American Hospital Association Urges Organizations to Review Microsoft Malware Warning

The American Hospital Association (AHA) has urged healthcare organizations to review a recent Microsoft blog post that warns of a new malware variant that has been used by an Advanced Persistent Threat (APT) actor to attack critical infrastructure organizations in Ukraine.

The Microsoft Threat Intelligence Center detected a new destructive malware variant on January 13, 2022, that was being used by a previously unknown threat actor, which Microsoft is tracking as DEV-0586. Microsoft has not found any notable associations with other tracked threat groups, and the attacks so far have been limited to government, non-profit, and information technology organizations in Ukraine; however, there is a risk that the malware may be used in more widespread attacks.

The malware, dubbed WhisperGate by Microsoft, masquerades as ransomware. After it executes on a system, a ransom note is displayed, but there is no mechanism for recovering data. The malware is actually a Master Boot Record (MBR) wiper, which is dropped into the C:\PerfLogs, C:\ProgramData, C:\, and C:\temp folders. The wiper, often named stage1.exe, executes when the device is powered down and overwrites the MBR.

The MBR is the part of the hard drive that tells the computer how to load the operating system. The malware overwrites the MBR so that the operating system can no longer load, and displays a fake ransom note stating that the victim should pay a $10,000 ransom to the attacker's Bitcoin wallet. The wallet address is included in the note. Payment should not be made, as there is no method of recovery.
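Because the damage WhisperGate does is to the first sector of the disk, one practical defensive control is to baseline the MBR of each system (or of disk-image backups) and verify it on a schedule. The following Python script is an added example, not code from the article or from Microsoft's post: it parses a 512-byte MBR, checks the boot signature and partition table, compares against a known-good SHA-256, and applies a printable-text heuristic for a note written over the boot code. Both sample sectors are constructed, and the heuristic is an assumption rather than a documented WhisperGate signature.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PART_ENTRY = "<B3xB3xII"              # boot flag, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from(PART_ENTRY, sector, 446 + 16 * i)
        partitions.append({"flag": flag, "type": ptype, "lba_start": lba, "sectors": count})
    return {"bootstrap": sector[:446], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def mbr_findings(sector: bytes, known_good_sha256: str = "") -> list:
    """Return a list of integrity problems; an empty list means the MBR looks intact."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    for i, p in enumerate(mbr["partitions"]):
        if p["flag"] not in (0x00, 0x80):        # only 'inactive' or 'bootable' are valid
            findings.append(f"partition {i}: invalid boot indicator 0x{p['flag']:02x}")
    if all(p["type"] == 0 for p in mbr["partitions"]):
        findings.append("partition table empty")
    # Heuristic (assumption): real bootstrap code is mostly non-printable machine code,
    # so a bootstrap area that is mostly ASCII text suggests a note was written over it.
    printable = sum(32 <= b < 127 for b in mbr["bootstrap"])
    if printable > 0.6 * len(mbr["bootstrap"]):
        findings.append("bootstrap area is mostly printable text")
    if known_good_sha256 and hashlib.sha256(sector).hexdigest() != known_good_sha256:
        findings.append("MBR hash differs from baseline")
    return findings

def build_sample_mbr(bootstrap: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR from bootstrap bytes and (flag, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap[:446]
    for i, entry in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, 446 + 16 * i, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed samples: a plausible intact MBR, and a sector overwritten with note text.
INTACT_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
INTACT_SHA256 = hashlib.sha256(INTACT_MBR).hexdigest()
WIPED_MBR = (b"Your hard drive has been corrupted. Send $10,000 in Bitcoin. " * 9)[:SECTOR_SIZE]

if __name__ == "__main__":
    print("intact:", mbr_findings(INTACT_MBR, INTACT_SHA256))
    print("wiped :", mbr_findings(WIPED_MBR, INTACT_SHA256))
```

On a live Windows host the first sector can be read from `\\.\PhysicalDrive0` with administrator rights; comparing it against a stored baseline hash turns this into a simple boot-sector change monitor.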

Microsoft says a file corrupter malware has also been used in the attacks. The file, named stage2.exe, downloads the next-stage malware, which is executed in memory and corrupts a wide range of file types in certain directories on the system to ensure they cannot be restored.

Microsoft has provided indicators of compromise (IoCs) in the blog post that can be used to detect a potential intrusion. Microsoft urges organizations to review authentication activity for remote access infrastructure, especially for accounts protected only by single-factor authentication, to confirm that the activity is legitimate. Any anomalous activity should be investigated.

Microsoft also recommends implementing multi-factor authentication and ensuring it is enforced for all remote connectivity, and enabling Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to prevent any modification of the MBR/VBR.

Officials in Ukraine announced over the weekend that they have uncovered evidence that the attacks were conducted by Belarus, which has strong ties with Russia. Threat actors have previously targeted critical infrastructure in Ukraine with wiper malware called NotPetya; those attacks then spread rapidly around the world, causing major disruption and data loss.

“As we have seen in the past, destructive malware targeting the Ukraine can spread rapidly across the globe. It is again strongly recommended to assess any direct, third-party business associate connections and email contacts in the Ukraine and that region of the world. Consider blocking such connections,” said John Riggi, AHA national advisor for cybersecurity and risk. “Geo-fencing for all inbound and outbound traffic related to Ukraine and that region may help mitigate direct cyber risk presented by this threat; it will have limited impact in reducing indirect risk, in which the malware transits through other nations, proxies and third parties. Thus, increased monitoring of networks and incident-response preparedness is also strongly recommended.”
