The medical community has been warned: On October 28, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Health and Human Services (HHS) published Ransomware Activity Targeting the Healthcare and Public Health Sector to alert the community that malicious actors are once again using the Ryuk ransomware against medical organizations.
The federal advisory’s analysis highlights how the anchor_dns tool at the core of the Ryuk campaign uses DNS as the control plane to deliver the PowerShell command scripts that lie at the heart of the attack. As every security practitioner knows, DNS is the main control plane through which most adversaries send commands to compromised machines, as catalogued in the MITRE ATT&CK framework. More significantly, this campaign shows adversaries also exploiting DNS for data exfiltration, following the path of earlier malware campaigns that targeted retail point-of-sale systems. Organizations rarely focus on DNS, preferring next-generation firewalls and other security platforms that concentrate on HTTP and email. Anchor_dns sidesteps those platforms by using DNS to smuggle data out undetected, counting on the fact that most traditional security platforms cannot differentiate between legitimate and malicious DNS requests.
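A defender-side heuristic for the last point above, spotting DNS queries whose names appear to carry encoded data, as an added example that is not from the advisory or from SC Media. The log format, thresholds and domain names are constructed for illustration, and the registered-domain split assumes a two-label suffix.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query records ("client qname qtype"), not taken
# from the advisory. The hex labels stand in for encoded data in a query name.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 cdn.static-assets.net A
10.0.0.9 3f9a1c77e0b24d6a8f51c93e07ad4b2f61e8c05d.exfil-placeholder.test TXT
10.0.0.9 a84d0e1f6c2b93775ef1d02c4a9b86e3f7105cd2.exfil-placeholder.test TXT
10.0.0.9 c17be93a045d2f6e8b1c7d9a3f02e45b6c8d91f0.exfil-placeholder.test TXT
10.0.0.9 ack01.exfil-placeholder.test TXT
10.0.0.5 www.example.com A
""".strip().splitlines()

def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payloads score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (subdomain, registered_domain). Assumes a two-label suffix;
    production code should consult the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_dns_log(lines, max_label_len=30, min_entropy=3.5, min_hits=3):
    """Per registered domain, count queries whose subdomain looks like carried
    data (an over-long label or high-entropy text) and the distinct subdomains
    seen. Domains with >= min_hits such queries are returned for review."""
    hits, subs = defaultdict(int), defaultdict(set)
    for line in lines:
        _client, qname, _qtype = line.split()
        sub, domain = split_qname(qname)
        subs[domain].add(sub)
        longest = max((len(lab) for lab in sub.split(".")), default=0)
        if longest > max_label_len or shannon_entropy(sub) >= min_entropy:
            hits[domain] += 1
    return {d: {"suspicious": hits[d], "unique_subdomains": len(subs[d])}
            for d in hits if hits[d] >= min_hits}

if __name__ == "__main__":
    for domain, stats in score_dns_log(SAMPLE_LOG).items():
        print(f"{domain}: {stats}")
```

Thresholds need tuning per environment: CDNs and some security products legitimately use long, high-entropy labels, so the output is a review queue, not a verdict.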