
Federal authorities warn healthcare sector about Godzilla webshell threat


The US Department of Health and Human Services (HHS) has issued an urgent warning to healthcare organizations about the Godzilla webshell, a Chinese-developed cyber threat known for its advanced command execution and file manipulation capabilities.


What happened  

In an alert released Tuesday, HHS' Health Sector Cybersecurity Coordination Center (HC3) urged all healthcare entities to strengthen their cyber defenses against the Godzilla webshell. 

According to the alert, this backdoor tool lets threat actors upload, download, and delete files on a compromised server. Because it is publicly available and its creator continues to maintain it, it remains highly adaptable and challenging to detect. The American Hospital Association (AHA) followed up with its own warning, with deputy national advisor Scott Gee describing Godzilla as a major cybersecurity threat because of how easily malicious actors can obtain and use it.


The backstory  

The warning follows previous alerts in November 2021, when the Cybersecurity and Infrastructure Security Agency (CISA), along with Microsoft and Palo Alto, reported that Godzilla was being used in cyber campaigns. Those attacks exploited vulnerabilities in Zoho's ManageEngine ADSelfService Plus and affected healthcare among other industries. In February 2023, AhnLab Security Emergency Response Center (ASEC) also reported attacks deploying Godzilla against organizations in sectors including healthcare and pharmaceuticals.


Going deeper  

Godzilla is a sophisticated Chinese-language backdoor created by BeichenDream. It stands out from other webshells because it encrypts the traffic between the operator and the shell with the Advanced Encryption Standard (AES), so the commands sent and the results returned are not visible to signature-based inspection. Godzilla is a highly capable webshell: it lets attackers manage files on compromised systems (uploading, downloading, deleting, and modifying) and execute files and commands.

Attackers can also conduct reconnaissance, gathering details on operating systems, network configurations, and software versions. Furthermore, Godzilla can load payloads filelessly in memory, leaving minimal traces on disk, while the webshell itself gives the attacker persistent access to the host.

While some reports suggest that Godzilla is tied to the Chinese government, this has not been confirmed. Because its code has been openly published, a wide range of attackers, from cybercriminals to foreign governments, can and likely do use it.

Ultimately, these combined factors make Godzilla a major threat requiring sophisticated detection and defense methods.


What was said  

HHS HC3 described Godzilla as "highly capable and full of functionality," stating it "should be treated as a serious threat." Errol Weiss, chief security officer of Health-ISAC, also expressed support for HHS's warning, urging healthcare organizations to adopt recommended cybersecurity measures.


In the know  

A webshell is a malicious script that an attacker uploads to a web server, or plants by exploiting a vulnerable web application, so that commands can later be sent to the server through ordinary HTTP requests. Godzilla is such a script: once in place it serves as a backdoor, giving the attacker ongoing control over the compromised system.

Publicly available webshells are particularly dangerous, allowing anyone with malicious intent to launch attacks using these tools.
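The capabilities described above (a script on the web server that takes attacker input over HTTP, decrypts it, and hands it to a loader or command executor) translate directly into things a defender can look for on disk. The following is an added example, not code from the HHS alert, the AHA, or the Godzilla project: a small hunt script that walks a web root and scores every server-side script file on generic webshell traits. The marker patterns, the upload-directory names, the scoring weights, and the threshold are illustrative assumptions, not Godzilla signatures, and the two sample files it scans are constructed for the demonstration (the "planted" one only imitates the shape of an encrypted shell and does not function as one).

```python
# Added example (not from HHS, AHA, or the Godzilla project): score script files
# under a web root on generic webshell traits. Patterns and weights are
# illustrative assumptions; tune them for the application you protect.
import math
import os
import re
import tempfile
from collections import Counter

# File types the web server will execute; everything else is ignored.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".ashx"}

# Directories that should hold user content, never executable scripts
# (assumed names; adjust to the deployment).
UPLOAD_DIR_NAMES = {"uploads", "upload", "images", "tmp", "temp", "attachments"}

# Constructs that ordinary pages rarely need but webshells almost always do.
MARKERS = {
    "input": re.compile(r"request\.getParameter|getInputStream\(\)|\$_(?:POST|REQUEST|GET)\b|Request\.(?:Form|Item)"),
    "exec": re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|\b(?:shell_exec|passthru|system|popen|proc_open)\s*\(|Process\.Start"),
    "loader": re.compile(r"defineClass\s*\(|Assembly\.Load\s*\(|\beval\s*\(|\bassert\s*\("),
    "crypto": re.compile(r"\bAES\b|Rijndael|openssl_(?:en|de)crypt|\bCipher\b"),
    "encoding": re.compile(r"base64_(?:en|de)code|\bBase64\b|Convert\.FromBase64String"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: source text sits around 4-5, packed or encrypted blobs near 6-8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_file(path: str, webroot: str) -> dict:
    """Return the markers hit, an entropy reading, and an illustrative suspicion score."""
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-8", errors="replace")
    hits = [name for name, rx in MARKERS.items() if rx.search(text)]
    rel = os.path.relpath(path, webroot)
    in_upload_dir = any(part.lower() in UPLOAD_DIR_NAMES for part in rel.split(os.sep)[:-1])
    entropy = shannon_entropy(raw)

    score = len(hits)
    if in_upload_dir:
        score += 2  # an executable file where only data belongs
    if {"input", "crypto", "encoding"} <= set(hits) and ("exec" in hits or "loader" in hits):
        score += 2  # decoded, decrypted request body feeding an executor: the encrypted-shell shape
    if entropy > 6.0:
        score += 1  # a "page" that is mostly encoded or packed content
    return {"path": rel, "markers": hits, "in_upload_dir": in_upload_dir,
            "entropy": round(entropy, 2), "score": score}


def scan_webroot(webroot: str, threshold: int = 3) -> list[dict]:
    """Score every script under webroot; return those at or above threshold, worst first."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append(score_file(os.path.join(dirpath, name), webroot))
    return sorted((f for f in findings if f["score"] >= threshold), key=lambda f: -f["score"])


# Constructed sample tree: one ordinary page and one planted file whose content
# only imitates the shape of an encrypted webshell (it is not a working shell).
BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body><h1>Patient portal</h1>
<p>Logged in as <%= session.getAttribute("user") %></p></body></html>
"""

PLANTED_JSP = """<%@ page import="java.util.Base64,javax.crypto.Cipher" %>
<% String p = request.getParameter("pass");
   Cipher c = Cipher.getInstance("AES");
   byte[] body = Base64.getDecoder().decode(request.getInputStream().readAllBytes());
   // ... decrypt, then hand the bytes to a ClassLoader.defineClass( ) call ...
%>
"""


def build_demo_webroot() -> str:
    """Create a temporary web root holding the constructed samples; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write(BENIGN_JSP)
    with open(os.path.join(root, "uploads", "x.jsp"), "w") as fh:
        fh.write(PLANTED_JSP)
    with open(os.path.join(root, "uploads", "scan.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + os.urandom(64))  # not a script: ignored
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_demo_webroot()):
        print(f"{f['score']:>2}  {f['path']}  markers={f['markers']}  entropy={f['entropy']}")
```

Run it against a real document root with `scan_webroot("/var/www/app")` (path assumed) and review the top of the list by hand; a hit is a lead, not a verdict. The score deliberately weights the combination that matters for an encrypted shell, attacker-controlled input that is base64-decoded and decrypted before reaching a class loader or command executor, above any single keyword, because individual markers such as `Base64` or `Cipher` appear in plenty of legitimate code.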


Why it matters  

Godzilla's continued maintenance and public availability on GitHub make it a major threat to healthcare operations. Given its functionality and stealth, threat actors can use it to cause service disruptions, deploy ransomware, and access protected health information (PHI), creating severe operational and patient safety risks.


The bottom line  

Healthcare organizations must apply software patches, strengthen endpoint detection, and follow the HHS’ recommendations to mitigate this risk.


FAQs

Can a webshell affect healthcare systems?

Yes, they can compromise patients’ protected health information (PHI) and disrupt healthcare operations.


Why is the healthcare sector a major target for cyberattacks?

Healthcare facilities handle individuals’ sensitive personal and medical data and operate with minimal downtime, making them attractive targets for cybercriminals.


Can email encryption improve healthcare cybersecurity?

Yes, HIPAA compliant email solutions, like Paubox, offer advanced encryption that converts email content into a secure format only authorized recipients can access. Ultimately, it prevents unauthorized PHI disclosure that leads to data breaches and costly HIPAA fines.