HHS Publishes Alert Against LokiBot Malware
The Health Sector Cybersecurity Coordination Center (hC3) has publicized an Analyst Note regarding LokiBot – one of the most common and persistent malware variants. LokiBot, also known as Loki PWS, has been employed in attacks on some industries in the last eight years, which include critical infrastructure organizations; nevertheless, there has been a prominent rise in the use of the malware beginning July 2020.
The malware is employed in attacks on Android and Windows gadgets and steals usernames, passwords, and other information from over a hundred different customers, together with cryptocurrency wallets and payment card details. The malware can acquire log keystrokes, screenshots, and snap up cookies and system information, enabling the bypass of multi-factor authentication. The malware likewise creates a backdoor in attacked systems that enables attackers to transmit other malicious payloads including ransomware.
LokiBot was available for sale in 2015 at a cost of $540 and turned out popular because of its fairly affordable price. The malware has become much better at evading security tools, possesses more extensive features, and its price has fallen to only $80, which makes it quite popular with an extensive variety of threat actors. The malware source code was likewise leaked, which enabled threat actors to create their own variants of the malware.
LokiBot is distributed through various techniques, which include phishing, spam, and spear phishing emails, mainly through malicious attachments though malware could be sent out through emails with embedded links to malicious sites. In 2020, during the peak of the pandemic, several threat actors carried out spear-phishing campaigns distributing LokiBot through emails spoofing the World Health Organization that stated it offered crucial details about COVID-19. Besides distribution through email, the malware is spread through malicious sites and instant messaging platforms, and also by taking advantage of unpatched vulnerabilities like the Microsoft Office Support Diagnostic Tool remote code execution vulnerability, CVE-2022-30190 and the Microsoft Office remote code execution vulnerability, CVE-2021-40444.
HC3 has provided a CISA-created Snort signature for the malware and Indicators of Compromise (IoCs) in the Analyst Note https://www.hhs.gov/sites/default/files/lokibot-malware-analyst-note-tlpclear.pdf, together with a number of suggested mitigations and cybersecurity guidelines that ensure it is harder for threat actors to deploy the malware. Because the malware is chiefly transmitted through email, anti-phishing defenses, endpoint security tools, multifactor authentication, and cybersecurity training for employees are a few of the essential tips.
HPH Sector Notified Concerning Remote Access Software Threats
Healthcare experts usually need remote access to their systems and electronic health records, for example for offering remote patient treatment. Although remote access solutions can enhance effectiveness and permit secure access to information, these solutions likewise become a likely entry point into healthcare systems for malicious actors, and cyberattacks taking advantage of vulnerabilities in remote access solutions are increasing.
- Remote access solutions consist of virtual private networks (VPNs) for encrypting connections between internal networks and a user’s device
- Remote desktop software for example Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) permit users and IT support personnel to access computers;
- telehealth systems for video conferencing; and secure messaging applications for secure internal and external communication. Telehealth systems and secure messaging systems may additionally combine with EHRs. All of these tools can enhance efficiency and work output; nevertheless, they bring in risks that must be meticulously handled.
- Remote access solutions consist of virtual private networks (VPNs) for encrypting connections between internal networks and
- a user’s device; remote desktop software for example Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) that permit users and IT support personnel to access computers; telehealth systems for video conferencing; and secure messaging applications for secure internal and external communication. Telehealth systems and secure messaging systems may additionally combine with EHRs. All of these tools can enhance efficiency and work output; nevertheless, they bring in risks that must be meticulously handled.
Vulnerabilities in remote access systems are appealing to malicious actors. By taking advantage of vulnerabilities, threat actors could acquire access to internal systems and steal sensitive information, and they could also disguise their malicious activities amid legitimate users of the applications. Malicious usage of these applications could also not create security notifications because it is hard to differentiate malicious from non-malicious usage.
The Health Sector Cybersecurity and Coordination Center (HC3) has lately released a notification concerning the improper use of remote access tools and has provided guidelines for strengthening security when remote access solutions are utilized. Much like any software tool, remote access solutions may have vulnerabilities that could be taken advantage of Because of the scope to which these solutions are attacked, patching of identified vulnerabilities in remote access systems must be prioritized. Mistakes could likewise be made whenever setting up these tools, for example, using weak passwords makes them vulnerable to cyberattack.
Threat actors usually try to brute-force weak passwords, making login attempts automatically utilizing listings of usernames and often used passwords until the right combo is guessed. There were brute force attacks executed against healthcare companies using botnets, where the malware-corrupted devices that make up the botnet are employed to try various username and password combos. Login information for remote access tools is usually acquired utilizing social engineering tactics, and healthcare staff are fooled into sharing their information. These attacks could be done through email, SMS, instant messaging solutions, or the phone.
As soon as access to healthcare systems is acquired through remote access tools, threat actors could carry out all means of nefarious actions which include downloading malware to give continual access to systems, moving laterally within systems to accomplish a more substantial compromise, stealing sensitive information, and installing ransomware. The AvosLocker threat group is recognized to employ the remote access tool AnyDesk in its cyberattacks. AnyDesk enables the group to get in touch remotely, and bypass security methods by activating a reboot of the gadget in safe mode. This enables the remote access solution to be employed to transmit ransomware even while security features are disabled.
Protecting remote access tools could be a problem since mitigating remote access tool hazards is not as easy as reconfiguring the tools or using patches. In its advisory, HC3 provides a number of suggestions for strengthening security which include utilizing strong authentication with MFA, making sure the tools are normally working using the most recent software program, applying network segmentation to restrict the possibilities for lateral movement, utilizing strong encryption, tracking wood logs of remote access task, using the rule of least privilege, and performing regular security awareness training to train employees on the threats related to remote access tools, social engineering, and phishing.
