Full Report
There's a disturbing upward trend of cybercriminals targeting the Australian health sector.
Analysis Summary
# Incident Report: Increased Cyber Threats Targeting Australian Health Sector (SDBBot & Cl0p Ransomware)
## Executive Summary
The Australian Cyber Security Centre (ACSC) observed a disturbing increase in cyberattacks targeting the Australian health sector, specifically flagging the SDBBot Remote Access Tool (RAT) and Cl0p (Clop) ransomware. The attack chain uses SDBBot for initial compromise and persistence, followed by data exfiltration and then deployment of Cl0p ransomware to encrypt systems and demand a ransom, with a high risk of the stolen data being published if payment is not made. The alert emphasises the critical danger this poses to patient care that relies on networked systems.
## Incident Details
- **Discovery Date:** Not precisely dated; the ACSC alert was issued on or around 27 November 2020 on the basis of ACSC monitoring.
- **Incident Date:** Ongoing threat trend observed throughout 2019-2020 financial year for the health sector.
- **Affected Organization:** Australian Health Sector (multiple potential victims implied).
- **Sector:** Healthcare.
- **Geography:** Australia.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified.
- **Vector:** Not stated in the alert. Initial infection is via SDBBot RAT delivery, potentially through spear-phishing or exploitation of software vulnerabilities, consistent with the activity of TA505/Hive0065, the group associated with SDBBot.
- **Details:** Attackers use SDBBot to gain "unmitigated remote control" of an infected system.
### Lateral Movement
- **Date/Time:** Post-SDBBot installation.
- **Vector:** SDBBot downloads additional components and is used to move through the compromised network, establishing persistent access and staging the environment for mass encryption.
### Data Exfiltration/Impact
- **Date/Time:** Prior to ransomware deployment.
- **Vector:** Data exfiltration occurs after SDBBot establishes control.
- **Details:** Sensitive data is stolen first, then systems are encrypted by Cl0p ransomware and held to ransom. If the ransom is not paid, the stolen data is published on the dark web.
### Detection & Response
- **Date/Time:** Ongoing monitoring by ACSC.
- **Vector:** ACSC monitoring and alerts.
- **Details:** ACSC flagged SDBBot and Cl0p as high-priority alerts. The implied response is a sector-wide improvement in the security posture of the Australian health sector.
## Attack Methodology
- **Initial Access:** SDBBot RAT infection.
- **Persistence:** SDBBot establishes persistent remote access.
- **Privilege Escalation:** Implied, but no specific techniques are given beyond SDBBot granting "unmitigated remote control."
- **Defense Evasion:** Cl0p attempts to disable Windows Defender and remove Microsoft Security Essentials.
- **Credential Access:** Not explicitly described; SDBBot's remote-control capability would allow it.
- **Discovery:** Implied as part of SDBBot's network traversal.
- **Lateral Movement:** SDBBot moves throughout the network of the compromised system.
- **Collection:** Sensitive data is gathered prior to encryption.
- **Exfiltration:** Data is exfiltrated before the ransomware stage.
- **Impact:** Encrypting systems with Cl0p ransomware, locking victims out of internal systems, and publishing stolen data on non-payment.
## Impact Assessment
- **Financial:** High potential costs via ransom demands (the Software AG incident is cited as involving a $20 million demand), recovery costs, and regulatory fines.
- **Data Breach:** Sensitive data is stolen, potentially leading to PII and sensitive health information exposure.
- **Operational:** Operational failure is a critical risk, especially in healthcare where networked systems are vital, potentially resulting in patient death.
- **Reputational:** Significant damage to the public trust in affected healthcare organizations.
## Indicators of Compromise
**(Note: The ACSC alert is generic and the article lists no atomic IOCs such as hashes, domains or IP addresses, so the indicators below are descriptive only. Any atomic IOCs taken from public threat intelligence feeds should be defanged in a formal IR report.)**
- **Network indicators:** SDBBot RAT command-and-control traffic and Cl0p ransomware activity (no specific addresses given).
- **File indicators:** SDBBot executable and dropped components; files encrypted by Cl0p ransomware (no hashes or extensions given).
- **Behavioral indicators:** Attempts to disable Windows Defender and to remove Microsoft Security Essentials.
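The behavioural indicator above (and the Defense Evasion entry in the attack methodology) is the one observable the alert gives defenders to hunt for. The following is an added example, not part of the ACSC alert or the article, of how a SOC might turn it into detection logic over endpoint logs. The log format, the host names and the log lines themselves are constructed; the specific mechanisms it looks for (Windows Defender operational-log event IDs 5001/5010/5012, the `DisableAntiSpyware` / `DisableRealtimeMonitoring` policy values, and an `/x` uninstall of the Microsoft Security Client) are assumed as common ways of achieving what the alert describes, not details taken from the page.

```python
"""Detect attempts to disable Windows Defender or remove Microsoft
Security Essentials from simplified endpoint logs.

Added example for this incident report; not ACSC or article code.
Log format and sample lines are constructed. The event IDs, registry
values and uninstall command matched below are assumptions about how
the behaviour described in the alert typically shows up in telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    host: str
    rule: str
    evidence: str


# "key=value" and 'key="quoted value"' pairs after the timestamp.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed Windows Defender operational-log events meaning protection was turned off.
DEFENDER_OFF_EVENTS = {
    "5001": "Real-time protection disabled",
    "5010": "Antispyware scanning disabled",
    "5012": "Antivirus scanning disabled",
}

# Assumed policy values that switch Defender off when set to 1 (Sysmon event 13 = registry value set).
REG_DEFENDER_OFF = re.compile(
    r"\\Windows Defender\\(DisableAntiSpyware|DisableRealtimeMonitoring)$", re.IGNORECASE
)
DWORD_ONE = re.compile(r"0x0*1\b")

# Assumed command lines that remove MSE or stop the Defender/MSE service (Sysmon event 1 = process create).
AV_REMOVAL = re.compile(
    r"(Microsoft Security Client\\Setup\.exe\b.*\s/x\b"
    r"|Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true"
    r"|sc(\.exe)?\s+(stop|delete)\s+(WinDefend|MsMpSvc)\b)",
    re.IGNORECASE,
)


def parse_line(line: str) -> dict:
    """Parse 'ts key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for m in KV.finditer(rest):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return event


def evaluate(event: dict) -> list:
    """Apply the three defence-evasion rules to one parsed event."""
    alerts = []
    host = event.get("host", "?")
    src, eid = event.get("source"), event.get("event_id")
    if src == "Defender" and eid in DEFENDER_OFF_EVENTS:
        alerts.append(Alert(host, "defender_event", f"{eid}: {DEFENDER_OFF_EVENTS[eid]}"))
    elif src == "Sysmon" and eid == "13":
        target, details = event.get("target", ""), event.get("details", "")
        if REG_DEFENDER_OFF.search(target) and DWORD_ONE.search(details):
            alerts.append(Alert(host, "registry_policy", f"{target} = {details}"))
    elif src == "Sysmon" and eid == "1":
        cmd = event.get("cmd", "")
        if AV_REMOVAL.search(cmd):
            alerts.append(Alert(host, "av_removal", cmd))
    return alerts


def scan(lines) -> list:
    """Run the rules over an iterable of raw log lines."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(evaluate(parse_line(line)))
    return alerts


def summarize(alerts) -> dict:
    """Map each alerting host to the sorted set of rules it tripped; hosts listed here are containment candidates."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a.host].add(a.rule)
    return {h: sorted(r) for h, r in rules.items()}


# Constructed sample telemetry: WS01 shows Defender being switched off twice, WS02 an MSE uninstall.
LOG_SAMPLE = r'''
2020-11-20T10:00:00Z host=WS01 source=Sysmon event_id=1 cmd="notepad.exe C:\Users\a\notes.txt"
2020-11-20T10:01:02Z host=WS01 source=Defender event_id=5001 msg="Real-time protection is disabled"
2020-11-20T10:01:05Z host=WS01 source=Sysmon event_id=13 target="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware" details="DWORD (0x00000001)"
2020-11-20T10:02:10Z host=WS02 source=Sysmon event_id=1 cmd="sc.exe query WinDefend"
2020-11-20T10:02:15Z host=WS02 source=Sysmon event_id=1 cmd="C:\Program Files\Microsoft Security Client\Setup.exe /x /s"
2020-11-20T10:03:00Z host=WS03 source=Defender event_id=1116 msg="Malware detected"
'''

if __name__ == "__main__":
    for host, rules in summarize(scan(LOG_SAMPLE.splitlines())).items():
        print(f"{host}: {', '.join(rules)}")
```

Hosts returned by `summarize` are the ones the containment step below would isolate first; a host that trips more than one rule in a short window (WS01 here) should be treated as confirmed rather than suspected.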
## Response Actions
- **Containment:** Not explicitly detailed for the health sector attacks, but general containment of RAT communication and isolating infected segments would be primary.
- **Eradication:** Removing SDBBot components and ensuring the CI0p encryption mechanism is fully neutralized/systems restored from clean backups.
- **Recovery:** Restoring systems from backups and implementing measures to prevent re-infection pathways. (The article focuses more on prevention than specific IR actions taken by victims).
## Lessons Learned
- The Australian health sector was the most targeted sector in the 2019-2020 financial year, marking it as a primary target rather than an incidental victim.
- Ransomware attacks in healthcare carry an extreme risk to human safety, not just data loss.
- The attack chain (SDBBot -> Cl0p) is insidious: remote control, then data theft, then encryption, following the pattern associated with TA505/Clop operations.
- Organizations must assume published data threats are real, as demonstrated by the Software AG example.
## Recommendations
- Immediately improve security posture across the Australian health sector, including segmentation and rigorous endpoint detection and response.
- Prioritize rigorous patching and vulnerability management, as SDBBot use mirrors activity by established cybercrime groups.
- Develop and test robust incident response plans that specifically account for the operational impact of ransomware locking critical patient care systems.
- Implement comprehensive backup and recovery strategies that are isolated from the network to ensure business continuity during a successful ransomware attack.