would also use a combination of Advanced Encryption Standard (AES), RSA and XOR encryption to encrypt target files.
“When we look at what ransomware does, it leverages a user’s (or entity when dealing with non-humans or machines) access within an organization to encrypt and steal sensitive files,” David Mahdi, chief strategy officer at cyber company Sectigo tells Infosecurity Magazine, commenting on the news.
“The authentication given to a user defines the level of damage the hacker will do. Therefore, a zero-trust, identity-first approach is critical. To prevent ransomware, you can’t just lock down data, you need a clear method of verifying all identities within an organization, whether human or machine and what parts of it they are allowed to access.”
CISA also wrote that while the initial access vectors for Maui-related incidents are currently unknown, HPH organizations can take various steps to limit the impact of its cyber-attacks.
These include installing updates for operating systems, software and firmware as soon as they are released, securing and monitoring remote desktop protocol (RDP) and other potentially risky services closely and implementing user training programs and phishing exercises.
CISA also recommended the use of multi-factor authentication (MFA) for as many services as possible, auditing user accounts with administrative or elevated privileges and installing and regularly updating antivirus and antimalware software on all hosts, among other things.
“How can one stop ransomware attacks in their tracks?” Mahdi asked.
“The answer is combining identity-first principles with least-privilege data access security, all while leveraging a variety of cybersecurity best practices and technologies [...] Focusing on identity and access privileges drastically mitigates the damage that ransomware attacks can have on the healthcare industry in the long run.”