Cobalt Strike Infections Haunt Healthcare - Warns HHS

Diving into details

• Some of the gangs that have been deploying Cobalt Strike on healthcare facilities include Mustang Panda, APT10, APT41, and Winnti, among others. 
• HHS stated that Cobalt Strike and similar tools are “noisy” within an environment and can be identified with anti-malware and intrusion prevention systems, which should lead to quick defense. 
• Apart from using Cobalt Strike, threat actors are using PowerShell, Mimikatz, Sysinternals, Brute Ratel, and Anydesk against healthcare facilities.

Latest malicious Cobalt Strike campaigns

• Trend Micro researchers spotted that the Black Basta ransomware gang has been following the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain.
• A modular campaign was found dropping Cobalt Strike beacons on infected endpoints, along with RedLine Stealer and Amadey botnet. 
• Fortiguard Labs observed a rising volume of campaigns targeting both Russia and Ukraine. The phishing emails contain military-themed malicious Excel documents, which ultimately dropped Cobalt Strike via a multi-stage infection.

More threat warnings by HHS

• In September, the HC3 warned against the Evil Corp group propagating the Dridex trojan to gain access to intellectual property from the U.S. healthcare sector.
• Just a few days before the above warning, the agency warned against the Karakurt ransomware group that conducted at least four attacks against the sector.

The bottom line