Rhysida Ransomware Emerges as a Significant Threat to Healthcare Security

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A new ransomware group dubbed Rhysida has gained notoriety in recent months, following a series of high-impact attacks on the healthcare sector. The group, which first emerged in May 2023, has prompted several government organizations and cybersecurity companies to analyze its activities closely.

Following its attacks on the Chilean Army and on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics in the US, the group was deemed a significant threat to the healthcare and public sector by the U.S. Department of Health and Human Services (HHS).

On August 4, HHS also released an advisory on the ransomware, while security companies including Trend Micro, SentinelOne, and Check Point published their own analyses of different facets of the malware.

SentinelOne's initial analysis of Rhysida found it to be in an early stage of development, lacking standard malware features. The group's attack techniques consisted of phishing emails for initial access, with deployment through Cobalt Strike or similar frameworks.

Check Point's analysis links the ransomware closely to the now-defunct Vice Society, based on a shared modus operandi and victim selection (education and healthcare).

In this instance, the attack techniques employed by Rhysida included the Remote Desktop Protocol (RDP), remote PowerShell sessions over WinRM, and PsExec for lateral movement. To avoid detection, the malware was seen deleting logs and forensic artifacts, while SystemBC and AnyDesk were used to maintain persistence.
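As an added illustration (not code from the article or the vendors it cites), the following Python rules scan constructed Windows event records for the tradecraft listed above: RDP logons, WinRM remote PowerShell, PsExec service installs, and log clearing, then flag hosts where lateral-movement tooling precedes log clearing. The event IDs are the standard Windows ones, simplified into dicts; process-creation events (4688) only exist if that audit policy is enabled.

```python
# Constructed sample Windows events (not real log data), reduced to the fields the rules use.
from collections import defaultdict

# Each dict carries the channel ("log"), event ID and the few fields each rule inspects.
EVENTS = [
    {"ts": "2023-08-01T02:10:00", "host": "FS01", "log": "Security", "id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"ts": "2023-08-01T02:12:30", "host": "FS01", "log": "Security", "id": 4688,
     "process": r"C:\Windows\System32\wsmprovhost.exe", "user": "svc_backup"},
    {"ts": "2023-08-01T02:15:00", "host": "DC01", "log": "System", "id": 7045,
     "service_name": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2023-08-01T02:40:00", "host": "DC01", "log": "Security", "id": 1102},
    {"ts": "2023-08-01T02:41:00", "host": "DC01", "log": "System", "id": 104},
    {"ts": "2023-08-01T09:00:00", "host": "WS07", "log": "Security", "id": 4624, "logon_type": 2},
]
LATERAL = {"rdp_logon", "winrm_remote_powershell", "psexec_service_install"}

def classify(ev):
    """Map one event to a technique label from the article, or None."""
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        return "rdp_logon"                # logon type 10 = RemoteInteractive (RDP)
    if ev["id"] == 4688 and ev.get("process", "").lower().endswith("wsmprovhost.exe"):
        return "winrm_remote_powershell"  # host process of a WinRM-backed PowerShell session
    if ev["id"] == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service_install"   # PsExec installs this service on its target
    if (ev["log"], ev["id"]) in {("Security", 1102), ("System", 104)}:
        return "event_log_cleared"        # anti-forensics: audit or System log cleared
    return None

def detect(events):
    """Return {host: [(ts, label), ...]} in time order; non-matching events are dropped."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            hits[ev["host"]].append((ev["ts"], label))
    return dict(hits)

def hosts_lateral_then_log_clear(events):
    """Hosts where lateral-movement tooling is followed by log clearing."""
    out = []
    for host, seq in detect(events).items():
        labels = [label for _, label in seq]
        if "event_log_cleared" in labels:
            before = labels[: labels.index("event_log_cleared")]
            if LATERAL & set(before):
                out.append(host)
    return sorted(out)
```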

"The time to ransom (TTR) of the actors employing Rhysida ransomware is relatively low. It has been eight days from the first signs of lateral movement to the widespread ransomware deployment," the Check Point analysis revealed.

According to the HHS security bulletin, Rhysida's targets are spread across the US, Australia, Western Europe, and South America. Initially, its primary targets were the education, manufacturing, government, managed service provider, and technology sectors; its primary focus now appears to be the healthcare and public health sector.

The rapid spread and threat scope of Rhysida make it imperative for organizations to understand and monitor the tools and attack process of this ransomware in order to prevent such attacks in the future.

Phishing Malware EvilProxy Targets MFA-Protected High-Level Executive Accounts

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

EvilProxy, a phishing tool popular among threat actors, is being used to bypass multi-factor authentication (MFA) on Microsoft 365 user accounts. The campaign, active between March and June 2023, sent around 120,000 phishing emails to 1.5 million employees at over 100 organizations worldwide.

Use of this reverse-proxy-based tool has coincided with a huge uptick in successful cloud account takeover incidents affecting high-level executives over that period, researchers at Proofpoint observed.

Some of the noteworthy techniques employed in this campaign include brand impersonation, a multi-step infection chain, and protection against scanning bots.

In this campaign, the phishing-as-a-service (PhaaS) tool was used to send spoofed emails impersonating trusted brands such as Concur Solutions, DocuSign, and Adobe.

As soon as the recipient clicks the malicious URL, they are sent through an open redirect on a legitimate site such as YouTube, followed by several further redirections involving malicious cookies and 404 redirects. These steps are intended to lower the chances of discovery.

Eventually, the target lands on the EvilProxy phishing page, which according to the researchers "functions as a reverse proxy, mimicking recipient branding and attempting to handle third-party identity providers."

Proofpoint observed that the attackers used a special encoding of the target's email address, together with compromised legitimate sites to which they uploaded PHP code that decodes it, in order to evade automated scanning tools. Once the target was identified, they were directed to the actual phishing page, tailor-made for the victim's organization.

Among the peculiarities noted in this campaign was a form of "safe listing" in which traffic originating from Turkey was redirected to a legitimate site instead. This led the researchers to believe that the attackers were either based in Turkey or intentionally avoiding Turkish users. Many VPNs worldwide were also blocked from reaching the phishing sites.

The research also revealed the campaign's selective targeting, with priority given to "VIP" targets. Among the compromised targets, 39% were C-level executives, of which 17% were chief financial officers and 9% were CEOs; the rest were employees with access to sensitive information and financial data.

On multiple occasions the threat actors were observed using the My Sign-In feature of compromised Microsoft 365 accounts to establish persistence.

EvilProxy was first discovered by Resecurity in September 2022, advertised on the dark web as a new PhaaS offering for $400 a month.