Attivo Networks has worked closely with many healthcare organizations over the last year to add inside-the-network detection for the cases where prevention systems have failed. This blog takes a closer look at what those organizations are finding and what healthcare security operations teams can do to better defend their companies from these ever-evolving variants of malware.
Customer: Regional Healthcare Provider
The security operations team had detected a particularly nasty strain of malware. They had been able to isolate the malware, but due to its ever-changing nature, were having trouble containing it and identifying new infections.
They were able to use the Attivo Deception Platform to gather much-needed forensic intelligence on the fast-changing malware by loading it into the BOTsink engagement server and intentionally infecting it to determine how it behaved.
- Provided a safe, quarantined environment in which to watch the malware develop.
- Included analysis of auto-replication and updating of prevention systems with the observed C&C addresses to prevent data exfiltration.
- Allowed the team to watch the malware propagate laterally within the BOTsink and infect the other Windows ES.
- Proved the malware to be QAKBOT distributed via the RIG Exploit Kit.
- Produced a YARA rule and VirusTotal reports for threat intelligence sharing.
- Important note: Attivo has seen this impact other Attivo customers, confirming that this is not an isolated incident and that this strain of malware appears to be targeting healthcare.
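The workflow above (detonate in the engagement server, watch lateral propagation, harvest C&C addresses, push them to egress controls) can be illustrated with a small parser over sandbox connection records. This is an added example, not Attivo code or the BOTsink API; the log format, the 10.0.0.0/8 lab range and the sample records are all constructed assumptions.

```python
# Added example: turn constructed engagement-server connection records into
# (a) the lateral-movement targets the malware probed and (b) an egress
# blocklist of candidate C&C addresses. Hypothetical log format.
import ipaddress
import re
from collections import Counter

# Constructed records: "<timestamp> <decoy> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2017-03-01T10:00:01 DECOY-WIN7-A -> 10.0.5.20:445 smb
2017-03-01T10:00:07 DECOY-WIN7-A -> 203.0.113.45:443 tls
2017-03-01T10:00:09 DECOY-WIN7-A -> 203.0.113.45:443 tls
2017-03-01T10:01:02 DECOY-WIN7-B -> 10.0.5.21:445 smb
2017-03-01T10:01:15 DECOY-WIN7-B -> 198.51.100.7:8443 tls
2017-03-01T10:01:30 DECOY-WIN7-B -> 10.0.5.1:53 dns
"""
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed lab range
LATERAL_PORTS = {135, 139, 445}                        # RPC/SMB
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

def parse(log):
    """Yield (timestamp, decoy, dst_ip, dst_port, proto) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, proto = m.groups()
            yield ts, src, ipaddress.ip_address(dst), int(port), proto

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def candidate_c2(log):
    """External destinations contacted by infected decoys, with hit counts.
    These are the C&C addresses to push to egress prevention systems."""
    return Counter(str(dst) for _, _, dst, _, _ in parse(log)
                   if not is_internal(dst))

def lateral_targets(log):
    """Internal hosts the decoys tried to reach on RPC/SMB ports, i.e. the
    malware's lateral propagation as seen from inside the sandbox."""
    return sorted({str(dst) for _, _, dst, port, _ in parse(log)
                   if is_internal(dst) and port in LATERAL_PORTS})

def egress_deny_rules(log):
    """Render one firewall deny line per C&C candidate (iptables syntax)."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP"
            for ip in sorted(candidate_c2(log))]
```

Hit counts let an analyst rank beaconing destinations before blocking; internal DNS traffic is deliberately excluded from the lateral-movement view.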
This organization had a best-in-class prevention system. Why were they not able to prevent and quickly remediate this attack without Attivo?
- The new malware strain could not be detected by signature-based systems.
- While moving laterally, the malware changed itself a number of times.
- The web exploits used legitimate-looking JavaScript and bypassed other security prevention systems.