HC3 warns HCOs to fortify against cybercriminals FIN11 now

Given FIN11’s history of conducting widespread campaigns exploiting zero-day vulnerabilities to steal data and deploy ransomware in commonly used software in the healthcare sector, HCOs should “consider FIN11 a top priority for their security teams.”


HC3 released a new threat actor profile last week about FIN11, a cybercriminal collective originating from the Commonwealth of Independent States.

“FIN11 often runs high-volume operations mainly targeting companies in various industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP),” the agency said in the profile.

FIN11 overlaps with Odinaff, Sectoj04, TA505, TEMP.Warlock, Lace Tempest, DEV-0950 Hive0065 and Group G0092; HC3 analysts list a number of malware associations and all known tactics, techniques and procedures. 

FIN11 may have been involved in recent mass exploitation of vulnerabilities in the MOVEit and other file transfer software tools and several other vulnerabilities since the onset of the COVID-19 pandemic, according to a report in the HIPAA Journal.


HC3 said the recent exploitation of a zero-day vulnerability in the MOVEit Transfer secure managed file transfer software is attributed to FIN11. 

“The list of organizations that have disclosed data breaches following these attacks include a national public healthcare system,” the analysts said.

Last week a joint advisory from Cybersecurity and Infrastructure Security Agency and FBI warned health systems and others of Clop MFT ransomware TTPs.

CISA’s summary said CL0P is using LEMURLOOT, a web shell written in C# that is designed to target the MOVEit Transfer platform, and added this vulnerability to the Known Exploited Vulnerabilities Catalog.


While HC3 cannot confirm exactly how many and which CL0P ransomware attacks may be attributed to FIN11, HC3 has observed around 30 incidents involving CL0P ransomware in the U.S. [healthcare and public health sector] since 2021,” the agency said in the report. 

“These affected organizations either provided direct patient care or were considered health plans and/or payers.”

Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is a HIMSS Media publication.

Source: Read Full Article