France Warns of Stolen Healthcare CredentialsAlert Comes Amid Recent Ransomware Attacks on Hospitals, Others
French authorities are warning the country's healthcare sector of the discovery of a glut of stolen credentials, apparently belonging to hospitals workers, that were found for sale on the dark web. The alert comes amid a recent rise in ransomware attacks on hospitals and other healthcare entities.
See Also: Automating Security Operations
In an alert issued this week, the French Ministry of Social Affairs and Health says it was notified by France's Computer Emergency Response Team - part of the National Agency for Security of Information Systems - of the sale on a cybercriminal forum of a list of 50,000 user accounts - including login/password credentials - likely belonging to French hospital agents.
The alert notes that the file containing the credentials appears to have been sold on Feb. 4, and that so far "only a few establishment domain names have been identified, which have been notified directly."
The alert notes that "it is difficult to accurately describe the origin of this leak, but the impact that the use of login/agent password couples can have on the security of institutions' information systems is more easily evaluable." That includes attempts to connect to remote means of access, such as Outlook web access and VPN.
"Once the connection is successful, attackers can use all the resources allocated to the compromised account to break into the information system," the alert notes.
The warning by the health ministry comes as several French hospitals - including hospitals in Dax and Villefranche-sur-Saone, as well as French health insurer Mutuelle Nationale des Hospitaliers - have been hit by ransomware incidents in recent weeks.
In a statement, MNH says it detected an intrusion into its information system on Feb. 5, quickly determining "a large-scale cyberattack."
MNH says it shut down its computer network and "disconnected" all applications "to stop the spread of the virus and thus protect the data of our members, employees and our partners."
The organization's last public update on Feb. 15 noted it was in the middle of "a long and tedious restoration process."
In addition to the warning about the stolen hospital credentials, the French health ministry in its alert also acknowledges that several healthcare facilities in France have been recent victims of malware involving Emotet, TrickBot and Ryuk.
"Particular attention should be paid to this because these three malwares are used in complex chains of attacks that have a strong impact on the activity of victims," the alert notes.
Additionally, the ministry warns that "scan campaigns from the infrastructure of the TA505 (Clop ransomware activity cluster) and UNC1878 (Ryuk ransomware activity cluster) targeting health facilities were also reported."
The ministry adds that "in particular, potential attackers are looking for machines with open ssh, mysql and rdp services, and more than 8,000 other ports are also scanned."
The cyber incidents being experienced by the French healthcare sector are akin to what healthcare organizations in the U.S., as well as in some other regions of the world, have been dealing with during the COVID-19 pandemic, and even prior to that, some experts note.
For instance, last week, South Korean officials warned of attempted attacks by North Korean hackers to steal COVID-19 vaccine and treatment data from pharmaceutical maker Pfizer (see: South Korea Claims North Korea Tried Hacking Pfizer).
The recent alerts by French and South Korean officials come on the heels of warnings in recent months by global law enforcement agencies, as well as Microsoft and Kaspersky, about the surge of state-sponsored hackers targeting COVID-19 drugmakers and supply chain players.
"Based on what has been reported on these events in the French healthcare sector, it appears to be very similar to what we’ve seen affecting several verticals, including U.S healthcare," says Tony Cook, head of threat intelligence at security vendor GuidePoint Security.
"In many cases ransomware actors are simply scanning for open remote administration ports, then targeting the underlying service with brute force attacks," he notes. "It is an easy and effective manner to get into an environment in which these actors have found great success."
Healthcare entities across many regions of the globe "need to be more proactive with their security stances, including ensuring regular tabletops for these scenarios and actively working on aligning to industry best practices," he adds.
Specifically, healthcare sector entities need to ensure they have visibility into their environment as well as a clear understanding of their network, Cook notes.
"That includes deploying an endpoint detection and response solution to every host in your network, implementing two-factor authentication on every applicable remote/cloud service - including email - as well as increasing logging on sensitive assets," he says.
"While the attacks on the French healthcare sector are regrettable, it is a reminder that ransomware is a global threat which requires global awareness.