Advisory Type: IT Security
Summary: PDS is providing the following communication to build awareness of a credible threat to healthcare organizations nationwide.
March 21, 2020 – PDS was advised by Sikich LLP and the Wisconsin Cyber Threat Response Alliance (WICTRA) of an active threat against healthcare organizations nationwide from the below list of IP addresses.
To receive the list of identified IP addresses please contact PDS at – firstname.lastname@example.org
We strongly advise healthcare organizations to consider blacklisting the listed IP addresses and, if possible, to search network activity logs (such as firewall, proxy and mail gateway logs) for the past 72-96 hours for evidence of contact with these IP addresses. If you find evidence of any communications involving these IP addresses, WICTRA would appreciate receiving that information.
More information about WICTRA is available via their web site at https://sites.google.com/wictra.org/wictra/home. Or contact:
GERALD J. EASTMAN
President, CEO & Founder
WI Cyber Threat Response Alliance (501c3)
Who is the primary authority generating this alert, and list of IPs?
PDS was made aware of the list by the Wisconsin Cyber Threat Response Alliance (WICTRA) and by our partner, Sikich. WICTRA and the Milwaukee Office of the FBI are working with the information and investigating.
Is there some sort of detail that I can reference?
We have shared the most current information. The only other detail we have is that all the IP addresses were generated from a Mimecast source. We received the IP addresses and have added the Geo Country information.
There are US IPs here, so how do we know we are not blocking services we may need?
While there are no assurances, some inferences can be made. First, the blacklist is intended as an inbound filter, not necessarily an outbound one. A block applied only to inbound connection attempts does not affect communications the organization initiates outbound; on a stateful firewall the return traffic for those outbound connections is still permitted, so services your staff reach out to will not be cut off by the rule.
Second, because the information came from Mimecast filters, there is a high probability that the alerts resulted from email or possibly web filtering activity. Taking the inference one step further, email malware or phishing activity is unlikely to originate from trusted sources. Similarly, if the alerts resulted from content in URL responses, it most likely came from advertising sources, and it is improbable that it came from B2B style sources.
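The log search recommended above, as an added example that is not part of the PDS advisory and not WICTRA's or Sikich's tooling: it loads an IP list (with optional CIDR entries and the Geo Country column mentioned above), parses firewall log lines, keeps only events inside the 96-hour window, and reports every contact with a listed address. For inbound events the listed address is checked as the source; for outbound events it is checked as the destination, because an inbound block rule says nothing about connections your own hosts initiated. The addresses are constructed from RFC 5737 documentation ranges and the key=value log format is an assumption; adapt the regular expression to your firewall's export format.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed blocklist in "ip_or_cidr,country" form. These are documentation
# addresses (RFC 5737), NOT the list distributed by PDS/WICTRA.
BLOCKLIST_TEXT = """
# ip,country
192.0.2.44,US
198.51.100.0/24,NL
203.0.113.7,RU
"""

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """
2020-03-21T08:15:02Z action=deny dir=in src=203.0.113.7 dst=10.10.5.20 dport=443
2020-03-21T09:02:11Z action=allow dir=in src=192.0.2.44 dst=10.10.5.25 dport=25
2020-03-20T22:40:00Z action=allow dir=out src=10.10.7.3 dst=198.51.100.88 dport=443
2020-03-16T10:00:00Z action=allow dir=in src=192.0.2.44 dst=10.10.5.25 dport=25
2020-03-21T11:30:45Z action=allow dir=in src=8.8.8.8 dst=10.10.5.53 dport=53
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+dir=(?P<dir>in|out)"
    r"\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def load_blocklist(text):
    """Return a list of ip_network objects; single IPs become /32 (or /128) networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr = line.split(",")[0].strip()     # ignore the Geo Country column
        nets.append(ipaddress.ip_network(addr, strict=False))
    return nets


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware UTC timestamp, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def match_ip(ip, nets):
    """Return the first listed network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def find_contacts(log_text, nets, now, window_hours=96):
    """List every event in the last window_hours where the remote peer is on the list."""
    cutoff = now - timedelta(hours=window_hours)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] < cutoff:
            continue
        # Inbound: the listed IP is the source. Outbound: it is the destination.
        peer = rec["src"] if rec["dir"] == "in" else rec["dst"]
        net = match_ip(peer, nets)
        if net is not None:
            hits.append({
                "ts": rec["ts"].isoformat(),
                "dir": rec["dir"],
                "peer": peer,
                "matched": str(net),
                "action": rec["action"],
                "dport": int(rec["dport"]),
            })
    return hits


if __name__ == "__main__":
    now = datetime(2020, 3, 21, 12, 0, 0, tzinfo=timezone.utc)
    for hit in find_contacts(SAMPLE_LOGS, load_blocklist(BLOCKLIST_TEXT), now):
        print(hit)
```

Denied events still matter: they show the listed address probed you even though the firewall held. The allowed events (here an SMTP delivery from 192.0.2.44 and an outbound HTTPS session to 198.51.100.88) are the ones to hand to WICTRA and to investigate on the internal host.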
What are the criteria for assigning the criticality that WICTRA assigned? What is the attack vector?
We do not currently have that information but will add all up-to-date information here as we get it.
How can I help determine whether we are vulnerable to whatever this is?
We know this is limited information, and acting on it carries a certain amount of risk. Without more detail it is difficult to gauge your relative vulnerability. There are some known factors that can be added to the equation:
- We know that this activity involved a healthcare organization
- We know that healthcare nationwide is currently being targeted with ransomware
Our goal is to help our community stay safe during these challenging times. PDS will keep you informed as we learn more specifics regarding this threat. Please check back for updates, we will update this page with the latest information as we receive it.
Tamara Korbel MBA CHCIO
Executive Director, Enterprise Solutions and Chief Information Security Officer