
Beyond Healthcare IoCs: Threat Expansion and EHR Impersonation Detection

The healthcare industry has had a rough couple of years since the COVID-19 pandemic started, and the strain did not deter threat actors: several healthcare organizations were hit by ransomware, data breaches, and other cyber attacks.

Early detection and response can help protect medical facilities and systems, starting with identifying indicators of compromise (IoCs)—a critical process detailed by Armis in their Internet of Medical Things (IoMT) Playbook.

Inspired by this, WhoisXML API researchers decided to investigate the IoCs by gleaning data from one of the Federal Bureau of Investigation (FBI) flash reports identified in the playbook. In particular, we analyzed and expanded the list of IoCs related to Cuba ransomware, which targeted private and public healthcare organizations, among many others.

We also investigated how the top electronic health record (EHR) software companies listed by Forbes were represented in the DNS to detect cybersquatting domains that could serve as vehicles for phishing attacks. Among our key findings are:

  • 90+ Cuba ransomware IoCs comprising IP addresses and domain names published by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in their joint Cybersecurity Advisory (CSA) and on AlienVault OTX
  • 1,700+ artifacts, that is, connected domains that shared the IoCs’ IP hosts or their historical name server and registrant details
  • 9% of these artifacts were already flagged as malicious
  • 1,700+ cybersquatting domains containing the names of the top EHR software providers, only 10 of which could be publicly attributed to legitimate companies

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Cuba Ransomware IoCs: Collection, Contextualization, and Expansion

Cuba ransomware actors have attacked more than a hundred entities in critical sectors, including healthcare. CISA reported that the cybercriminals demanded US$145 million and received US$60 million in ransom payments.

To gather targeted DNS threat intelligence relevant to Cuba ransomware, we collected 76 IP addresses and 20 domains tagged as threat IoCs by CISA and AlienVault. We then subjected the IP addresses to reverse IP lookups and found 26 related properties.

Next, we sought to obtain the WHOIS associations of the domains identified as IoCs. Since most of their current WHOIS records were redacted, we turned to WHOIS History Lookup and found that almost all had public WHOIS records until late 2017. Before that, many of them shared the exact same registrant details, and most also used the same name servers.

The table below shows some of the recurring WHOIS record details among the IoCs and the number of domains sharing them.

Historical WHOIS details                                                  Number of IoCs sharing them
Name servers: ***.cnmsn.com | ***.msn.com                                 7
Name servers: ***.xtremeweb.de | ***.xtremeweb.de                         7
Registrant name: ***** Ziedonis; registrant email: *****[email protected]       3
Registrant name: ***** Kazuewsky; registrant email: *****[email protected]      4

Armed with this contextual information, we performed reverse WHOIS searches that yielded 1,731 connected domains. These properties shared the IoCs’ name server, registrant name, and email address at one point in their registration.
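The pivot described above, in working form: collect the registration details that recur across the IoC domains (the table), then pull in every other domain that ever carried one of them (the reverse WHOIS step). This is an added example, not WhoisXML API's code or tooling. Every domain, e-mail address and name server in it is a constructed placeholder under the .example TLD, and the two pivot fields are the ones the article used; the redaction filter and the minimum-sharing threshold are the checks a practitioner adds so that privacy placeholders and one-off values never become pivot keys.

```python
"""WHOIS-history pivoting: find the registration details that recur across the
IoC domains, then pull in every other domain that ever carried one of them.

Added example, not WhoisXML API's code. All domains, e-mail addresses and name
servers below are constructed placeholders (.example TLD); a real run would
load WHOIS History / Reverse WHOIS API output into RECORDS instead.
"""
from collections import defaultdict

# Strings that privacy services and post-2018 redaction put in registrant
# fields. Pivoting on one of these would link unrelated domains.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "not disclosed", "withheld")

# Constructed historical snapshots: (domain, year, registrant_email, name_servers)
RECORDS = [
    ("ioc-one.example",     2016, "ziedonis@mail.example",  ("ns1.cnmsn.example", "ns2.msn.example")),
    ("ioc-two.example",     2016, "ziedonis@mail.example",  ("ns2.msn.example", "ns1.cnmsn.example")),
    ("ioc-three.example",   2017, "kazuewsky@mail.example", ("ns1.xtremeweb.example", "ns2.xtremeweb.example")),
    ("ioc-four.example",    2017, "REDACTED FOR PRIVACY",   ("ns1.xtremeweb.example", "ns2.xtremeweb.example")),
    ("ioc-five.example",    2019, "REDACTED FOR PRIVACY",   ("ns1.lonely.example", "ns2.lonely.example")),
    ("connected-a.example", 2016, "ziedonis@mail.example",  ("ns1.other.example", "ns2.other.example")),
    ("connected-b.example", 2018, "someone@mail.example",   ("ns1.cnmsn.example", "ns2.msn.example")),
    ("connected-c.example", 2017, "REDACTED FOR PRIVACY",   ("ns1.xtremeweb.example", "ns2.xtremeweb.example")),
    ("unrelated.example",   2016, "REDACTED FOR PRIVACY",   ("ns1.unrelated.example", "ns2.unrelated.example")),
    ("noise.example",       2020, "REDACTED FOR PRIVACY",   ("ns1.lonely.example", "ns2.lonely.example")),
]
IOC_DOMAINS = {"ioc-one.example", "ioc-two.example", "ioc-three.example",
               "ioc-four.example", "ioc-five.example"}


def is_redacted(value):
    """True for privacy/redaction placeholders, which must never be pivot keys."""
    v = (value or "").lower()
    return not v or any(marker in v for marker in REDACTION_MARKERS)


def pivot_keys(email, name_servers):
    """Yield the (field, value) pairs of one snapshot that are safe to pivot on."""
    if not is_redacted(email):
        yield ("registrant_email", email.lower())
    # Order-independent so ns1/ns2 swaps between snapshots still match.
    ns = tuple(sorted(n.lower().rstrip(".") for n in name_servers))
    if ns:
        yield ("name_servers", ns)


def recurring_details(records, ioc_domains, min_shared=2):
    """Each pivot key -> IoC domains that shared it, keeping only keys shared by
    at least min_shared IoCs (the table above lists exactly these)."""
    shared = defaultdict(set)
    for domain, _year, email, ns in records:
        if domain in ioc_domains:
            for key in pivot_keys(email, ns):
                shared[key].add(domain)
    return {k: v for k, v in shared.items() if len(v) >= min_shared}


def expand(records, ioc_domains, min_shared=2):
    """Reverse-WHOIS step: non-IoC domains that carried a recurring detail in
    any snapshot, mapped to the keys that linked them (for triage, not blocking)."""
    keys = recurring_details(records, ioc_domains, min_shared)
    connected = defaultdict(set)
    for domain, _year, email, ns in records:
        if domain in ioc_domains:
            continue
        for key in pivot_keys(email, ns):
            if key in keys:
                connected[domain].add(key)
    return dict(connected)


if __name__ == "__main__":
    for key, iocs in recurring_details(RECORDS, IOC_DOMAINS).items():
        print(f"{key[0]:16} {key[1]!s:58} shared by {len(iocs)} IoCs")
    for domain, keys in sorted(expand(RECORDS, IOC_DOMAINS).items()):
        print(f"artifact {domain:22} via {', '.join(k[0] for k in sorted(keys))}")
```

Run it directly to print the recurring details and the connected domains. Two caveats the threshold does not cover: the name servers of large hosting providers link millions of unrelated domains, so in practice they go on an allowlist or are only used together with a second attribute; and expand() links on any historical snapshot, so a connected domain may have changed hands since, which is why such results are artifacts to triage rather than IoCs to block.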

We found 1,757 artifacts connected to the Cuba ransomware IoCs via IP resolution and WHOIS record details. About 9.4% of these artifacts were flagged as malicious. A couple of these malicious domains actively hosted live websites as shown below.

We also detected suspicious content hosted on some of the artifacts that had not been reported as malicious. For instance, anigota[.]com hosted a Windows look-alike website, while jussionsharepoint[.]com appeared to offer several applications possibly imitating official Microsoft apps. The website screenshots are shown below.

Content of this kind is worth tracking because CISA warned that the Cuba ransomware actors may have ties to the RomCom threat actors, who are known to host Trojanized versions of legitimate applications.

EHR Software Vendor Impersonation: Possible Phishing Attack Vehicles

Phishing is one of the ways the Cuba ransomware actors, and threat actors in general, gain initial access to target systems, and cybersquatting domains are common phishing vehicles.

For the healthcare industry, the possible attacks include EHR software provider impersonation, where threat actors register domains that imitate the EHR software vendor’s domain. We found 1,743 such domains using Domains & Subdomains Discovery.

These domains spoofed the top EHR software providers named by Forbes, including AdvancedMD EHR, AthenaHealth, DrChrono, eClinicalWorks, Kareo Clinical, Netsmart myUnity, NextGen, and Practice Fusion. The table below shows the number of cybersquatting domains found under each company and the search string used.

EHR software provider   Official domain         Search string used           Cybersquatting domains found
AdvancedMD EHR          advancedmd[.]com        advancedmd                   119
AthenaHealth            athenahealth[.]com      athenahealth                 313
DrChrono                drchrono[.]com          drchrono                     73
eClinicalWorks          eclinicalworks[.]com    eclinicalworks               138
Kareo Clinical          kareo[.]com             kareo (excluding kareoke)    713
Netsmart myUnity        ntst[.]com              ntst + unity                 61
NextGen                 nextgen[.]com           nextgen + health             204
Practice Fusion         practicefusion[.]com    practicefusion               122
Total                                                                        1,743

Only 10 of these cybersquatting domains could be publicly attributed to the imitated EHR software vendor based on their WHOIS registrant details. Furthermore, two cybersquatting domains were already reported as malicious.

Several cybersquatting domains actively hosted questionable content. For example, athenahealthlogin[.]info featured AthenaHealth’s brand colors and login elements. However, the legitimate AthenaHealth login page was hosted on a subdomain and had a different design. Below is a side-by-side comparison of the two sites.
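The search and attribution steps above in working form: each vendor's search string is applied to the registrable label of a candidate domain (every term must appear, the Kareo exclusion vetoes a match), the vendor's own domain and all of its subdomains are excluded, and matches are then split into attributable and unattributed by WHOIS registrant organisation. This is an added example, not WhoisXML API's code or its Domains & Subdomains Discovery tool. The vendor names, official domains and search strings are the table's; the candidate hostnames, registrant organisations, the VENDOR_ORGS strings and the short public-suffix list are constructed assumptions.

```python
"""Cybersquatting search with the vendor search strings from the table above
(every term must appear in the registrable label; excluded terms veto a match),
followed by the attribution check on WHOIS registrant organisation.

Added example, not WhoisXML API's code or its Domains & Subdomains Discovery
tool. Vendor names, official domains and search strings are the table's; the
candidate hostnames, registrant organisations and VENDOR_ORGS are constructed.
"""

# (vendor, official registrable domain, required terms, excluded terms)
VENDOR_RULES = [
    ("AdvancedMD EHR",   "advancedmd.com",     ("advancedmd",),       ()),
    ("AthenaHealth",     "athenahealth.com",   ("athenahealth",),     ()),
    ("DrChrono",         "drchrono.com",       ("drchrono",),         ()),
    ("eClinicalWorks",   "eclinicalworks.com", ("eclinicalworks",),   ()),
    ("Kareo Clinical",   "kareo.com",          ("kareo",),            ("kareoke",)),
    ("Netsmart myUnity", "ntst.com",           ("ntst", "unity"),     ()),
    ("NextGen",          "nextgen.com",        ("nextgen", "health"), ()),
    ("Practice Fusion",  "practicefusion.com", ("practicefusion",),   ()),
]
OFFICIAL_DOMAINS = {official for _, official, _, _ in VENDOR_RULES}

# Assumption: a short list of two-label public suffixes stands in for the
# Public Suffix List, which a real pipeline should use instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.in", "co.za"}

# Constructed: registrant organisations accepted as the vendor itself. Real
# values come from the WHOIS record of each vendor's official domain.
VENDOR_ORGS = {
    "AthenaHealth":   {"athenahealth, inc."},
    "Kareo Clinical": {"kareo, inc."},
}


def registrable_domain(host):
    """eTLD+1 of a hostname: login.athenahealth.com -> athenahealth.com,
    drchrono.com.br -> drchrono.com.br."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def match_vendor(host):
    """Vendor whose search string the host's registrable label matches, or None.
    The vendor's own domain and all of its subdomains never count as squats."""
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return None
    label = reg.split(".")[0]
    for vendor, _official, required, excluded in VENDOR_RULES:
        if all(t in label for t in required) and not any(x in label for x in excluded):
            return vendor
    return None


def triage(whois_records):
    """whois_records: (host, registrant_org) pairs. Returns (host, vendor, status)
    for every cybersquatting match; status is 'attributable' only when the
    registrant organisation is the vendor's own, otherwise 'unattributed'."""
    results = []
    for host, org in whois_records:
        vendor = match_vendor(host)
        if vendor is None:
            continue
        org_norm = (org or "").strip().lower()
        status = "attributable" if org_norm in VENDOR_ORGS.get(vendor, set()) else "unattributed"
        results.append((host, vendor, status))
    return results


# Constructed WHOIS records: (hostname, registrant organisation)
CONSTRUCTED_RECORDS = [
    ("athenahealthlogin.info",          "REDACTED FOR PRIVACY"),  # look-alike login domain
    ("login.athenahealth.com",          "athenahealth, Inc."),    # real login host: subdomain of the official domain
    ("kareoke-night.com",               "Sample Bar LLC"),        # hits the 'kareoke' exclusion
    ("kareo-ehr.net",                   "Kareo, Inc."),           # vendor-owned defensive registration
    ("myunity-ntst-portal.com",         "REDACTED FOR PRIVACY"),  # both terms of 'ntst + unity'
    ("nextgen-gaming.com",              "Sample Games Ltd"),      # 'nextgen' without 'health'
    ("nextgenhealthcare-support.co.uk", "REDACTED FOR PRIVACY"),  # ccTLD with two-label suffix
    ("drchrono.com.br",                 "REDACTED FOR PRIVACY"),  # same label, different suffix
]

if __name__ == "__main__":
    for host, vendor, status in triage(CONSTRUCTED_RECORDS):
        print(f"{host:34} {vendor:17} {status}")
```

The literal search strings are the ones the article used, so this finds what they find and misses what they miss: hyphenated or misspelled variants (athena-health, athenaheath) need extra terms or a string-similarity metric. The registrable-domain check is the point of the athenahealthlogin[.]info comparison: a vendor's real login page can live on any subdomain of its own domain, while a look-alike is a different registrable domain however closely its label resembles the brand.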


Identifying IoCs can help security teams and solutions detect and prevent cyber attacks. However, most IP addresses and domains tagged as IoCs are part of a larger infrastructure that threat actors may use sporadically. Providing IP resolution and ownership context to these properties can help map out malicious infrastructures, enabling security teams and solutions to have a broader view of the threat.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
