Wed, Aug 10, 2022
In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted in comparison with Q1 2022, dropping the final nail in the coffin for the “truce” some criminal groups instituted earlier in the COVID pandemic. Ransomware helped to fuel this uptick against healthcare as attacks increased this quarter to once again become the top threat, followed closely by email compromise.
While Kroll continued to see actors exploiting vulnerabilities and phishing schemes to launch ransomware, in Q2 a ransomware incident was most likely to begin via external remote services. Kroll observed a 700% increase in external remote services such as remote desktop protocol (RDP) and virtual private networks (VPN) being used for initial access in the quarter. Of ransomware incidents beginning with phishing, Kroll observed an uptick in the use of Qakbot malware as a delivery mechanism, particularly for new ransomware groups like Black Basta.
The recent shift to targeting the healthcare industry comes alongside the persistence of ransomware as an incident type and the rise in external remote services being used as an initial access method, giving us an indication of where attackers may focus in coming months. All organizations—especially those in healthcare—would do well to test the resilience of their external remote services and preparedness for ransomware.
Healthcare overtook professional services as the top targeted sector in Q2, accounting for 21% of all Kroll cases, compared to only 11% in Q1 2022. Common threat incident types impacting the healthcare sector included ransomware (33%), unauthorized access (28%) and email compromise (28%).
Of the ransomware cases, it was common to see a double extortion tactic in which actors exfiltrated data prior to network encryption and then threatened to leak the stolen data as leverage during negotiations. Phishing is a common initial access method for incidents impacting the healthcare sector.
An employee at a healthcare organization received a spoofed email from an outside contact purporting to contain a data file that a team member had previously requested. Unknown to the user, the email originated from an IP address associated with the Qakbot Command and Control (C2) and provided a .ZIP file which contained further malicious files, introducing Qakbot into their systems. Once inside the network, the actor deployed Cobalt Strike malware. Threat actors moved within the network for approximately 15 days, making their way into multiple user machines and exfiltrating over 20GB of data before deploying Black Basta ransomware.
Derek Rieck, Associate Managing Director in the Cyber Risk practice at Kroll, comments,
“Historically, healthcare is an attractive target to ransomware groups, as the disruption of critical networks impacting life-saving services may encourage organizations to pay ransom demands. This is intensified by the double extortion tactic, where threatening to publish confidential information, such as protected health information (PHI), can further intimidate victims.”
“Q2 2022 was the first time that we have seen such growth in the volume of attacks against this sector,” Rieck continued. “The percentage of incidents almost doubled, whereas we have seen fairly consistent levels previously. This could be linked to the perceived recovery of the health care industry after the impact of COVID-19, perhaps causing some ransomware groups to end their hiatus against health and medical organizations.”
Phishing attacks continued to evolve in Q2, as Kroll observed threat actors using old and new malware such as Qakbot and Bumblebee. There was an uptick in the use of Qakbot malware as a delivery mechanism for ransomware, particularly from new ransomware groups like Black Basta. Consequently, Qakbot should be treated as a precursor to a ransomware event.
In this quarter, authors of the Qakbot malware added an additional step to the trojan’s infection chain: an HTML attachment that removes the need to fetch the final payload from a command and control server. After arriving as an HTML attachment in a phishing email, the infection chain is as follows:
Mark Nicholls, Chief Research Officer in the Cyber Risk practice at Kroll, comments,
“As more incidents are stopped by security monitoring tools such as Endpoint Detection and Response (EDR) and anti-virus, threat actors are lengthening attack chains to further evade detection. This highlights the importance of Managed Detection and Response (MDR) solutions that can identify suspicious activity. It also provides a compelling argument as to why MDR should be combined with other security best practices, such as user education. Users should be trained to recognize and avoid such suspicious download processes.”
While phishing remained the top initial access method across all threat incident types, Kroll observed significant increases in external remote services being compromised and CVEs being exploited for initial access. External remote services were used for initial access 700% more this quarter and CVEs were exploited for initial access 46% more in Q2.
External remote services have historically been a common access vector for ransomware groups. At the height of the pandemic in 2020, Kroll reported that open RDP and vulnerabilities in popular VPN systems (Citrix NetScaler, CVE-2019-19781, and Pulse VPN, CVE-2019-11510) were the most common precursors to ransomware attacks.
The majority of incidents in Q2 2022 that began with access via remote services or CVE exploitation led to a ransomware attack. This highlights the popularity of compromising external remote services among ransomware threat actor groups, and is consistent with both ransomware and external remote services, as initial attack vectors, increasing this quarter.
