Ankura Cyber Threat Intelligence Bulletin: August – September 2022

Over the past sixty days, Ankura’s Cyber Threat Investigations & Expert Services (CTIX) Team of analysts has compiled key learnings about the latest global threats and current cyber trends into an in-depth report: The Cyber Threat Intelligence Bulletin. This report provides high-level executives, technical analysts, and everyday readers with the latest intel and insights from our expert analysts.

Download the report for an in-depth look at the key cyber trends to watch and help safeguard your organization from constantly evolving cyber threats with the latest cyber intelligence, ransomware, and threat insights.

Our latest report explains the following observations in detail:

Law Enforcement Works with Threat Intelligence to Prosecute Human Traffickers

In the age of high-speed internet and social media, criminals have evolved to use information technology to bolster their criminal enterprises, and human traffickers are no different. Whether through the clearnet or the dark web, human traffickers have leveraged the internet to scale their operations, forcing law enforcement to reevaluate how best to combat the problem. In response to changes in trafficker tactics, techniques, and procedures (TTPs), governments across the world have responded with legislation and policies intended to thwart these criminals. Researchers from Recorded Future's Insikt Group have published compelling reports that serve as a proof-of-concept (PoC) for a methodology by which law enforcement agencies and investigators can use real-time threat intelligence and open data sources to track, mitigate, and potentially prosecute human sex traffickers. Download the full report for additional details on law enforcement efforts to prosecute human traffickers and more on the Insikt Group's findings.

Emerging Threat Organization “MONTI”: Sister Organization or Imposter Threat Group?

Over the past several weeks a new, potentially imposter, threat organization has mimicked the tactics, techniques, and procedures (TTPs) and infrastructure of the Conti ransomware group. Tracked as MONTI, this doppelganger organization emerged in the threat landscape in July 2022 after compromising a company and encrypting approximately twenty (20) hosts and a multi-host VMware ESXi instance tied to over twenty (20) additional servers. While the July attack pushed the group into the limelight, analysts believe that attacks from the doppelganger organization go back even further, into the early summer of 2022. Similarities between Conti ransomware and the alleged spinoff Monti ransomware include attack TTPs alongside the reuse of Conti-attributed malicious payloads, deployed tools, and ransom notes. Additionally, files encrypted by Monti exhibit nearly identical encryption characteristics to files encrypted by Conti, which could indicate code reuse. Read the full report to find out what CTIX analysts expect to see from this group in the future.

Figure 1: Conti Ransom Note

Figure 2: Monti Ransom Note

Iranian State-Sponsored Threat Organization’s Attack Timeline Targeting the Albanian Government

In July 2022, Iranian nation-state threat actors, identified by the FBI as "Homeland Justice", launched a "destructive cyber-attack" against the government of NATO member Albania. The group had acquired initial access to the victim network approximately fourteen (14) months earlier, in May 2021. During this period, the threat actors continuously accessed and exfiltrated email content. Peak activity was observed between May and June 2022, when the actors conducted lateral movement, network reconnaissance, and credential harvesting.

This attack and the eventual data dumps were targeted against the Albania-based Iranian dissident group Mujahedin-e-Khalq (MEK), otherwise known as the People's Mojahedin Organization of Iran. MEK is a "controversial Iranian resistance group" that was exiled to Albania; it was once listed by the United States as a Foreign Terrorist Organization for activity in the 1970s but was removed from the list in late 2012. Albania severed diplomatic ties with Iran on September 7, 2022, and is believed to be the first country ever to have done so in response to cyber attacks. For a more detailed analysis of this attack and its ramifications, download our full report.

Figure: Homeland Justice Ransom Note

Banning Ransomware Payments Becomes Hot-Button Issue in State Legislature

There is a debate occurring in state legislatures across the United States regarding the ethics and impacts of allowing businesses to make ransomware payments. North Carolina and Florida broke new ground earlier this year by passing laws that prohibit state agencies from paying cyber extortion ransom demands. While these two (2) states have been leading the way in ransomware legislation, at least twelve (12) other states have addressed ransomware in some way, for example by adding criminal penalties for those involved and by requiring public entities to report ransomware incidents. Download the full report to discover what experts think of government ransomware payment bans and the potential effects they could have on ransomware incidents.

Threat Actor of the Month: Worok

ESET researchers discovered a new activity cluster, identified as "Worok", linked to the long-active group TA428. TA428 is a Chinese advanced persistent threat (APT) group first identified by Proofpoint researchers in July 2019 during "Operation LagTime IT", a malicious campaign targeting government IT agencies in East Asia. Download the full report for an in-depth look at Worok's tactics and objectives, and insights from our analysts about the anticipated future impact of this group.

New List of Trending Indicators of Compromise (IOCs)

IOCs can be used by organizations to detect security incidents more quickly, because they flag activity that existing controls might not otherwise have identified as suspicious or malicious. Explore our latest list of technical indicators of compromise from the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.
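Indicator lists like the one in the report are typically published in defanged form (`hxxp://`, `[.]`) so that they cannot be clicked or auto-linked; before they are of any use for detection they have to be refanged and then matched carefully against log data, since naive substring matching lets `198.51.100.23` also fire on `198.51.100.235`. The following is an added example, written for this summary and not part of the CTIX report or its IOC list; every indicator and log line in it is constructed for illustration (RFC 5737 documentation addresses, reserved example domains, and the SHA-256 of the string "test"), and the `refang` and `match_logs` helpers are hypothetical names, not an Ankura tool.

```python
"""Refang a defanged IOC list and match it against log lines (constructed example)."""
import re
from dataclasses import dataclass

# Constructed, illustrative indicators in the defanged form bulletins commonly use.
# None of these are real threat indicators.
IOCS_DEFANGED = [
    ("ip", "198[.]51[.]100[.]23"),
    ("domain", "update-cdn[.]example[.]net"),
    ("url", "hxxps://update-cdn[.]example[.]net/s/loader.php"),
    # SHA-256 of the ASCII string "test"; stands in for a malicious file hash.
    ("sha256", "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"),
]

# Constructed sample log lines: proxy, EDR and DNS records. Line 2 is a near-miss
# (198.51.100.235, a different host) that a substring match would wrongly flag.
LOGS = [
    '2022-09-01T10:02:11Z proxy src=10.0.0.14 dst=198.51.100.23 '
    'url="https://update-cdn.example.net/s/loader.php" status=200',
    '2022-09-01T10:02:12Z proxy src=10.0.0.15 dst=198.51.100.235 '
    'url="https://cdn.example.org/app.js" status=200',
    '2022-09-01T10:03:40Z edr host=WS-044 event=process_create '
    'image=C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe '
    'sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08',
    '2022-09-01T10:05:02Z dns client=10.0.0.14 query=mail.update-cdn.example.net type=A',
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")  # sha256/sha1/md5
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")


def refang(value: str) -> str:
    """Undo the common defanging conventions so the indicator can be matched."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


@dataclass(frozen=True, order=True)
class Hit:
    line_no: int      # 1-based index into the log list
    ioc_type: str
    indicator: str    # refanged, normalised indicator that matched


def match_logs(iocs, lines):
    """Return sorted, de-duplicated hits of the IOC list against the log lines.

    IPs and hashes are matched as whole tokens; domains match the host itself or
    any subdomain of it; URLs are matched case-insensitively as a whole string.
    """
    ips = {refang(v) for k, v in iocs if k == "ip"}
    domains = {refang(v).lower() for k, v in iocs if k == "domain"}
    urls = {refang(v).lower() for k, v in iocs if k == "url"}
    hashes = {v.lower() for k, v in iocs if k in ("md5", "sha1", "sha256")}

    hits = set()
    for line_no, line in enumerate(lines, start=1):
        low = line.lower()
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.add(Hit(line_no, "ip", ip))
        for digest in HEX_RE.findall(low):
            if digest in hashes:
                hits.add(Hit(line_no, "sha256", digest))
        for host in HOST_RE.findall(low):
            for domain in domains:
                if host == domain or host.endswith("." + domain):
                    hits.add(Hit(line_no, "domain", domain))
        for url in urls:
            if url in low:
                hits.add(Hit(line_no, "url", url))
    return sorted(hits)


if __name__ == "__main__":
    for hit in match_logs(IOCS_DEFANGED, LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.indicator}")
```

Run against the constructed logs, the matcher flags line 1 on all three network indicators, line 3 on the file hash, and line 4 on the subdomain of the listed domain, while line 2 (the `198.51.100.235` near-miss) produces no hit. Case folding matters for hashes, which EDR products emit in either case, and must not be applied to the IP comparison, where it is irrelevant, or to URL paths in a way that changes meaning; here the URL comparison is deliberately loose because defanged URLs in bulletins are rarely exact.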

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

Hospital Antitrust Skirmish Over Economist


Antitrust law is designed to help the Davids of the world maintain a level playing field with the Goliaths. That objective was realized when Boise, Idaho-based hospital operator St. Alphonsus Health System, Inc. (“St. Al’s”) sued rival St. Luke’s Health System, Ltd. (“St. Luke’s”), to block St. Luke’s acquisition of the Saltzer Medical Group (“Saltzer”), one of Idaho’s largest and oldest independent medical groups.

St. Al's argued that St. Luke's acquisition of Saltzer would give St. Luke's such a dominant share of the adult primary care market in Nampa, Idaho, that it could raise prices and block referrals to St. Al's by having Saltzer steer patients to St. Luke's. St. Al's fears certainly seemed well-founded: Saltzer accounted for 43% of the adult primary care physicians, and about 90% of the pediatric physicians, in the Nampa market. Since St. Luke's accounted for about 24% of the primary care physicians in Nampa, the combined entity would have about 67% of the adult primary care physicians in Nampa.

The Federal Trade Commission (FTC) and Idaho Attorney General (AG) launched their own investigations and ultimately joined St. Al's lawsuit. Things did not go well initially for St. Al's, as the judge refused to preliminarily enjoin the acquisition, concluding that St. Al's was unlikely to suffer irreparable harm before a trial could be held. St. Luke's proceeded to complete the transaction.

However, in January 2014, after a bench trial, the judge concluded that the deal would have anti-competitive effects in terms of raising health care costs due to the increased negotiating leverage of the combined entity. The judge directed St. Luke’s to unwind the transaction, and divest itself of Saltzer’s assets. St. Luke’s has appealed to the Ninth Circuit. At oral argument, St. Luke’s contended that the trial court had failed to adequately consider the deal’s benefits.

Along the way, the trial court had an opportunity to decide a motion by the FTC and Idaho AG to exclude the testimony of St. Luke's economist, Dr. Alain Enthoven, concerning the quality-related benefits of the acquisition. Saint Alphonsus Med. Ctr. – Nampa, Inc. v. St. Luke's Health Sys., Ltd., No. 1:12-CV-00560-BLW, 2013 WL 5637743 (D. Idaho Oct. 15, 2013). A major thrust of the objection was that Dr. Enthoven had not read any of St. Luke's physician service agreements ("PSAs"), and therefore could not credibly testify as to "whether the acquisition creates the requisite integration to achieve the purportedly greatest benefits of integrated patient care."

The Court denied the motion. After reviewing the facts set out in the decision, the argument seems like a stretch, and we feel the Court reached the right result. As the Court observed, despite not having read the PSAs, Dr. Enthoven interviewed six top executives from St. Luke's and Saltzer and reviewed thirty depositions. The Court believed this effort enabled Dr. Enthoven to testify credibly concerning the quality-enhancing benefits of moving away from the fee-for-service model of compensation and toward a quality-based model.

The judge also rejected the FTC's contention that Dr. Enthoven was unqualified to testify regarding how the use of health information technology, such as electronic medical records, promotes higher quality care, in light of Dr. Enthoven's admission at his deposition that he was not a "healthcare IT expert." Observing that Dr. Enthoven was testifying as an economist, not a programmer, the judge ruled that Dr. Enthoven was qualified to explain how various healthcare IT tools promoted higher quality care even if he did not understand the mechanics of how those tools worked. This conclusion also seems correct, and not really a close call at all.

Do you agree with our conclusion that the Court made the right call in denying the motion to exclude Dr. Enthoven’s expert testimony?
