August 08, 2019

Indicators of Compromise

GOHSEP and ESF17 held a conference call at 2pm on Wednesday, August 7, 2019.

Threat:  

Ransomware attack in schools – Morehouse, Sabine, Tangipahoa, E. Carroll.

Background:  

“ESF17” is a newly created Emergency Support Function (ESF) that coordinates actions and communications with parishes and state agencies on cyber-attacks.

Highlights:

LSP Cyber Crime Unit (CCU) – collected evidence from 28 computers in the last 96 hours and has identified 8 infected networks. It will continue to extract Indicators of Compromise.

DOE – all schools are still scheduled to open on time. The map on slide 6 identifies which parishes have completed assessments. State assistance has been allocated to Morehouse, Ouachita, Tangipahoa and Sabine; Sabine has been completed. The end-game is to get every parish to purple (issues resolved).

Slide 7 identifies six phases as a Critical IT Task List for school districts. 47 districts have completed all phases, including receipt of Carbon Black (“Carbon Black” = finished); 14 districts are in phases 2-5. There are 69 parish school districts in total.

Indicators of Compromise include the following:

· Traffic to or from Pastebin.com (104.20.209.21) in the previous two weeks

· Any Anti-Virus hits for either Trickbot or Emotet

· New Accounts created with elevated privileges

· Outbound traffic to ports 445, 447, 449 or 8082 (445 is SMB; 447, 449 and 8082 are ports associated with Trickbot command-and-control traffic)

· Outbound or inbound traffic on ports 5985 (WinRM over HTTP) or 16993 (Intel AMT)

· Unusual remote connections either through RDP, LogMeIn, or TeamViewer

· Installed services with unusual names/created scheduled tasks with unusual names or paths

· Unusual files in users’ roaming profile directories (AppData\Roaming)

· Advapi32.dll being used as a hook into Explorer.exe

· The presence of ad_driver.sys in C:\Users\ADMINI~1\AppData\Local\Temp\1\

· Odd processes, such as svchost.exe, bound to open ports, including port 80
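As an added example (not from the bulletin or the LSP CCU update), the script below applies the network, file and account indicators above to exported logs. The flow-record layout, the Security-log event tuples, the internal address ranges and all sample records are constructed assumptions; adapt the parsers to whatever your firewall and SIEM actually export. It deliberately distinguishes outbound from internal traffic so that normal lateral SMB (port 445 between internal hosts) is not reported.

```python
"""Hunt for the ESF17 / LSP CCU Ryuk indicators in exported logs (added example)."""
import ipaddress
import re
from dataclasses import dataclass

PASTEBIN_IPS = {"104.20.209.21"}              # from the bulletin
OUTBOUND_C2_PORTS = {445, 447, 449, 8082}     # SMB plus Trickbot-associated ports
BIDIR_SUSPECT_PORTS = {5985, 16993}           # WinRM over HTTP, Intel AMT
PRIV_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Bulletin path: C:\Users\ADMINI~1\AppData\Local\Temp\1\ad_driver.sys (any user profile)
DRIVER_IOC = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\1\\ad_driver\.sys$", re.I)
# Assumption: RFC 1918 space is "internal"; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(line: str) -> list:
    """Flow record 'ts,src_ip,src_port,dst_ip,dst_port' (constructed format)."""
    line = line.strip()
    _ts, src, _sport, dst, dport = line.split(",")
    dport = int(dport)
    out = []
    if src in PASTEBIN_IPS or dst in PASTEBIN_IPS:
        out.append(Finding("pastebin_traffic", line))
    outbound = is_internal(src) and not is_internal(dst)
    if outbound and dport in OUTBOUND_C2_PORTS:
        out.append(Finding("outbound_c2_port", line))
    if dport in BIDIR_SUSPECT_PORTS:            # flagged in either direction
        out.append(Finding("winrm_or_amt_port", line))
    return out


def check_file(path: str) -> list:
    return [Finding("ad_driver_sys", path)] if DRIVER_IOC.search(path) else []


def check_accounts(events) -> list:
    """events: (event_id, target_account, group) from the Windows Security log.
    4720 = user account created; 4728 / 4732 = member added to a global / local group."""
    created = set()
    out = []
    for eid, target, group in events:
        if eid == 4720:
            created.add(target.lower())
        elif eid in (4728, 4732) and group in PRIV_GROUPS and target.lower() in created:
            out.append(Finding("new_privileged_account", f"{target} -> {group}"))
    return out


def hunt(flows, files, events) -> list:
    findings = []
    for flow in flows:
        findings.extend(check_flow(flow))
    for path in files:
        findings.extend(check_file(path))
    findings.extend(check_accounts(events))
    return findings


# Constructed sample data, not real telemetry.
SAMPLE_FLOWS = [
    "2019-08-05T09:12:01,10.1.4.22,51234,104.20.209.21,443",   # Pastebin
    "2019-08-05T09:13:44,10.1.4.22,51240,203.0.113.9,449",     # Trickbot port, outbound
    "2019-08-05T09:15:10,198.51.100.7,40000,10.1.4.22,5985",   # inbound WinRM
    "2019-08-05T09:16:00,10.1.4.22,51300,203.0.113.9,443",     # benign
]
SAMPLE_FILES = [
    r"C:\Users\ADMINI~1\AppData\Local\Temp\1\ad_driver.sys",
    r"C:\Windows\System32\drivers\ad_driver.sys",             # not the IOC location
]
SAMPLE_EVENTS = [
    (4720, "svc_backup2", None),
    (4732, "svc_backup2", "Administrators"),
    (4732, "jdoe", "Administrators"),    # pre-existing account, not matched by this rule
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_FLOWS, SAMPLE_FILES, SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.evidence}")
```

Any hit is a trigger for the fusion-center contact in the Request section, not proof of compromise on its own; the Pastebin address in particular is shared CDN space, so confirm with the full URL from proxy logs before escalating.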

ASPR TRACIE has identified resources for Cybersecurity Checklists for Healthcare Facilities.

View the Update:

UFOUO_LA-SAFE_CCU_Ryuk_Indicators_Update-080719[2].pdf 

Request:

Infected organizations are encouraged not to pay a ransom to criminal actors. Organizations that believe they have observed any of the Indicators of Compromise above should contact the fusion center at 1-800-434-8007 or lafusion.center@la.gov.

 

About the Louisiana Ambulance Alliance

The Louisiana Ambulance Alliance (LAA) is a diverse group of EMS providers who promote emergency medical transport as a distinct concern in Louisiana; serve as a forum for a unified voice for healthcare providers, public officials, healthcare workers, educators and consumers working to improve emergency medical transport in Louisiana; provide a forum for the exchange and distribution of ideas and information related to the improvement of emergency medical transport; serve as an advocate for emergency medical transport, promoting improved health status and improvements to the health system for residents of Louisiana; and encourage the development of appropriate health resources for Louisiana. 

To learn more about LAA, visit www.LouisianaAmbulanceAlliance.org. For up-to-date information, news and updates, follow us on Facebook, Instagram and Twitter.