Fraud Management & Cybercrime , Healthcare , Industry Specific

Feds Warn of Godzilla Webshell Threats to Health Sector

Stealthy Backdoor Publicly Available on GitHub Can Be Weaponized for Larger Attacks
Feds Warn of Godzilla Webshell Threats to Health Sector
Federal authorities are warning the healthcare sector of threats involving Godzilla webshell

Godzilla webshell, a Chinese-language backdoor known for its stealth and ability to execute commands and manipulate files, is publicly available on GitHub, and federal authorities have issued a stern warning to the healthcare sector to prepare for this threat and inevitable cyberattacks.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert Tuesday said it "implores" all healthcare organizations to review and take risk mitigation actions to defend against attacks using Godzilla webshell.

The American Hospital Association also posted an alert about the backdoor based on HHS HC3's warning. The group fears that threat actors will use in ransomware attacks to steal protected health information and deploy malware to disrupt critical hospital operations, the AHA's Scott Gee told Information Security Media Group.

"Hospitals and the healthcare sector continue to be the most often attacked sector," said Gee, deputy national advisor for cybersecurity and risk at AHA. "The Godzilla webshell is a particularly insidious threat, in that it is publicly available and actively updated and maintained, which makes it more difficult to detect."

Godzilla webshell has been attributed to Chinese nation-state threat actors with relatively high confidence, and it has been used to target a number of industries, including the health sector, HHS HC3 said in its alert.

"It is publicly available and therefore accessible for use by any number of bad actors, and should be treated as a serious threat," HHS HC3 said.

The Chinese-language backdoor was created by an individual who goes by the online handle BeichenDream, which claims Godzilla was created in response to existing webshells that are often more easily detected in attacks, HHS HC3 said.

The agency said the webshell can help attackers manage and manipulate files, including "uploading, downloading, deleting and modifying files on a victim system."

"Godzilla avoids detection by using advanced encryption standard encryption for its network traffic, which makes it more difficult to detect. Godzilla is considered highly capable and full of functionality," HHS HC3 said.

But Godzilla - like any webshell - also supports the execution of files and commands. "It allows for reconnaissance, such as the collection of details related to operating systems, network configurations, and versions of software and applications. It facilitates the maintenance of persistent access."

Also because BeichenDream maintains Godzilla, including its code, on the publically accessible repository Github, "the means it is relatively trivial for another threat actor - foreign government, cybercriminal gang or anyone else - to acquire, modify and utilize the code in accordance with their unique purposes," HHS HC3 warned.

Federal government officials are aware of several previous attacks and campaigns using Godzilla webshell, HHS HC3 said.

That includes two related campaigns in November 2021 that were the subject of other threat warnings.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned of advanced persistent threat actors using Godzilla in a series of attacks exploiting a known authentication bypass vulnerability, or CVE-2021-40539 in Zoho's ManageEngine ADSelfService Plus, a self-service password management and single sign-on platform (see: NSA Reports Espionage Group Breaches Critical Systems).

Then also in November 2021, Microsoft and Palo Alto both identified a second related campaign leveraging Godzilla, exploiting the same CVE-2021-40539 vulnerability. Microsoft attributed these attacks to a group identified as DEV-0322 operating out of China, based on observed infrastructure, victimology, tactics and procedures. Palo Alto reported observing the use of leased infrastructure in the U.S. to carry out these attacks, which included targeting at least nine organizations, including in the healthcare sector.

Also, in February 2023, researchers at AhnLab Security Emergency Response Center reported an attack campaign carried out by the APT Dalbit - also known as m00nlight - targeting victims with Godzilla and other cyber weapons, HHS HC3 said. Those attacks hit 50 organizations in several sector, including the pharmaceutical industry.

While the Health-Information Sharing and Analysis Center has seen an increase in recent reports of ransomware and malware incidents impacting the global healthcare sector, it has had "no direct sightings" of Godzilla webshell so far, said Errol Weiss, chief security officer of Health-ISAC.

Nonetheless, Weiss said he's glad HHS issued the warning about Godzilla. "I would encourage all organizations, no matter what sector they're in, to follow the recommendations in the bulletin," he said.

Those include ADSelfService Plus user organizations applying latest software updates and patches.

AHA's Gee said detecting webshells also "requires a comprehensive defense-in-depth approach using tools like network segmentation, network traffic analysis, and endpoint detection and response."

Health-ISAC's Weiss recommends healthcare organizations to review and implement the voluntary Cybersecurity Performance Goals published by HHS in January (see: HHS Details New Cyber Performance Goals for Health Sector).

"Implementing the CPGs and participating in an information sharing community would help greatly improve the security posture of an organization."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.