[BreachExchange] France Warns of Stolen Healthcare Credentials

Thu Feb 25 11:02:25 EST 2021

https://www.databreachtoday.com/france-warns-stolen-healthcare-credentials-a-16047

French authorities are warning the country's healthcare sector of the
discovery of a glut of stolen credentials, apparently belonging to
hospitals workers, that were found for sale on the dark web. The alert
comes amid a recent rise in ransomware attacks on hospitals and other
healthcare entities.

In an alert issued this week, the French Ministry of Social Affairs
and Health says it was notified by France's Computer Emergency
Response Team - part of the National Agency for Security of
Information Systems - of the sale on a cybercriminal forum of a list
of 50,000 user accounts - including login/password credentials -
likely belonging to French hospital agents.

The alert notes that the file containing the credentials appears to
have been sold on Feb. 4, and that so far "only a few establishment
domain names have been identified, which have been notified directly."

The alert notes that "it is difficult to accurately describe the
origin of this leak, but the impact that the use of login/agent
password couples can have on the security of institutions' information
systems is more easily evaluable." That includes attempts to connect
to remote means of access, such as Outlook web access and VPN.

"Once the connection is successful, attackers can use all the
resources allocated to the compromised account to break into the
information system," the alert notes.

Recent Incidents

The warning by the health ministry comes as several French hospitals -
including hospitals in Dax and Villefranche-sur-Saone, as well as
French health insurer Mutuelle Nationale des Hospitaliers - have been
hit by ransomware incidents in recent weeks.

In a statement, MNH says it detected an intrusion into its information
system on Feb. 5, quickly determining "a large-scale cyberattack."

MNH says it shut down its computer network and "disconnected" all
applications "to stop the spread of the virus and thus protect the
data of our members, employees and our partners."

The organization's last public update on Feb. 15 noted it was in the
middle of "a long and tedious restoration process."

Ransomware Warnings

In addition to the warning about the stolen hospital credentials, the
French health ministry in its alert also acknowledges that several
healthcare facilities in France have been recent victims of malware
involving Emotet, TrickBot and Ryuk.

"Particular attention should be paid to this because these three
malwares are used in complex chains of attacks that have a strong
impact on the activity of victims," the alert notes.

Additionally, the ministry warns that "scan campaigns from the
infrastructure of the TA505 (Clop ransomware activity cluster) and
UNC1878 (Ryuk ransomware activity cluster) targeting health facilities
were also reported."

The ministry adds that "in particular, potential attackers are looking
for machines with open ssh, mysql and rdp services, and more than
8,000 other ports are also scanned."

Similar Issues

The cyber incidents being experienced by the French healthcare sector
are akin to what healthcare organizations in the U.S., as well as in
some other regions of the world, have been dealing with during the
COVID-19 pandemic, and even prior to that, some experts note.

For instance, last week, South Korean officials warned of attempted
attacks by North Korean hackers to steal COVID-19 vaccine and
treatment data from pharmaceutical maker Pfizer (see: South Korea
Claims North Korea Tried Hacking Pfizer).

The recent alerts by French and South Korean officials come on the
heels of warnings in recent months by global law enforcement agencies,
as well as Microsoft and Kaspersky, about the surge of state-sponsored
hackers targeting COVID-19 drugmakers and supply chain players.

"Based on what has been reported on these events in the French
healthcare sector, it appears to be very similar to what we’ve seen
affecting several verticals, including U.S healthcare," says Tony
Cook, head of threat intelligence at security vendor GuidePoint
Security.

"In many cases ransomware actors are simply scanning for open remote
administration ports, then targeting the underlying service with brute
force attacks," he notes. "It is an easy and effective manner to get
into an environment in which these actors have found great success."

Healthcare entities across many regions of the globe "need to be more
proactive with their security stances, including ensuring regular
tabletops for these scenarios and actively working on aligning to
industry best practices," he adds.

Specifically, healthcare sector entities need to ensure they have
visibility into their environment as well as a clear understanding of
their network, Cook notes.

"That includes deploying an endpoint detection and response solution
to every host in your network, implementing two-factor authentication
on every applicable remote/cloud service - including email - as well
as increasing logging on sensitive assets," he says.

"While the attacks on the French healthcare sector are regrettable, it
is a reminder that ransomware is a global threat which requires global
awareness.