TLP White: This week, Hacking Healthcare begins by breaking down the possible ramifications of a new report stating ransomware actors are interested in, and capable of, buying into the zero-day market. We then examine a new Europol report on serious and organized crime that has some interesting things to say about the structure and activities of the European Union (EU) cybercrime ecosystem. Finally, we cover Iran’s state-sponsored cyberattacks and detail what might drive even more activity in the near future.
Author’s Note: Yours truly will be at the H-ISAC Summit in San Diego next week. For those of you who will be making the trip, I hope I have the opportunity to meet you.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).


Pdf version: Hacking Healthcare 11.23.2021 TLP Amber



Welcome back to Hacking Healthcare.


1. Ransomware Actors and Zero Days

Ransomware continues to be a lucrative and widespread endeavor, but researchers at Digital Shadows suggest that at least some ransomware actors are not content with tried and tested methods and are looking for new ways to put the fortunes they have amassed to work. In a recently published report, Digital Shadows finds growing interest among cybercriminals in entering the zero-day marketplace, and the ramifications could be significant.
The report suggests that some of the more mature ransomware groups have been so successful that they are now in a financial position to seriously consider purchasing zero-day exploits, and that sellers and developers of such exploits have begun engaging with them on cybercriminal forums. This would be a concerning development, since the purchase of zero-days has historically been associated almost exclusively with resource-rich nation-state actors. That exclusivity has largely been a product of price: a single zero-day can command many millions of dollars depending on its sophistication and the breadth of systems it applies to.
You would be right to ask why cybercriminals would spend millions on a zero-day when their current playbook of exploiting longstanding, well-known vulnerabilities appears to be working just fine. The rationale appears to be an “exploit-as-a-service” model that “would allow capable threat actors to ‘lease’ zero-day exploits to other cybercriminals to conduct their attacks.” The report notes that zero-day sellers and developers could use this approach to rent out and field-test their zero-days, confirming that the product works in practice while earning income until a definitive buyer is found. The practical consequence for defenders is that an exploit previously priced out of reach of most criminal groups could be used by many of them at once, before any patch exists.
Action & Analysis
**Membership required**

2. Europol: EU Serious and Organized Crime Threat Assessment

Europol, the European Union’s (EU) law enforcement agency, recently released its Serious and Organised Crime Threat Assessment report. Designed as “a forward-looking document that assesses shifts in the serious and organised crime landscape,” the report covers a wide range of activities, including a breakdown of Europol’s perspective on the cybercrime environment. Some of the key takeaways from the report are worth exploring in more depth.
The 108-page report “provides an overview of the current state of knowledge on criminal networks and their operations” and is based on “data provided to Europol by Member States and partners.” While much of the report details more traditional criminal enterprises, the sections on cybercrime are fascinating and help to illuminate the structure of EU cybercriminal organizations. Some of the more interesting findings include:
– The number of cybercriminal networks is relatively low, which could be because “cybercrime involves many criminals operating individually and not in the framework of established networks.”
– As a result of increased competition and access to online communication tools, violence as a service appears to be increasing, and Europol has reason to believe that “violence may become more common to traditionally non-violent criminal activities such as excise fraud or cybercrime.”
– “Virtually all criminal activities now feature some online components, such as digital solutions facilitating criminal communications.”
– “Law enforcement successes in taking down popular market places, in combination with cyberattacks on platforms, exit fraud or voluntary closures, appear to have generated some distrust among users and may have slowed down the growth of this online environment.”
– Europol believes that critical infrastructure will continue to be targeted in the coming years.
– “Cybercrime is attractive to criminals due to the potential profits, limited risk of detection and prosecution, which if successful often only results in low sentences.”
– Europol expects cybercriminal activity related to COVID-19 vaccines to surge, including attacks on pharmaceutical research.
– Worldwide economic trouble may “result in a significant increase in the number of individuals engaging in cybercrime or offering cybercrime-related services.”

The freely available report repeats itself occasionally but is straightforward and easily accessible. We encourage those interested in learning more about the findings above, or in the interplay between cybercrime and other crime, to read the full report.
Action & Analysis
**Membership required**

3. Rise in Cyber Attacks from Iran

On November 17th, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with their Australian and UK counterparts, the Australian Cyber Security Centre and the UK’s National Cyber Security Centre. The advisory warns that Iranian government-sponsored advanced persistent threat (APT) actors are exploiting vulnerabilities in both Microsoft Exchange and Fortinet FortiOS (Fortinet is a major California-based cybersecurity vendor) to gain initial access to a range of U.S. critical infrastructure organizations in the transport and public health sectors, as well as to some organizations in Australia.

This access enabled various malicious follow-on operations, including data exfiltration, extortion, and ransomware deployment. The malicious activity was observed beginning in March of this year and continuing through the end of October. Notably, in June the group exploited a Fortinet appliance to access environmental control networks associated with a children’s hospital in the United States. Additional details on the impact of this specific intrusion have yet to be published.
A day prior to the federal advisory’s publication, Microsoft’s Threat Intelligence Center (MSTIC) presented a report at CyberWarCon 2021 on the recent trends in Iranian threat actor activity. In its presentation, MSTIC noted the sophistication and persistence of the Iranian nation-state operators, and their increasing utilization of ransomware to either collect funds or disrupt their targets.

The Microsoft researchers observed at least six different Iranian hacking groups using ransomware to “achieve their strategic objectives.” While they did not highlight industry-specific targeting trends, Microsoft researchers noted in a separate report that these Iranian APT groups had been implicated in prior malicious cyber activity, including social engineering attacks during the 2020 U.S. presidential election. The broadening scope of their attacks indicates a desire to both gain access and cause harm to different private industries and government sectors throughout the United States and across different supply chains.
Action & Analysis
**Membership required**


Tuesday, November 23rd:
– No relevant hearings

Wednesday, November 24th:
– No relevant hearings

Thursday, November 25th:
– No relevant hearings

International Hearings/Meetings –
– No relevant meetings

