On October 28th, the Department of Health and Human Services (HHS) coordinated a call with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
The HHS, CISA, and FBI shared credible information about an increased and imminent cyber threat to US hospitals and healthcare providers. The joint government team has issued written documentation including preventative steps and mitigation strategies the sector can take to avoid becoming a victim of these attacks. Read the Joint Cybersecurity Advisory coauthored by the HHS, CISA, and FBI.
CISA and HHS will be sharing this information in order to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
The threat appears to be related to the attempted takedown of the TrickBot botnet. You can read details here. According to security researchers, TrickBot has been damaging to health care organizations and is lashing out with increased ransom demands, and ransomware is being detonated almost immediately after a network is penetrated.
We recommend that you take the following steps:
- Run a compromise assessment of your environment now to look for signs of adversarial activity
- Review your runbooks if you have them
- Remove all single factor authentication in your environment
- Make sure you are on Active Directory 2012 R2 or higher
- Ensure all domain admins are members of the Protected Users group
- Disable domain admin authentication on workstations
- Limit personal email on company assets
- Expedite patching
- Get a Ransomware runbook if you do not already have one
- Get an incident response retainer if you do not have one
- Aggressively deploy endpoint protection and multi-factor authentication
- Put network segmentation in your plans and start deploying
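One way to check the two Active Directory items in the list above, as an added example that is not part of the Joint Cybersecurity Advisory or of this notice. It assumes the RSAT ActiveDirectory PowerShell module, an account that can read the directory, the default English group names, and that "2012 R2 or higher" is read as the domain functional level.

```powershell
# Added example: read-only audit of domain functional level and of
# Domain Admins membership in the Protected Users group.
# Assumptions: ActiveDirectory module installed; default group names.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Functional levels below Windows Server 2012 R2. The domain-controller-side
# protections of Protected Users are only enforced at 2012 R2 or higher.
$legacyModes = 'Windows2000Domain', 'Windows2003InterimDomain',
               'Windows2003Domain', 'Windows2008Domain',
               'Windows2008R2Domain', 'Windows2012Domain'
$mode = $domain.DomainMode.ToString()

if ($legacyModes -contains $mode) {
    Write-Warning "Domain functional level is $mode (below 2012 R2)."
} else {
    Write-Output "Domain functional level: $mode"
}

# Distinguished names of every account already in Protected Users.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty distinguishedName)

# Every user account that holds Domain Admins, including via nested groups.
$admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' })

$report = foreach ($admin in $admins) {
    [pscustomobject]@{
        SamAccountName   = $admin.SamAccountName
        InProtectedUsers = $protected -contains $admin.distinguishedName
    }
}

# Accounts listed with InProtectedUsers = False are the gap to close.
$report | Sort-Object InProtectedUsers, SamAccountName | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.InProtectedUsers })
Write-Output ("{0} of {1} domain admin accounts are not in Protected Users." -f
    $missing.Count, $admins.Count)
```

Members of Protected Users cannot authenticate with NTLM or be delegated, so confirm that each admin workflow still works before adding the remaining accounts.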
We recommend you review the Joint Cybersecurity Advisory document and implement all actions as soon as reasonably possible. Please feel free to contact us, or email any questions to firstname.lastname@example.org.