Advisory on Snatch Ransomware and the Lazarus Group

Feds Release Snatch Ransomware Alert After an Attack on Hospital

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint security alert on Snatch ransomware. The Snatch ransomware group carried out an attack on a hospital in Maine and has claimed to have attacked the Florida Department of Veterans Affairs. The group presents a considerable threat to the healthcare and public health (HPH) sector.

Snatch ransomware is not a new variant; it was first discovered in 2018. However, CISA and the FBI state that the group has recently been seen employing new tactics, techniques, and procedures (TTPs) in its attacks. The advisory may have been prompted by the increase in attacks over the last couple of months: Snatch ransomware was used in an attack on Mount Desert Island Hospital in May 2023, the group recently exposed over 260GB of stolen data, and it has attacked a number of critical infrastructure industries.

Snatch ransomware operates under the ransomware-as-a-service (RaaS) model, in which the group recruits affiliates to carry out attacks in return for a percentage of any ransom payments. The affiliates frequently change their strategies and adopt new TTPs as cybercriminal trends evolve and in step with the successes of other RaaS groups. The ransomware has been under active development since the middle of 2021. The group uses double extortion, exfiltrating files before encryption and threatening to publish the stolen data on its data leak website if no ransom is paid. According to CISA and the FBI, Snatch actors have also been seen buying data stolen by other ransomware groups and threatening to publish that data on their own leak website when the victim does not pay.

The primary methods used for initial access are brute force attacks on Remote Desktop Protocol (RDP) endpoints and stolen data purchased from other threat actors on dark web marketplaces. Once in, the actors gain access to administrator accounts and establish connections over port 443 to their command-and-control server, hosted on a Russian hosting service. Affiliates have been observed using legitimate red team tools such as the Metasploit framework and Cobalt Strike for data discovery and lateral movement.

Snatch actors typically have a longer dwell time than other ransomware groups, spending around 3 months inside networks before deploying ransomware. The group evades antivirus solutions with a custom ransomware variant that reboots devices into Safe Mode and then encrypts files while only a handful of services are running.
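The two behaviours described above, RDP brute forcing for initial access and a reboot into Safe Mode ahead of encryption, both leave traces in ordinary Windows Security logging. The following script is an added detection example, not code from the advisory or from CISA/FBI; it runs over constructed sample records shaped like exported Windows events (4625 failed logon, 4624 successful logon, 4688 process creation with command-line auditing), and the threshold, window and field names are assumptions that would need tuning to a real environment.

```python
"""Detection sketch for Snatch-style precursors over constructed Windows event records.

Added example (not from the advisory). Assumes events are dicts with the fields
shown below; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2023-05-01T02:00:00", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"id": 4625, "time": "2023-05-01T02:00:30", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"id": 4625, "time": "2023-05-01T02:01:00", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"id": 4625, "time": "2023-05-01T02:01:30", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"id": 4625, "time": "2023-05-01T02:02:00", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"id": 4625, "time": "2023-05-01T02:02:30", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    # Success from the same source after the burst: the brute force worked.
    {"id": 4624, "time": "2023-05-01T02:05:00", "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    # A single benign failure from another host.
    {"id": 4625, "time": "2023-05-01T02:10:00", "src": "198.51.100.4", "user": "jdoe", "logon_type": 10},
    # Process creation: a Safe Mode boot change on a file server is a pre-encryption tell.
    {"id": 4688, "time": "2023-05-01T03:00:00", "host": "FILESRV01",
     "cmdline": "bcdedit.exe /set {default} safeboot minimal"},
    {"id": 4688, "time": "2023-05-01T03:01:00", "host": "WS22", "cmdline": "notepad.exe"},
]

FAIL_THRESHOLD = 5            # assumed: failures per source within WINDOW
WINDOW = timedelta(minutes=5)  # assumed sliding window


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rdp_bruteforce_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src: peak_failures} for sources with >= threshold RDP failures in any window."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            failures[e["src"]].append(_ts(e))
    hits = {}
    for src, times in failures.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window's left edge forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def bruteforce_then_success(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sources that crossed the failure threshold and later logged on over RDP successfully."""
    suspects = rdp_bruteforce_sources(events, threshold, window)
    first_failure = {}
    for e in events:
        if e["id"] == 4625 and e.get("src") in suspects:
            first_failure[e["src"]] = min(first_failure.get(e["src"], _ts(e)), _ts(e))
    confirmed = []
    for e in events:
        src = e.get("src")
        if (e["id"] == 4624 and e.get("logon_type") == 10 and src in suspects
                and _ts(e) >= first_failure[src] and src not in confirmed):
            confirmed.append(src)
    return confirmed


SAFEBOOT_MARKERS = ("bcdedit", "safeboot")


def safe_mode_changes(events):
    """Process-creation events whose command line configures a Safe Mode boot."""
    return [(e["host"], e["cmdline"]) for e in events
            if e["id"] == 4688 and all(m in e["cmdline"].lower() for m in SAFEBOOT_MARKERS)]


if __name__ == "__main__":
    print("RDP brute force sources:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    print("Brute force followed by success:", bruteforce_then_success(SAMPLE_EVENTS))
    print("Safe Mode boot changes:", safe_mode_changes(SAMPLE_EVENTS))
```

The brute-force check uses a sliding window rather than a flat count so that a slow, spread-out password spray and a legitimate user's occasional typos are scored differently; the success-after-burst check is the one worth paging on, since it indicates the attacker already holds a working account. The Safe Mode check only fires if 4688 events include the process command line, which is off by default and must be enabled through audit policy.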

CISA and the FBI have provided technical details of the attacks, Indicators of Compromise (IoCs), and recommended mitigations in the security advisory to help network defenders strengthen their defenses and identify ongoing attacks.

Lazarus Group Exploits ManageEngine Vulnerability to Attack Healthcare Companies

U.S. healthcare companies have been warned about a vulnerability in Zoho's ManageEngine products that the Lazarus Group, a North Korean state-sponsored threat actor, is actively exploiting.

The vulnerability is tracked as CVE-2022-47966 and affects 24 ManageEngine products. It is exploitable when SAML single sign-on is, or has previously been, enabled in a vulnerable ManageEngine product, and successful exploitation gives the attacker remote code execution.

The Lazarus Group has been exploiting the vulnerability to deliver a remote access trojan (RAT) called QuiteRAT, believed to be the successor to MagicRAT. Several attacks also used a new malware tool known as CollectionRAT. Both malware families allow the threat actor to perform a variety of actions, including executing arbitrary commands. According to researchers at Cisco Talos, the Lazarus Group has targeted Internet backbone infrastructure as well as healthcare companies in the United States and Europe since February, with the first attacks beginning within 5 days of a proof-of-concept exploit being published.

Zoho released patches for every affected product in October 2022 and advised prompt patching. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog in January 2023; nevertheless, many organizations were slow to patch.

The Health Sector Cybersecurity Coordination Center published Indicators of Compromise (IoCs) in a Sector Advisory on September 18, 2023, and strongly urges all healthcare companies to ensure they are running the latest ManageEngine version.

Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.