Friday, December 6, 2024
HomeCyber AttackMicrosoft Warns Of Vanilla Tempest Hackers Attacking Healthcare Sector

Microsoft Warns Of Vanilla Tempest Hackers Attacking Healthcare Sector

Published on

SIEM as a Service

Microsoft has identified a new attack vector employed by the financially motivated threat actor Vanilla Tempest.

This actor has been observed leveraging the INC ransomware to target healthcare organizations within the United States. 

Specifically, Vanilla Tempest is exploiting vulnerabilities in healthcare systems to deploy INC ransomware.

- Advertisement - SIEM as a Service

This malware encrypts sensitive data and demands a ransom payment for decryption, which poses a significant threat to the continuity of healthcare services and patient privacy.

The ransomware group Vanilla Tempest, formerly known as DEV-0832 and Vice Society, has been active since at least early 2021 and has targeted various sectors, including education, healthcare, IT, and manufacturing, using multiple ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. 

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

As Vice Society, they were known for using Hello Kitty/Five Hands and Zeppelin ransomware.

In August 2023, CheckPoint linked Vice Society to the Rhysida ransomware gang, also known for targeting healthcare, to sell patient data stolen from Lurie Children’s Hospital in Chicago.

They had identified Vanilla Tempest, a ransomware affiliate, as targeting U.S. healthcare organizations with INC Ransomware attacks.

These attacks have been active since July 2023 and have compromised various organizations, including Yamaha Motor Philippines, Xerox Business Solutions, and the NHS. 

In May 2024, a threat actor attempted to sell the source code of INC Ransom’s Windows and Linux/ESXi encryption versions on a hacking forum, indicating a potential for further proliferation and customization of the ransomware.

Microsoft reported that Vanilla Tempest, a financially motivated threat actor, has used INC ransomware to attack the U.S. healthcare sector.

The attackers gained access through Storm-0494, which infected the victim’s systems with Gootloader. 

Once inside, they backdoored the systems with Supper malware and deployed legitimate tools, AnyDesk and MEGA.

This highlights the increasing sophistication of cyber threats and the need for robust security measures in the healthcare industry.

The attackers used RDP and WMI tools to spread the INC ransomware throughout the victim’s network. 

The ransomware disrupted IT and phone systems, compromised patient information databases, and forced the healthcare system to reschedule appointments and procedures, similar to the recent cyberattack against Michigan’s McLaren Health Care hospitals, which also used the INC ransomware strain.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...