On July 6, 2022, the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert (AA22-178A) titled “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector”.
According to the alert, starting as early as May 2021, North Korean state-sponsored cyber actors have been leveraging Maui ransomware to target healthcare and public health sector organizations in the U.S.
This joint Cybersecurity Advisory (CSA) provides information—including tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs)—on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. To reduce the likelihood of compromise from ransomware operations, the FBI, CISA, and Treasury urge Healthcare and Public Health (HPH) Sector and critical infrastructure organizations to apply the recommendations in the Mitigations section of the Alert. Victims of Maui ransomware should report the incident to their local FBI field office or CISA.
North Korea is not alone in its aggression. Over the past several months, Russian state-sponsored actors have targeted Ukraine’s government and critical infrastructure. We’ve also seen a growing trend of attacks on manufacturing and critical infrastructure. Some notable examples include ransomware attacks on Bridgestone Americas and a suspected cyberattack on Japan-based Toyota plants the same day Japan joined Western countries in restricting transactions with the Central Bank of the Russian Federation. Given all of the state-sponsored activity, a “SHIELDS UP” advisory also remains in effect.
State-sponsored attackers are looking for the weakest points to infiltrate organizations. In healthcare and public health sector organizations that means medical, clinical, and other devices and assets (for example, IoMT, IT, cloud, and smart assets) are in play. The goal is simply to get in and then move laterally across the organization.
Stopping ransomware requires split-second detection and response to malicious activity. The problem is that a host of clinical and medical devices and other assets across healthcare and public health sector environments are unprotected for a variety of reasons. For example, many medical devices can’t accommodate security agents, or they may rely on old, vulnerable operating systems. IT devices may be missing or have misconfigured agents. And even devices and assets running agents may only be scanned periodically. To protect your growing attack surface from cybercriminals and state-sponsored actors, you need:
The Armis Asset Intelligence Platform helps with Maui ransomware and other threats on multiple levels, providing capabilities for addressing key CISA mitigation recommendations. For example, Armis customers can:
If you are not an Armis customer, we can still help. We offer a free Quick Asset Visibility Assessment using the Armis platform to help you find and identify assets affected by Maui malware. Our platform works with your existing infrastructure to ensure you have a complete, real-time asset inventory you can rely on.
Given the growing number of nation-state-sponsored cyberattacks, in addition to ongoing threat campaigns from cybergangs and other bad actors, the ability to monitor and secure every device is critical to protecting patients and ongoing operations. Armis can provide the unified visibility and security you need to stay protected.
Let an Armis expert help you get started in as little as 30 minutes.