BlackCat Ransomware Group Claims Attack on Healthcare Service Provider

Security researchers report that the BlackCat ransomware group briefly claimed an attack on a major U.S. electronic health record (EHR) vendor, but the entry disappeared within days. STRIKE analysis links possible BlackCat activity to its ExMatter/Fendr exfiltration tool, with evidence suggesting a relatively limited scope on the vendor’s systems. #BlackCat #ExMatter

Keypoints

  • BlackCat (ALPHV) added an entry for a major U.S. electronic health record (EHR) vendor to its data leak site on January 17; the entry disappeared by January 21.
  • SecurityScorecard STRIKE used traffic data and public TTP reporting to identify possible BlackCat-affiliated activity on target IP addresses.
  • Evidence may reflect deployment of the BlackCat exfiltration tool ExMatter/Fendr on the vendor’s systems, though the overall activity appears relatively limited in scope.
  • Findings show suspicious traffic to remote-access services with 45 vendor-related IPs sampled; 27 of these were flagged malicious by VirusTotal, including 195.176.3[.]23, a TOR exit node linked to credential-stuffing activity.
  • Additional traffic data and possible reconnaissance indicate the potential for credential theft via phishing or information-stealing malware, followed by attempts to authenticate remote-access services using compromised credentials.
  • Conclusion: the observed traffic represents a small portion of total activity; the vendor claimed no evidence of data exfiltration, and the breach entry was removed, leaving three possible scenarios (ongoing negotiations, concluded negotiations, or a false/exaggerated claim).

MITRE Techniques

  • [T1133] External Remote Services – Three vendor subdomains suggested the use of remote access services; “three vendor subdomains that suggested the use of such services”
  • [T1078] Valid Accounts – Initial access via compromised credentials used to access remote services; “compromised credentials to use remote access services for initial access”
  • [T1046] Network Service Scanning – Early activity described as low-level scanning and probing of targets before access attempts; “low-level scanning and probing activity”
  • [T1090] Proxy – Use of TOR to conceal origins of traffic; “TOR exit node”
  • [T1041] Exfiltration Over C2 Channel – Exfiltration to a remote server over port 22; “exfiltrates data to a remote server over port 22”
  • [T1566] Phishing – Potential credential acquisition through phishing to obtain remote access; “phishing or by infecting an employee device with information-stealing malware”
  • [T1110] Brute Force – Credential-stuffing attacks observed as a technique to gain access; “credential-stuffing attacks”

Indicators of Compromise

  • [IP Address] 195.176.3[.]23 – a TOR exit node involved in credential-stuffing activity and potential initial access
  • [IP Address] Other vendor IP addresses hosting remote-access services – 45 unique vendor IPs sampled, 27 of them detected as malicious by VirusTotal
  • [Port] 22, 2222, 8222 – SSH-related ports used for potential exfiltration tunnels (port 22 specifically open on many DigitalOcean IPs)
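As an added illustration (not code from the report or from SecurityScorecard), a small Python detector for the three traffic patterns the findings above describe: contact with the listed TOR exit node, internal hosts reaching external SSH-style ports (22, 2222, 8222) outside a sanctioned set, and repeated authentication failures from one source. The record format, internal ranges, allowlist and failure threshold are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Indicator taken from the report above (defanged there; refanged here for matching).
KNOWN_BAD = {"195.176.3[.]23".replace("[.]", ".")}
# Ports the report associates with possible SSH exfiltration tunnels.
SSH_PORTS = {22, 2222, 8222}
# Assumed (constructed) internal ranges, one sanctioned internal SSH host, and an alert threshold.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_SSH_DST = {"10.0.5.9"}
STUFFING_THRESHOLD = 5


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def analyse(lines):
    """Walk records of the assumed form 'ts,src,dst,dport,action' (action is
    allow, auth_fail or auth_ok) and return a list of (ts, kind, src, dst) alerts."""
    alerts, failures, seen_bad = [], defaultdict(int), set()
    for line in lines:
        ts, src, dst, dport, action = line.strip().split(",")
        dport = int(dport)
        # 1. Any contact with a known-bad address (report IoC), reported once per address.
        for ip in (src, dst):
            if ip in KNOWN_BAD and ip not in seen_bad:
                seen_bad.add(ip)
                alerts.append((ts, "known_bad_ip", src, dst))
        # 2. Internal host opening an SSH-style port to an external, unsanctioned host:
        #    the shape an ExMatter-style exfiltration tunnel over port 22 would take.
        if is_internal(src) and not is_internal(dst) and dport in SSH_PORTS and dst not in ALLOWED_SSH_DST:
            alerts.append((ts, "outbound_ssh_port", src, f"{dst}:{dport}"))
        # 3. Repeated authentication failures from one source: credential stuffing.
        if action == "auth_fail":
            failures[src] += 1
            if failures[src] == STUFFING_THRESHOLD:
                alerts.append((ts, "credential_stuffing", src, dst))
    return alerts


# Constructed sample records, not real traffic from the incident.
SAMPLE = [
    "2024-01-18T02:00:01,10.0.3.7,10.0.5.9,22,allow",
    "2024-01-18T02:01:10,10.0.3.7,203.0.113.40,2222,allow",
] + [f"2024-01-18T02:02:{i:02d},195.176.3.23,10.0.8.2,443,auth_fail" for i in range(5)] + [
    "2024-01-18T02:03:00,198.51.100.9,10.0.8.2,443,auth_ok",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The sanctioned SSH connection and the successful login produce no alert; the external port-2222 connection, the first contact from the TOR exit node, and the fifth failed login each produce one.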

Read more: https://securityscorecard.com/research/blackcat-ransomware-group-claims-attack-on-healthcare-service-provider/