The Health Sector Cybersecurity Coordination Center (HC3), which was created by the Department of Health and Human Services, is sounding the alarm on two ransomware groups that are actively targeting the healthcare sector: Cl0p and LockBit.
In recent months, the groups have been exploiting three known software vulnerabilities in cyberattacks they have waged against healthcare businesses across the country.
Two of the vulnerabilities, CVE-2023-27351 and CVE-2023-27350, are used in a popular print management software called PaperCut, which has more than 100 million users worldwide. These vulnerabilities allow hackers to eschew authentication.
The other vulnerability, CVE-2023-0669, comes from GoAnywhere, a managed file transfer product made by Forta. The GoAnywhere vulnerability is classified as a severe cybersecurity threat — the software “suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object,” according to the vulnerability disclosure filing in the National Vulnerability Database.
This is not the first time either ransomware gang has prompted the federal government to issue an alert.
HC3 issued an alert dedicated to Cl0p — which it says “unabashedly and almost exclusively targets the healthcare sector” — in February. This was after the group claimed responsibility for a 10-day hacking spree impacting 130 organizations, many of which were in the healthcare sector. Cl0P leveraged the GoAnywhere vulnerability during this attack.
One of the affected organizations included Tennessee-based Community Health Systems. The health system estimates that 1 million of its patients’ information was breached as a result of the cyberattack.
Cl0p attacks usually involve the group stealing data so it can extort companies into paying a ransom, according to HC3.
In a March alert, federal officials warned businesses that LockBit 3.0 ransomware is more advanced than its previous versions and can dismantle malware detection. LockBit 3.0 gains access to an organization’s network via remote desktop protocol exploitation, and it shares similarities with other ransomware gangs like Blackmatter and Blackcat.
In the most recent federal alert issued about Cl0p and LockBit, HC3 blamed the groups for an uptick in cybercriminal activity occurring over the past couple of months.
“Industry experts also noted that the recent increase in ransomware attacks this past March was attributed to the exploitation of the GoAnywhere MTF vulnerability. There was a 91% increase in attacks since February 2023, with 459 attacks recorded in March alone,” the alert read.
PaperCut users should immediately upgrade and patch their servers in an effort to protect the software’s vulnerabilities from being remotely exploited, the alert recommended.
“This includes blocking all traffic to the web management port (default port 9191) from external IP addresses on an edge device, as well as blocking all traffic to the same port on the server’s firewall to restrict management access solely to the server and prevent potential network breaches,” HC3 said in its report.
As for users of GoAnywhere, HC3’s alert suggested they rotate their master encryption key, delete suspicious accounts, go over audit logs and reset all credentials.
Photo: JuSun, Getty Images