Hackers in 2022: Buying Network Access and Using Providers' Tools Against Them



Hackers are gradually changing their tactics to get their hands on patient data from healthcare providers. These days it’s getting more common for large threat actors to simply buy access to a network, and to use the tools we know and trust against us.

Earlier this month the Health Sector Cybersecurity Coordination Center (HC3) released a security brief on “Ransomware Trends in the HPH Sector (Q1 2022).” This is an excellent resource for healthcare providers and the vendors that support them to know where their greatest security threats lie.

During the COVID-19 pandemic, many healthcare organizations had to scramble to adopt remote access and cloud applications, and many of these providers didn’t implement basic security procedures. While taking advantage of these vulnerabilities, Initial Access Brokers (IABs) have been selling remote access to provider networks to cybercriminals online. These IABs haven’t lost any momentum in 2022, and they are continuing to help ransomware groups save time and effort while they coordinate attacks.

When deploying ransomware, hackers are increasingly “Living off the Land.” This means that instead of deploying their own tools and malware, they’re using the tools a provider already has established to work against them. Not only does this help prevent their actions from being spotted by employees, but it also makes it much harder for an antivirus or endpoint detection tool to flag them as suspicious.

The tools that are currently being exploited include:

  • Remote access tools such as AnyDesk, Windows Safe Mode, Atera, ScreenConnect, and ManageEngine
  • Encryption tools such as BitLocker, BestCrypt, and DiskCryptor
  • Open-source tools such as Cobalt Strike, Mimikatz, AdFind, Process Hacker, and MegaSync
  • And many more listed in the brief.


In summary, HC3 provided these five takeaways from Q1 of 2022:

  • Financially-motivated and state-sponsored threat actors are highly likely to continue to evolve their Tactics, Techniques, and Procedures (TTPs) for successful attacks
  • Legitimate tools are likely to continue to be abused/weaponized in ransomware campaigns in an attempt by threat actors to avoid detection
  • Living off the Land (LotL) techniques leveraging legitimate tools are difficult but possible to detect
  • The behavior-based approach that a modern security information and event management (SIEM) tool provides will be able to detect living-off-the-land techniques that signature-based detection cannot
  • Some types of attack techniques cannot be easily mitigated with preventive controls since it is based on the abuse of system features; fortunately, there are detection opportunities for these techniques


HC3 included a list of critical steps to take to mitigate these risks, many of which we have covered in previous materials. As attackers continue to work smarter and faster, your team at Medcurity is here to keep you updated on how best to meet your security and compliance needs to protect your patients. If you have any questions, feel free to reach out to us.