In previous quarters, out of the most popular initial access methods, external remote services accounted for a much smaller proportion of the overall amount. Several factors may account for the recent rise in the use of external remote services, including ongoing botnet disruptions, which make it harder for ransomware operators to leverage botnets as a method of initial infection. MDR tools are also catching more malware, so external remote services are used as a way to avoid detection. Kroll observed several cases in Q2 where organizations were compromised due to legacy systems or unpatched vulnerabilities.
In a BlackCat ransomware situation, Kroll’s forensic review identified that actors had scanned the victim’s VMware server more than 10 days before returning to access the system via the Log4Shell vulnerability. Once inside the system, actors deployed multiple tools to maintain persistence, including PSTools, ZohoAssist, Total Software Deployment, PDQ Install and Mimikatz to collect credentials. Once credentials were obtained via Mimikatz, the actors used ScreenConnect across hundreds of endpoints to collect and exfiltrate data.
Another event investigated by Kroll began as a single incident concerning a demand from the SunCrypt ransomware gang. Additional forensic analysis identified the earlier presence of AvosLocker encryption and LockBit 2.0 encryption on the network. Due to anti-detection methods used by the various actors once inside the network, the evidence needed to determine the root of the access was largely destroyed. Kroll did observe the threat actor using Domain Admin level credentials while inside the network. A threat actor later communicated that the organization’s VPN was vulnerable to an exploit patched in 2018 and that an admin password was weak.
Stephen Green, Vice President in the Cyber Risk practice at Kroll, comments, “It is interesting to see the rise in ransomware combined with the rise in external remote services used as an initial access point for attackers. Not always do we have such a clear correlation between an incident and the root cause of how they first got in.”
“As many organizations transition to a hybrid style of working,” said Green, “identifying the vulnerabilities that external remote services present is critical. Many of the remote systems that we rely on were set up in haste as a reaction to COVID-19 and the widespread work-from-home advice given by governments around the world. Their implementation may have been rushed and less due diligence may have been completed compared to normal circumstances. Now is the time to readdress these environments and build resilience for a longer-term remote strategy.”
After a series of high-profile leaks, Conti ransomware’s actor-controlled site and chat negotiations page went dark on June 23. Kroll data mirrored this decline in Conti activity with associated ransomware cases accounting for only 18% in Q2 compared with 20% in Q1 and 35% in Q4. Likewise, Kroll saw a drop in LockBit 2.0 activity during the quarter.
Variants on the rise included the previously mentioned Black Basta ransomware gang. Black Basta, which Kroll observed leveraging Qakbot malware for access, made its first post on underground forums referencing a willingness to buy access into corporate networks, likely recruiting initial access brokers to support its activities. Other groups that increased their activity during Q2 included BlackCat, QuantumLocker and Hive.
Supporting Kroll’s findings that the healthcare sector is being targeted by ransomware groups, the U.S. Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note in April indicating that the Hive ransomware group was aggressively targeting the healthcare sector. The Hive ransomware group is known to leverage remote services for access.
Across the board, ransomware groups continue to use tried and tested techniques to compromise their victim’s environments, taking advantage of security weaknesses to gain footholds into systems and launch malicious payloads. This makes maintaining and building cyber resilience a priority to avoid being compromised by a ransomware attack.
In relation to the trends Kroll is seeing around initial access methods, organizations would be wise to pay close attention to the security around remote services. Implementing multi-factor authentication on these systems and keeping remote services inaccessible from the internet is advisable. Organizations should also maintain a regular patching, testing and vulnerability scanning schedule, particularly for vulnerabilities in VPNs and RDP services.
Security efforts should be prioritized in the healthcare sector. Checking that backups are available and recovery capabilities are tested, as well as having manual alternatives for electronic tasks (that can maintain continuity of critical functions in the wake of a network attack or outage) is essential.
It is concerning to see healthcare rise so dramatically up the most targeted industry list, especially at a time when services are undoubtedly under pressure, recovering from the strained environment caused by COVID-19. Though always disruptive, ransomware’s ability to grind company operations to a halt becomes more devastating in an environment where business continuity means saving lives.
Kroll saw an increase in threat actors targeting remote services for initial access into networks in Q2. There were also longer, more evasive attack chains by actors aiming to launch malware such as Qakbot, and Kroll continued to see activity around high-profile vulnerabilities such as Log4j.
The key takeaway from Q2 2022 is not to neglect remote services in your cyber strategy. With many offices approaching a new hybrid working environment, systems that were hastily deployed at the start of the pandemic may now need revisiting to avoid them becoming a security vulnerability and initial access point for cyberattacks.