Threat Management, Threat Intelligence

Healthcare and Finance Suffer Most Cyberattacks

Share
Hacker attack computer hardware microchip while process data

During the summer of 2023, cyberattacks rose significantly, according to data from the new quarterly BlackBerry Global Threat Intelligence Report, November 2023 edition.

The report, which covers the period of June through August, found that companies in the healthcare and finance sectors suffered the brunt of these attacks, while government and critical infrastructure organizations also experienced more attempted intrusions this summer.

Here’s a closer look at the threats and events that impacted each industry.

Finance

Threat actors launched more than 420,000 attacks on financial institutions from June through August, with commodity malware such as Lumma Stealer and Vidar information stealer heavily targeting financial institutions. Attackers also exploited a vulnerability in Progress Software’s legitimate MOVEit file transfer software.

In July, four European banking giants — Comdirect, the third-largest bank in Germany; Postbank, with 700 locations; and ING Bank, the 13th-largest bank in the industry — were breached by attackers exploiting the MOVEit vulnerability.

Healthcare

The healthcare industry suffered more than 179,000 attacks in the three months covered by the report. These attacks were spread across Canada, the U.S., Australia, Japan, India and several South American and Latin American countries. Infostealers and ransomware attacks were common.

Perhaps the most damaging healthcare attack, in terms of outcome, was on Spring Valley St. Margaret’s Hospital in Illinois. After a ransomware attack, the hospital (including its clinics, online portal, and facilities at both its locations) was forced to permanently close its doors to the public.

Government

More than 100,000 attacks were launched at government agencies, nearly 50% higher than the prior report. A number of U.S. government agencies, including the U.S. Department of Energy (DOE), were breached by attackers exploiting the MOVEit vulnerability. Clop ransomware, which is sold largely as a ransomware-as-a-service (RaaS), has been actively targeting governments, as were infostealers such as RedLine, RacconStealer v2, Vidar, and Lumma Stealer.   

Critical infrastructure

Critical infrastructure is increasingly a target of both state-sponsored and financially motivated threat actors. BlackBerry Cybersecurity solutions thwarted over 75,000 attacks against critical infrastructure around the world during this reporting period. Ukrainian electrical utilities and other critical infrastructure facilities, as well as government and law enforcement agencies, were under frequent attack due to current geopolitical events, particularly by the Russian-linked Sofacy Group (APT28).

The LockBit ransomware group was particularly active against critical infrastructure in this reporting period. In July, LockBit claimed responsibility for an attack on the Japanese port of Nagoya, the country’s largest port, which disrupted operations for 48 hours. LockBit also targeted the Montreal Commission des Services Electriques (CSEM), forcing the 100-year-old municipal electricity provider to rebuild its infrastructure.

Predictions

BlackBerry predicts that we will likely see more targeted attacks in response to regional and global conflicts, including the Israel-Hamas war, so we can expect more destructive attacks against public entities, government, and public utilities in the future. These attacks may include, but are not limited to, data exfiltration and destruction, social engineering attacks such as impersonation, and cyber espionage.

Social networks and messaging apps will be used to spread propaganda internationally to ramp up public hatred and mislead citizens of all nations. Messaging apps will also continue to be abused for data exfiltration purposes to bypass traditional DNS monitoring techniques to detect and block C2C (customer-to-customer) connections.

Overall, BlackBerry Cybersecurity solutions blocked more than 3.3 million attacks this reporting period. That’s an average of 26 attacks per minute — more than double the number in the prior reporting period (March through May 2023), which recorded 1.5 million attacks.

Another key finding in the report is a surge in new, unique malware hashes. A 70% jump in new malware samples during the reporting periods indicates that attackers have diversified their tactics, techniques, and procedures (TTPs) in an attempt to specifically access high-value targets.

Backdoor Malware, DDoS and Social Engineering Attacks Jump

Other important findings in the report include:

  • A rise in reverse shell-based backdoor malware, which allows attackers to control a remote system by remotely connecting to a Linux shell, then creating a covert communications channel to issue commands and exfiltrate data from the victim’s network.
  • The most prevalent type of attacks were malware-based distributed denial of service (DDoS) attacks, with the Mirai and Gafgyt botnets used to launch them.
  • Ransomware groups like LockBit, Clop, and ALPHV caused tens of millions of dollars in damages worldwide, as they have learned to evade security by rapidly changing their TTPs. Worse, ransomware campaigns increasingly practice “double extortion” — a strategy to increase the payout by first demanding a ransom to unencrypt the victim’s data, then demanding another payment for not exposing the data online, either publicly to embarrass the victimized company, or on the dark web for sale to other cybercriminals.
  • The use of social engineering remains a popular attack method to bypass security controls. In September, an attacker crippled the MGM Resort International and Caesars Entertainment casinos and hotels by impersonating an employee to obtain access.
  • The Lazarus Group, a sophisticated North Korean-affiliated group, stole millions of dollars in cryptocurrency though attacks against various cryptocurrency services and exchange platforms.

Threat actors also abused both legitimate commercial software tools and malicious ones. For instance, two popular penetration testing tools — Metasploit and Cobalt Strike — have been heavily abused by many threat groups, including ransomware groups that use these tools to exfiltrate data before encrypting it.

In terms of operating systems, Windows attracted the widest range of threats, with RedLine, a .NET compiled infostealer, being the most dominant. Android devices were also heavily targeted, especially by phishing campaigns.

The goal of BlackBerry’s Global Threat Intelligence Reports is to provide exceptional cybersecurity data as well as actionable and contextual cyber threat intelligence that readers can translate into practical threat hunting and detection capabilities. For more detailed information on the leading threat groups and threats, commonly exploited vulnerabilities, and common MITRE techniques and countermeasures read the complete BlackBerry Global Threat Intelligence Report, November 2023.

Guest blog courtesy of BlackBerry Cybersecurity. Read more BlackBerry Cybersecurity blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.