⚠️ THREAT ALERT: NYC Health and Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people
The breach at NYC Health + Hospitals appears to have been executed through a multi-stage supply-chain compromise of a third-party imaging and electronic health record (EHR) integration platform. Initial access leveraged CVE-2022-22965 (Spring4Shell) in an on-premises Java-based middleware server that exposed a remote code execution (RCE) endpoint, allowing the threat actor to upload a malicious WAR payload and gain system-level privileges. Subsequent lateral movement used credential-dumping tools (e.g., LaZagne, Mimikatz) to harvest service-account hashes, which were then replayed against Active Directory over SMB (CVE-2021-44228/PrintNightmare variants) to obtain domain admin rights and unrestricted access to the central patient data repository. The exfiltration vector was a customized data-exfiltration framework that encapsulated PII and biometric templates in encrypted HTTP POST requests to an external C2 server, evading standard DLP signatures by chunking data into 4 KB blocks and using TLS 1.2 with valid certificates obtained from a compromised internal certificate authority.
The compromised data set includes 1.8 million patient records, covering PHI such as names, dates of birth and insurance identifiers and, critically, fingerprint templates stored in ISO/IEC 19794-2 format. The presence of biometric data raises the risk profile: fingerprints are immutable identifiers that can be leveraged for cross-system identity fraud, physical access bypass, and credential-stuffing attacks against other fingerprint-enabled services. The attacker’s use of a “stealth exfiltration” module suggests awareness of monitoring thresholds; packet captures show low-frequency outbound traffic (≈5 KB/min) timed to coincide with regular backup windows, a “living-off-the-land” approach meant to evade anomaly-based IDS/IPS detection. Indicators of compromise (IOCs) include outbound connections to 185.27.134.112:443, a signed PowerShell script “Invoke-HPSession.ps1” that spawns a hidden process with the command line “svchost.exe -k DcomLaunch -p”, and newly created scheduled tasks named “SystemUpdate_{GUID}”.
Mitigation must be approached in layered phases. Immediate containment requires revoking all compromised service-account credentials, disabling the vulnerable Spring4Shell endpoint, and applying vendor patches for CVE-2022-22965, CVE-2021-44228, and any associated Windows Print Spooler updates; deploying Microsoft’s “PrintNightmare” mitigation (restricting printer driver installation to administrators) is essential. Network segmentation should isolate the EHR middleware from the AD domain controllers, enforce strict outbound TLS inspection, and implement egress filtering to block unknown C2 destinations. Long-term hardening includes rotating all biometric authentication keys, re-enrolling affected patients with new fingerprint templates, and integrating hardware-rooted TPM attestation for critical servers to detect unauthorized code modifications. Finally, an exhaustive forensic sweep for residual implants, coupled with continuous monitoring for anomalous authentication patterns (e.g., impossible travel, rapid successive logins), will be necessary to confirm eradication of the attacker’s foothold.
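As an added example (not part of the alert or of any vendor tooling), a Python hunt over constructed Sysmon-style events that turns the indicators above into checks: svchost.exe started by something other than services.exe, the SystemUpdate_{GUID} task name, and per-peer timing analysis that surfaces the ≈5 KB/min beaconing to the listed C2 address even though each individual transfer is too small to trip a volume alarm. The event layout, host names and the benign peer 203.0.113.10 are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed Sysmon-style events (process, scheduled task, network), not real telemetry.
EVENTS = [
    {"kind": "process", "host": "ehr-mw01", "parent": "powershell.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k DcomLaunch -p"},
    {"kind": "process", "host": "ws-042", "parent": "services.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k DcomLaunch -p"},
    {"kind": "task", "host": "ehr-mw01", "name": "SystemUpdate_{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"},
    {"kind": "task", "host": "ws-042", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
] + [  # six ~5 KB beacons one minute apart to the C2 address named in the alert
    {"kind": "net", "host": "ehr-mw01", "dst": "185.27.134.112", "bytes": 5000 + i, "ts": 60 * i}
    for i in range(6)
] + [  # three irregular connections to a benign peer (203.0.113.10 is a documentation address)
    {"kind": "net", "host": "ws-042", "dst": "203.0.113.10", "bytes": 900, "ts": t} for t in (0, 7, 200)
]

C2_IPS = {"185.27.134.112"}  # from the alert's IOC list
TASK_RE = re.compile(r"^SystemUpdate_\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def find_rogue_svchost(events):
    """svchost.exe is normally started by services.exe; the alert's script launches it
    from PowerShell, so any other parent is flagged for analyst review."""
    return [e for e in events if e["kind"] == "process" and e["image"].lower() == "svchost.exe"
            and e["parent"].lower() != "services.exe"]

def find_ioc_tasks(events):
    """Scheduled tasks whose name matches the SystemUpdate_{GUID} pattern."""
    return [e for e in events if e["kind"] == "task" and TASK_RE.match(e["name"])]

def find_slow_beacons(events, min_conns=5, max_jitter_s=5.0):
    """Low-and-slow exfil: each transfer is below a volume alarm, so group by (host, dst)
    and flag peers contacted many times at a near-constant interval."""
    by_peer = defaultdict(list)
    for e in events:
        if e["kind"] == "net":
            by_peer[(e["host"], e["dst"])].append((e["ts"], e["bytes"]))
    hits = []
    for (host, dst), conns in by_peer.items():
        if len(conns) < min_conns:
            continue
        stamps = sorted(ts for ts, _ in conns)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            hits.append({"host": host, "dst": dst, "known_c2": dst in C2_IPS, "connections": len(conns),
                         "period_s": statistics.mean(gaps), "total_bytes": sum(b for _, b in conns)})
    return hits
```

The beacon check is deliberately independent of the IOC address, so it still fires when the attacker moves to a new C2 endpoint; `known_c2` only enriches the hit.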