An attack against a U.S. cancer center this month by an obscure ransomware group has sparked a warning to the healthcare sector about the threat actor’s “rarely used and very effective” techniques.

While the group, which calls itself TimisoaraHackerTeam (THT), is not widely known, it has a history of attacking medical facilities by exploiting known vulnerabilities and using a living-off-the-land approach to minimize detection.

In a notification (PDF) about this month’s cancer center attack, the Department of Health & Human Services’ Healthcare Sector Cybersecurity Coordination Center (HC3) said THT was first discovered by researchers in July 2018 and had targeted healthcare organizations around the world.

“Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector,” the notification said.

HC3 did not name the THT’s latest target but said the attack on the cancer center “rendered its digital services unavailable, put the protected health information of patients at risk, and significantly reduced the ability of the medical center to provide treatment for patients”.

Research into THT’s tactics, techniques, and procedures (TTPs) suggested a link between it and a suspected Chinese malware groups including DeepBlueMagic and APT41, both of which have a history of targeting healthcare organizations. It is not clear, however, if the groups shared members or simply used similar methods.

What is a LOTL attack?

Adopting a living-off-the-land (LOTL) approach allowed the groups to encrypt files without being detected by security solutions. A LOTL attack, sometimes described as a fileless malware attack, is a type of adversarial technique that utilizes applications that are considered friendly and are not red-flagged as malicious. For example an attack may include Windows tools such as PowerShell and Windows Management Instrumentation (WMI) to open up a system to a malware attack.

“Rather than use custom built tools to encrypt the files of the victims like many ransomware groups, THT's characteristic tactic of abusing legitimate tools like Microsoft Bitlocker and Jetico's BestCrypt makes them unique among threat actors,” the notification said.

HC3 said THT’s ransomware attacks seemed to target healthcare organizations with medium to large servers and the group often employed Common Vulnerability Exploitations (CVEs) against vulnerable VPNs to gain initial remote access into a victim’s network.

THT exploits instances of unpatched bug

“THT will usually authenticate into the network using administrative level credentials obtained via vulnerabilities exploitation. Once THT gains initial access into a victim’s network, they will look to move laterally around the network,” HC3 said.

“The threat group also utilizes [now patched] zero-day vulnerability found in Microsoft Exchange servers found in early 2021 and recent vulnerabilities in Fortinet firewalls.”

That was the case in THT’s latest attack on the cancer center, where it targeted Fortinet’s FortiOS SSL-VPN to exploit CVE-2022-42475, a heap-based buffer overflow vulnerability that allows remote attackers to execute code or commands using specially crafted requests.

TimisoaraHackerTeam gets its name from the Romanian town of Timisoara and researchers say examination of THT’s source code suggests it was produced by Romanian speakers.

According to HC3’s notification, an April 2021 attack on a French hospital has been “loosely attributed” to THT while an August 2021 attack on Hillel Yaffe Medical Center in Israel was the “most infamous” one carried out by DeepBlueMagic.

“The [Hillel Yaffe] incident paralyzed the majority of the hospital’s computer systems, resulting not only in the theft of large amounts of data, including confidential patient information, but also an inability to access patient files and the patient registry system, and nonfunctional electric doors,” HC3 said. “In a matter of days, the targeting of the medical center, which was attributed to DeepBlueMagic, spurred an additional nine attacks on other hospitals and health organizations in the country, resulting in the largest cyber attack ever launched on the Israeli health sector.”