In the early hours of May 14th it was revealed that a sophisticated ransomware attack had taken place against the IT systems of the Irish Health Service Executive (HSE). Information is still coming to light, but it is known that a human-operated, externally based threat group deployed a variant of the ‘Conti’ ransomware. Conti is widely regarded as the successor to the ‘Ryuk’ ransomware.
The focus of the operation appears to have been the central servers storing sensitive information, with the aim of both exfiltrating and encrypting that data. All HSE IT systems were shut down to limit the spread of the ransomware and to give internal HSE teams, and the third parties they have engaged, the opportunity to assess the scope of the attack and begin recovery.
The point of ingress currently appears to be the shared patient registration system that is common to all HSE-operated institutions. It is suspected that a zero-day exploit was used against this system to gain initial access before the ransomware was deployed. Use of a zero-day exploit may indicate Advanced Persistent Threat (APT) involvement, as often only such groups have the skills and resources required to identify and reliably exploit a previously unknown vulnerability. The presence of a Cobalt Strike Beacon was also suspected. Cobalt Strike is a commercial adversary-simulation framework; its Beacon implant is widely abused by threat actors, including ransomware operators, for command and control and lateral movement inside enterprise environments.
The Sapphire Security Operations Centre (SOC) is continuing to monitor the situation, engaging with our threat intelligence resources to identify threat indicators and will respond to developments and additional information as it becomes available.
The threat indicators available for ‘Conti’ have been integrated into the SOC, with custom rules and alerting implemented. These rules will alert analysts to the presence of files related to ‘Conti’, to communication with known C2 sites and URLs, to specific user agents, and to file changes that indicate encryption by the ransomware, such as large numbers of files being rewritten with a new extension. The Sapphire SOC also monitors for activity from a wide range of attacker tooling, including Cobalt Strike.
Sapphire will continue to gather threat intelligence from a range of sources, including our threat intelligence partners, who collect intelligence from both open and closed sources. As more information becomes available, emphasis will shift from fixed, known indicators such as hash values and IP addresses, which an attacker can change cheaply, to behavioural detection, which continues to identify the activity when the specifics of the ransomware and its indicators of compromise have been changed or adapted.
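The two detection layers described above, indicator matching and behavioural identification, as an added example written for this page (it is not Sapphire's SOC rule set and contains no real Conti indicators). The indicator sets are placeholders to be replaced by a vetted feed, the pipe-delimited log format is an assumption for the example, and the sample log lines are constructed: one host runs a binary matching a placeholder hash, contacts a placeholder C2 address with a placeholder user agent, and then renames 25 files to the same new extension within 30 seconds. The behavioural rule fires on that rename burst without knowing the hash or the extension in advance, which is the point of the shift described above.

```python
"""
Added example: static indicator matching plus a behavioural mass-rename
detector, run over constructed log lines. Not code from the original
advisory or from Sapphire's SOC.
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder indicators, NOT real Conti IOCs: load a vetted feed in practice.
IOC_SHA256 = {"4b" * 32}
IOC_C2_ADDRS = {"203.0.113.45", "cdn-update.example"}
IOC_USER_AGENTS = {"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}


def parse_line(line):
    """Parse the assumed format 'ISO-time|host|event|k=v,k=v' into a dict."""
    ts, host, event, rest = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(",") if kv)
    fields.update(ts=datetime.fromisoformat(ts), host=host, event=event)
    return fields


def match_indicators(events):
    """Layer 1: exact matches against known-bad hashes, C2 addresses, user agents."""
    alerts = []
    for e in events:
        if e["event"] == "proc" and e.get("sha256", "").lower() in IOC_SHA256:
            alerts.append(("ioc_hash", e["host"], e["sha256"]))
        if e["event"] == "proxy":
            if e.get("dst") in IOC_C2_ADDRS:
                alerts.append(("ioc_c2", e["host"], e["dst"]))
            if e.get("ua") in IOC_USER_AGENTS:
                alerts.append(("ioc_user_agent", e["host"], e["ua"]))
    return alerts


def _ext(path):
    """Lower-case extension without the dot, handling Windows/UNC paths."""
    return ntpath.splitext(path)[1].lower().lstrip(".")


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=20):
    """Layer 2: one (host, pid) renaming >= threshold files to the same new
    extension inside `window`. Sliding window per key, one alert per key."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "file_rename":
            continue
        new_ext = _ext(e["new"])
        if not new_ext or new_ext == _ext(e["old"]):
            continue  # extension unchanged: not an encryption-style rename
        key = (e["host"], e["pid"], new_ext)
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(("mass_rename", e["host"], e["pid"], "." + new_ext, len(q)))
    return alerts


def run_detections(lines):
    events = [parse_line(l) for l in lines]
    return {"indicators": match_indicators(events),
            "behaviour": detect_mass_rename(events)}


def constructed_logs():
    """Constructed sample log lines for this example, not data from the HSE incident."""
    base = datetime(2021, 5, 14, 3, 12, 0)
    t = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [
        f"{t(0)}|WS-0417|proc|pid=4120,image=C:\\Users\\Public\\svchost.exe,sha256={'4b' * 32}",
        f"{t(5)}|WS-0417|proxy|dst=203.0.113.45,ua=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        f"{t(7)}|WS-0417|proxy|dst=198.51.100.7,ua=Mozilla/5.0 (Windows NT 10.0) Firefox/88.0",
    ]
    # 25 renames in 25 seconds by one pid, all to the same unfamiliar extension
    for i in range(25):
        lines.append(f"{t(10 + i)}|WS-0417|file_rename|pid=4120,"
                     f"old=\\\\FS01\\share\\doc{i}.docx,new=\\\\FS01\\share\\doc{i}.docx.k3j9x")
    # benign: a build tool renaming three files, minutes apart
    for i in range(3):
        lines.append(f"{t(300 * i)}|WS-0099|file_rename|pid=880,"
                     f"old=C:\\build\\out{i}.tmp,new=C:\\build\\out{i}.obj")
    return lines


if __name__ == "__main__":
    for layer, alerts in run_detections(constructed_logs()).items():
        for a in alerts:
            print(layer, a)
```

The threshold and window are tuning knobs: too low and backup agents or build tools will trip the rule, too high and a slow encryptor slips under it. Keying on the new extension rather than a fixed list means a variant that changes its extension still fires, while excluding same-extension renames keeps ordinary saves out of the count.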
Zero-day vulnerabilities, whilst rare, can offer attackers a reliable method of exploitation. Mitigating steps can be taken to limit the likelihood of success and the impact of a compromise:
- External-facing services, such as portals and registration pages, and the hosts they run on should be kept up to date with the latest operating system and application patches and configured securely. Patching does not stop a true zero-day, but it removes the known vulnerabilities that are far more commonly exploited.
- Internet-facing remote access should be restricted and placed behind a Next Generation Firewall, enforcing encryption and requiring multi-factor authentication.
- Granular role-based access control (RBAC) reduces the likelihood of any one account being able to carry out the entire attack, from initial access through to encrypting central servers.
- Endpoint Detection and Response (EDR) should be deployed; it can block known malware and many of the techniques that exploits rely on after initial execution, and it records the endpoint telemetry needed to investigate an intrusion.
- Multiple backups should be made, with at least one stored offline or otherwise isolated so that ransomware running in the environment cannot reach it. Restoration from backups should be tested regularly, not just the backup jobs themselves.