The already known flaws used by the Brest University Hospital hackers


Anssi had already lamented it: the best attacks are made with old flaws. The State's cyber fire brigade has just indirectly added to that theme by publishing, through its monitoring, alert and response center for computer attacks (CERT-FR), an informative report on the computer attack that targeted the Brest university hospital center (CHU) in March 2023.

Because in this fifteen-page document, Anssi's experts recall that the attackers relied in particular on a series of known vulnerabilities in an attempt to maximize the damage. This “demonstrates the importance of having two-factor authentication and a vulnerability patching policy, especially for the most classic ones, to avoid privilege escalations,” summarizes Jean-Sylvain Chavanne, head of information systems security at Brest University Hospital, on LinkedIn.

Five known vulnerabilities targeted

The hackers first managed to get into the computer network using the credentials of a healthcare professional. This access had probably been obtained opportunistically through a stealer, malware that steals information. Once inside, the hackers tried to elevate their privileges by exploiting two known Windows vulnerabilities, reported in 2022 and 2023, without success.

Then, after targeting the Active Directory forest (a grouping of several domains), the hackers used the Mimikatz tool to try, again in vain, to exploit three old flaws: PrintNightmare, BlueKeep and ZeroLogon. The first, discovered in 2021, allows arbitrary code execution via the print spooler, the service that queues documents to be printed. The second, dating from 2019, targets the Remote Desktop Protocol, while the third, discovered in August 2020, attacks the Netlogon Remote Protocol.
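The three flaws named above each have a well-known Microsoft mitigation besides the patch itself: a stopped Print Spooler (and driver installation restricted to administrators) for PrintNightmare, Network Level Authentication on RDP for BlueKeep, and Netlogon secure-channel enforcement for ZeroLogon. The PowerShell script below is an added example, not code from the article or from the CERT-FR report, that audits those settings read-only on a Windows host. The registry paths, value names and the function names are assumptions quoted from memory of Microsoft's guidance, so check them against the vendor documentation before relying on the result; the Netlogon check is only meaningful on a domain controller, and none of this replaces verifying the actual patch level.

```powershell
# Added example (not the article's or CERT-FR's code): read-only audit of the usual
# Microsoft mitigations for PrintNightmare, BlueKeep and ZeroLogon. Run elevated.
# Registry paths/value names are assumptions from memory of vendor guidance.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LegacyFlawMitigations {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # PrintNightmare: a spooler that is not running cannot be abused; domain controllers
    # and servers that never print should have the service disabled outright.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler -or $spooler.Status -ne 'Running') {
        Add-Finding 'PrintNightmare' 'OK' 'Print Spooler service is not running'
    } else {
        Add-Finding 'PrintNightmare' 'Review' "Print Spooler is running (StartType $($spooler.StartType)); disable it where printing is not needed"
    }

    # PrintNightmare follow-up: Point and Print driver installation limited to administrators.
    # On patched systems the restrictive behaviour is the default when the value is absent;
    # an explicit 0 means someone deliberately relaxed it.
    $restrict = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        Add-Finding 'PrintNightmare' 'Review' 'RestrictDriverInstallationToAdministrators is explicitly 0'
    } else {
        Add-Finding 'PrintNightmare' 'OK' "RestrictDriverInstallationToAdministrators is '$restrict' (absent = patched default)"
    }

    # BlueKeep: Network Level Authentication requires authentication before a session exists,
    # which blocks the pre-authentication path; RDP being disabled entirely is better still.
    $rdpDenied = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $nla = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    if ($rdpDenied -eq 1) {
        Add-Finding 'BlueKeep' 'OK' 'Remote Desktop connections are disabled'
    } elseif ($nla -eq 1) {
        Add-Finding 'BlueKeep' 'OK' 'RDP enabled with Network Level Authentication'
    } else {
        Add-Finding 'BlueKeep' 'Review' "RDP enabled and UserAuthentication is '$nla' (expected 1)"
    }

    # ZeroLogon: enforcement mode rejects insecure Netlogon secure-channel connections.
    # Fully patched domain controllers enforce by default; only an explicit 0 is a weakening.
    $fscp = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'FullSecureChannelProtection'
    if ($fscp -eq 0) {
        Add-Finding 'ZeroLogon' 'Review' 'FullSecureChannelProtection explicitly set to 0'
    } else {
        Add-Finding 'ZeroLogon' 'OK' "FullSecureChannelProtection is '$fscp' (absent = patched default, relevant on DCs only)"
    }

    # Patch currency: the real fix for all three is the update; report the newest install date.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $latest) {
        Add-Finding 'Patching' 'Review' 'No hotfix install dates found'
    } elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-60)) {
        Add-Finding 'Patching' 'Review' "Newest hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()), over 60 days ago"
    } else {
        Add-Finding 'Patching' 'OK' "Newest hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
    }

    return $findings
}

Test-LegacyFlawMitigations | Format-Table -AutoSize
```

Every 'Review' line is a configuration that leaves one of the three old paths open or relaxed; treating the registry checks as posture indicators rather than proof of vulnerability keeps the script honest, since only the installed updates settle whether a given flaw is actually closed.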

Thirty ransomware attacks

Too bad for the hackers, who could not, this time at least, get through these gaps. But these hackers are far from rookies. Anssi's experts attributed the attack on Brest University Hospital, which ended well, with neither encryption nor data theft, to the FIN12 group, cybercriminals known for targeting businesses likely to pay high ransoms, and the healthcare sector.

Already spotted by the cybersecurity company Mandiant and by Microsoft, these hackers are reportedly involved in ransomware attacks against around thirty organizations between 2020 and 2023, according to Anssi. Active since at least 2019, they are suspected of having used a succession of ransomware families, including Ryuk, Conti, Hive, Nokoyawa, Play and Royal, all signs of deep integration into the cybercriminal ecosystem.
