DNS NXDOMAIN DDoS Attacks on the Healthcare Sector
The Health Sector Cybersecurity Coordination Center (HC3) released an advisory concerning a threat actor that is conducting targeted distributed denial of service (DDoS) attacks on the U.S. healthcare industry. The attacks flood networks and servers with fake Domain Name Server (DNS) requests for domains that do not exist (NXDOMAINs). Because the DNS servers are overloaded, they are unable to process legitimate DNS requests. These attacks began in November 2022.
DNS servers locate web resources by resolving the requested names to IP addresses so that connections can be made. Upon receiving a request, a DNS Proxy Server contacts the DNS Authoritative Server; when the IP address of the web resource is found, it is returned to the client to allow the connection. In a DNS NXDOMAIN flood DDoS attack, requests for non-existent domains flood the DNS Proxy Server, which uses up its resources looking up each NXDOMAIN request with the DNS Authoritative Server. The DNS Authoritative Server, in turn, uses up its own resources answering those queries.
A botnet under the attacker’s control usually sends these requests to the DNS Proxy Server. Depending on the scale of the attack, legitimate DNS requests slow down or are blocked entirely, preventing legitimate users from accessing a website or web apps.
These attacks are fairly short-lived, lasting from a few hours to a couple of days. When a healthcare company’s domain is attacked, patients may be unable to access consultation scheduling apps and patient portals, the company’s website may be inaccessible, and employees may be unable to access web apps.
Typically, these attacks occur with the following signs:
- A large number of DNS queries for non-existent hostnames under legitimate domains
- UDP packets encapsulated in IPv4 and IPv6
- Extensively distributed source IPs
- Possibly spoofed source IPs
- DNS servers having many NXDOMAIN errors
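The signs listed above can be checked mechanically in resolver response logs. The following is an added detection example, not code from the HC3 advisory: it parses a constructed, hypothetical log format (timestamp, client, qname, rcode), buckets queries into one-minute windows, and flags a window when the NXDOMAIN share, the NXDOMAIN count and the number of distinct sources sending them all exceed thresholds. The log lines, the log format and the thresholds are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log in a hypothetical resolver format (not any real resolver's output).
# First minute: normal traffic with one typo. Second minute: random labels under the
# organisation's real zone, from many different source addresses, all answered NXDOMAIN.
SAMPLE_LOG = """\
2022-11-15T10:00:00Z client=198.51.100.7 qname=www.example-hospital.org rcode=NOERROR
2022-11-15T10:00:05Z client=198.51.100.8 qname=portal.example-hospital.org rcode=NOERROR
2022-11-15T10:00:12Z client=198.51.100.7 qname=mail.example-hospital.org rcode=NOERROR
2022-11-15T10:00:20Z client=198.51.100.9 qname=protal.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:00:31Z client=198.51.100.8 qname=scheduling.example-hospital.org rcode=NOERROR
2022-11-15T10:01:00Z client=203.0.113.10 qname=k3j9x.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:00Z client=203.0.113.11 qname=q8zt2.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:01Z client=203.0.113.12 qname=v0pla.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:01Z client=192.0.2.55 qname=m7ddq.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:02Z client=192.0.2.56 qname=zz41b.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:02Z client=192.0.2.57 qname=hh2ke.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:03Z client=203.0.113.13 qname=p9q1r.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:03Z client=192.0.2.58 qname=c4c4c.example-hospital.org rcode=NXDOMAIN
2022-11-15T10:01:04Z client=198.51.100.7 qname=www.example-hospital.org rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one log line of the constructed format; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"],
            "qname": m["qname"].rstrip(".").lower(), "rcode": m["rcode"]}


def parent_zone(qname):
    """Crude parent zone: the last two labels. Good enough to show which real zone is being hit."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text, window_seconds=60, nx_ratio=0.5, min_nxdomain=5, min_sources=5):
    """Summarise each time window and flag those that look like an NXDOMAIN flood.

    Thresholds are illustrative assumptions; tune them to the resolver's normal baseline.
    """
    windows = defaultdict(lambda: {"total": 0, "nxdomain": 0,
                                   "nx_clients": set(), "zones": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        w = windows[bucket]
        w["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            w["nxdomain"] += 1
            w["nx_clients"].add(rec["client"])          # how distributed the sources are
            w["zones"][parent_zone(rec["qname"])] += 1  # which legitimate zone is targeted

    results = []
    for bucket in sorted(windows):
        w = windows[bucket]
        ratio = w["nxdomain"] / w["total"]
        alert = (ratio >= nx_ratio
                 and w["nxdomain"] >= min_nxdomain
                 and len(w["nx_clients"]) >= min_sources)
        results.append({
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "total": w["total"],
            "nxdomain": w["nxdomain"],
            "nx_ratio": round(ratio, 2),
            "distinct_sources": len(w["nx_clients"]),
            "top_zones": w["zones"].most_common(3),
            "alert": alert,
        })
    return results


if __name__ == "__main__":
    for window in analyze(SAMPLE_LOG):
        print(window)
```

On the constructed sample the first window reports a single NXDOMAIN from one client (a typo) and is not flagged, while the second window reports eight NXDOMAINs from eight distinct sources under example-hospital.org and is flagged. Most resolvers only record the response code when response logging or dnstap is enabled, so that needs to be switched on before this kind of check has data to work with.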
It is difficult to block these attacks because the devices that make up the botnet are usually widely distributed, often numbering several thousand. Although blocking an attack outright may be impossible, its impact can be limited through the following mitigations:
- Blackhole routing or taking out suspected servers and domains
- Enforcing DNS Response Rate Limiting
- Blocking additional requests from the IP address of a client for a limited time period
- Making sure that cache refresh works
- Decreasing the name lookup timeout so that resources in the DNS resolver are freed up sooner
- Applying longer time-to-live (TTL) on existing records
- Imposing rate limiting on traffic when servers are overwhelmed
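Two of the mitigations above, response rate limiting and temporarily blocking a client that exceeds it, can be combined in one small mechanism. The following is an added example written for this page, not code from HC3 or from any DNS server: a per-client limiter that counts only NXDOMAIN answers in a sliding window, and once a client exceeds the limit drops all of that client's queries for a fixed block period. The event list, the client addresses and the limits are constructed assumptions.

```python
from collections import defaultdict, deque


class NxdomainRateLimiter:
    """Per-client limit on NXDOMAIN answers with a temporary block once it is exceeded.

    Only negative answers count toward the limit, so a client doing normal lookups is
    never throttled; a client generating a burst of NXDOMAINs is blocked for block_seconds.
    """

    def __init__(self, nxdomains_per_window=5, window_seconds=1.0, block_seconds=30.0):
        self.limit = nxdomains_per_window
        self.window = window_seconds
        self.block = block_seconds
        self._events = defaultdict(deque)  # client -> timestamps of recent NXDOMAIN answers
        self._blocked_until = {}           # client -> time at which its block expires

    def decide(self, client, rcode, now):
        """Return 'allow' or 'drop' for one answer to `client` with response code `rcode`."""
        until = self._blocked_until.get(client)
        if until is not None:
            if now < until:
                return "drop"              # still inside the block period
            del self._blocked_until[client]
            self._events[client].clear()   # block expired: start with a clean window
        if rcode != "NXDOMAIN":
            return "allow"                 # positive answers are never limited
        q = self._events[client]
        while q and now - q[0] >= self.window:
            q.popleft()                    # slide the window forward
        if len(q) >= self.limit:
            self._blocked_until[client] = now + self.block
            return "drop"
        q.append(now)
        return "allow"


def simulate(events, **limits):
    """Run a sequence of (time, client, rcode) answers through a fresh limiter."""
    limiter = NxdomainRateLimiter(**limits)
    return [(client, limiter.decide(client, rcode, t)) for t, client, rcode in events]


# Constructed event stream: one client fires six NXDOMAIN lookups in half a second,
# a legitimate client does a normal lookup and one typo, and the first client returns
# after the block has expired.
EVENTS = [
    (0.0, "203.0.113.10", "NXDOMAIN"),
    (0.1, "203.0.113.10", "NXDOMAIN"),
    (0.2, "203.0.113.10", "NXDOMAIN"),
    (0.3, "198.51.100.7", "NOERROR"),
    (0.3, "203.0.113.10", "NXDOMAIN"),
    (0.4, "203.0.113.10", "NXDOMAIN"),
    (0.5, "203.0.113.10", "NXDOMAIN"),   # sixth within one second: dropped and blocked
    (0.6, "203.0.113.10", "NOERROR"),    # blocked, so even a good lookup is dropped
    (0.7, "198.51.100.7", "NXDOMAIN"),   # a single typo from a legitimate client is fine
    (31.0, "203.0.113.10", "NXDOMAIN"),  # block expired, counting starts again
]

if __name__ == "__main__":
    for client, verdict in simulate(EVENTS):
        print(client, verdict)
```

The caveat that comes with the signs listed earlier applies here: when source addresses are spoofed or the botnet is spread over thousands of hosts, per-client blocking catches little of the flood and can block an innocent address, including a large shared resolver that fronts many real users. Real DNS servers' response rate limiting therefore also works on the answer side (limiting identical responses, and sending truncated answers so genuine clients can retry over TCP) rather than relying on client blocking alone.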
Although HC3 has not confirmed the source of these attacks, the hacktivist group Killnet is likely targeting the healthcare sector because of the U.S. Congress’s support for Ukraine. Killnet has been active since January 2022 and has recently increased its attacks on the U.S. healthcare industry.
Money Message Ransomware Group Attacks PharMerica and BrightSpring Health Services
Recently, the Money Message ransomware group posted on its data leak site that it stole over 2 million records from PharMerica, a Kentucky pharmacy network, and BrightSpring Health Services, its parent company, during an attack that occurred on March 28, 2023. The stolen information contained patient names, dates of birth, and Social Security numbers.
BrightSpring Health Services confirmed that it is investigating a cybersecurity incident with the assistance of third-party cybersecurity specialists. BrightSpring stated that the attack has not impacted its operations. To date, the investigation has not determined how many individuals were affected or the extent to which patient data was involved. The affected files are still under review, and the company will issue notification letters as soon as possible.
Cyberattack on Sarah D. Culbertson Memorial Hospital
Sarah D. Culbertson Memorial Hospital in Rushville, IL has confirmed the full restoration of its IT systems after a cyberattack in March 2023. The hospital noticed a disruption to its systems on March 30, 2023, shut the systems down to limit the impact of the attack, and engaged third-party cybersecurity specialists to investigate the attack and determine the scope of affected patient data.
Because the majority of its IT systems were not breached during the attack or throughout the breach response, the hospital’s ED services remained operational and there was no negative impact on patient care. The hospital will notify affected individuals once it has determined which patient data was compromised during the attack.
Over 15,000 St. Luke’s Health System Patients Affected by Mailing Error
St. Luke’s Health System sent notifications to 15,246 patients concerning an impermissible disclosure of their protected health information (PHI). The exposure was due to a technical error in a mailing that caused letters to be sent to the wrong mailing addresses. The recipients received letters containing the following information: guarantor name and number, patient’s name, encounter-specific account number, date of service, balance status, and outstanding balance. St. Luke’s Health System stated that the accounts were not in collections.
St. Luke’s Health System has identified and fixed the error, and additional safeguards have been put in place to catch such errors before letters are mailed. As a safeguard against misuse of the data, the accounts of affected individuals were reset to give them extra time to resolve balances, and affected individuals were offered free identity theft protection services for one year.