
Sapphire MSSP – HSE Conti Ransomware Attack

18 May 2021

In the early hours of May 14th it was revealed that a sophisticated ransomware attack had taken place against the IT systems of the Irish Health Service Executive (HSE). Information is still coming to light, but it is known that a human-operated, externally based threat group deployed a variant of the ‘Conti’ ransomware, which is considered the successor to the dangerous ‘Ryuk’.

The focus of the operation was to access central servers storing sensitive information for both exfiltration and encryption. All HSE IT systems were shut down to mitigate the spread of the ransomware and provide an opportunity for internal HSE resources and the third parties they have engaged to assess the scope of the attack and implement recovery procedures.

The point of ingress for the attack currently appears to be the shared patient registration system that is common to all HSE-operated institutes. It is suspected that a zero-day exploit was leveraged against this system to gain access and deploy the ransomware. Use of a zero-day exploit may be an indication of Advanced Persistent Threat (APT) involvement, as often only these groups have the skills and resources required to successfully identify and exploit such vulnerabilities. The presence of a Cobalt Strike Beacon was also suspected. Cobalt Strike is a tool used by threat actors to execute targeted attacks against enterprise environments.

The Sapphire Security Operations Centre (SOC) is continuing to monitor the situation, engaging with our threat intelligence resources to identify threat indicators, and will respond to developments and additional information as they become available.

The threat indicators available for ‘Conti’ have been integrated into the SOC, with custom rules and alerting implemented. These rules will alert analysts to the presence of files related to ‘Conti’ as well as communication with C2 sites, URLs, specific user agents and changes to files indicating they have been encrypted by the ransomware. The Sapphire SOC is also monitoring activity from a vast array of tools used by attackers including Cobalt Strike.

Sapphire will continue to gather threat intelligence from a range of sources, including our threat intelligence partners, who collect intelligence from open and closed sources. As more information becomes available, emphasis will shift from definable and known indicators, such as hash values and IP addresses, to behavioural identification, helping to provide further detection when the specifics of the ransomware and its indicators of compromise have been changed or adapted.

Zero-day vulnerabilities, whilst rare, can offer attackers a method of successful exploitation. Mitigating steps can be taken to limit the likelihood of success:

  • External-facing services, such as portals and registration pages, and their hosts should be kept updated with the latest operating system and application patches, and configured securely.
  • Internet-facing remote access should be restricted and placed behind a Next Generation Firewall, enforcing encryption and supporting multi-factor authentication.
  • Granular role-based access control (RBAC) will reduce the likelihood of any one account being able to perform the entire attack.
  • Deploying Endpoint Detection and Response (EDR) can help prevent malware and exploits that target zero-day vulnerabilities.
  • Multiple back-ups should be produced with at least one stored offline. Back-up data should be regularly tested for reliability.
