The already known flaws used by the attackers of the Brest University Hospital


ANSSI had already lamented it: the best attacks are still carried out with old flaws. The State's cyber-firefighter has just indirectly reinforced the point by publishing, through its centre for monitoring, alerting and responding to computer attacks (CERT-FR), an informational report on the computer attack that targeted the Brest university hospital centre (CHU) in March 2023.

In this fifteen-page document, ANSSI's experts indeed point out that the attackers relied in particular on a chain of known vulnerabilities in an attempt to maximise the damage. This "demonstrates the importance of having two-factor authentication and a vulnerability patching policy, especially for the most classic ones, to avoid privilege escalation," sums up Jean-Sylvain Chavanne, head of information systems security at the Brest University Hospital, on LinkedIn.

Five known vulnerabilities targeted

The attackers first managed to get onto the hospital's network using the credentials of a healthcare professional. That access had probably been obtained opportunistically through an infostealer, a class of malware that harvests saved credentials from infected machines. Once inside, they tried to elevate their privileges by exploiting two known Windows vulnerabilities, reported in 2022 and 2023 respectively, without success.

Then, after targeting the Active Directory forest (a grouping of several domains), the attackers tried, with the help of the Mimikatz tool, to exploit three old flaws, again in vain: PrintNightmare, BlueKeep and ZeroLogon. The first (CVE-2021-34527), disclosed in 2021, allows arbitrary code execution through the Print Spooler, the Windows service that queues documents to be printed. The second (CVE-2019-0708), from 2019, targets the Remote Desktop Protocol, while the third (CVE-2020-1472), disclosed in August 2020, attacks the Netlogon Remote Protocol and lets an attacker reset a domain controller's machine account password.
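All three flaws have long had patches and documented host-side mitigations, which is the whole point the report makes. As an added example (not code from the article or from the CERT-FR report), the following read-only PowerShell audit reports whether those mitigations are in place on a Windows server. The function names are mine; the registry paths and value names are the ones Microsoft documents for each mitigation.

```powershell
# Added example, not from the article or the CERT-FR report. Read-only audit of
# the host-side mitigations for PrintNightmare, BlueKeep and ZeroLogon. Run in an
# elevated PowerShell 5.1+ session; the Netlogon check only matters on a domain
# controller. Function names are the author's; registry paths and value names
# are the ones Microsoft documents for each mitigation.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, $Value, $Pass)
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

function Get-LegacyVulnMitigationStatus {
    $findings = @()

    # PrintNightmare (CVE-2021-34527): the cleanest mitigation on servers that do
    # not print, domain controllers first, is a stopped and disabled spooler.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerState = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { 'not installed' }
    $spoolerOk = (-not $spooler) -or ($spooler.Status -ne 'Running' -and $spooler.StartType -eq 'Disabled')
    $findings += New-Finding 'PrintNightmare: Print Spooler stopped and disabled' $spoolerState $spoolerOk

    # If the spooler must stay up, driver installation must be limited to admins.
    # A missing value means the patched default (1) applies; 0 re-opens the hole.
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $restrict = Get-RegValueOrNull -Path $ppKey -Name 'RestrictDriverInstallationToAdministrators'
    $restrictShown = if ($null -eq $restrict) { 'not set (patched default = 1)' } else { $restrict }
    $findings += New-Finding 'PrintNightmare: RestrictDriverInstallationToAdministrators' $restrictShown (($null -eq $restrict) -or ($restrict -eq 1))

    # BlueKeep (CVE-2019-0708) is a pre-authentication bug in RDP; requiring
    # Network Level Authentication puts a credential check before the vulnerable code.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = Get-RegValueOrNull -Path $rdpKey -Name 'UserAuthentication'
    $findings += New-Finding 'BlueKeep: RDP Network Level Authentication (UserAuthentication)' $nla ($nla -eq 1)

    # ZeroLogon (CVE-2020-1472): FullSecureChannelProtection = 1 forces Netlogon
    # enforcement mode on a DC that has the August 2020 fix. A DC carrying the
    # February 2021 enforcement-phase update enforces even without the value, so
    # read a False here together with the build number reported below.
    $nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $fscp = Get-RegValueOrNull -Path $nlKey -Name 'FullSecureChannelProtection'
    $fscpShown = if ($null -eq $fscp) { 'not set' } else { $fscp }
    $findings += New-Finding 'ZeroLogon: Netlogon FullSecureChannelProtection' $fscpShown ($fscp -eq 1)

    # Cumulative-update level, for comparison against your own patch baseline.
    $verKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = Get-RegValueOrNull -Path $verKey -Name 'CurrentBuild'
    $ubr = Get-RegValueOrNull -Path $verKey -Name 'UBR'
    $findings += New-Finding 'OS build (CurrentBuild.UBR)' "$build.$ubr" $null

    return $findings
}

Get-LegacyVulnMitigationStatus | Format-Table -AutoSize -Wrap
```

The script only reads state; it changes nothing. A False in the Pass column is a prompt to check the host against your patch baseline, not proof of exposure: a fully updated domain controller enforces Netlogon protection without the registry value, and a running spooler with driver installation restricted to administrators is acceptable where printing is genuinely needed.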

Thirty ransomware attacks

Bad luck for the attackers, then, who could not, this time at least, get through these gaps. But they are far from being rookies. ANSSI's experts attributed the attack on the Brest University Hospital, which ended without encryption or data theft, to the FIN12 group, cybercriminals known for targeting the healthcare sector and organisations likely to pay large ransoms.

Already tracked by the cybersecurity company Mandiant and by Microsoft, these attackers are believed to have been involved in ransomware attacks against around thirty organisations between 2020 and 2023, according to ANSSI. Active since at least 2019, they are suspected of having used a series of ransomware families, including Ryuk, Conti, Hive, Nokoyawa, Play and Royal, all signs of close integration into the cybercriminal ecosystem.
