Among the ever gushing river of stolen personal information, one data type has solidified its position as the caviar of personal credentials, and is now sought by a broad variety of nefarious individuals and organizations. Medical data has risen to the top of the identity theft pile, and as such medical facilities are encountering an ongoing surge in malware designed to steal those private credentials.
Earlier this year, we explored the MEDJACK report, compiled by deception-focused security firm, TrapX. Their initial MEDJACK report (sign-up required) illustrated a broad range of attacks focused on medical facilities throughout the country, with a focus on hospital medical devices. TrapX found “extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA),” as well as notifying hospital authorities of an impressive range of additional potential vulnerable instruments, including:
“Diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more.”
The new report, MEDJACK.2: Hosptials Under Siege (I love this title, by the way!), has built upon this early detailing of the persistent threat posed to medical facilities, and the security company provide a detailed analysis of the “ongoing, advanced” attacks taking place.
New Institutions, New Attacks
One of the most interesting things detailed in the report was the sophisticated malware variants deployed by the attackers, specifically designed to appear as to be no concern to modern Windows systems. The MS08-067 worm, more commonly known as Conficker, is well-known amongst security professionals, and indeed, its signature is equally well-known by antivirus and endpoint security software.
The majority of recent Windows versions have eradicated most of the specific vulnerabilities which allowed the worm such success during its “heyday,” so when presented to the network security system of the medical facility, it appeared as though there was no immediate threat.
However, the malware was specifically selected for its ability to exploit older, unpatched versions of Windows that are found on many medical devices. This is critical for two reasons:
- As the newer versions of Windows weren’t vulnerable, they didn’t detect a threat, eliminating any endpoint security protocols that should have stepped in. This ensured the worm’s successful navigation to any old Window workstations.
- Specifically focusing the attack on older versions of Windows granted a significantly higher chance of success. As well as this, most medical devices do not have specialized endpoint security, again limiting their chances of detection.
TrapX co-founder, Moshe Ben Simon, explained:
“MEDJACK.2 adds a new layer of camouflage to the attacker’s strategy. New and highly capable attacker tools are cleverly hidden within very old and obsolete malware. It is a most clever wolf in very old sheep’s clothing. They have planned this attack and know that within healthcare institutions they can launch these attacks, without impunity or detection, and easily establish backdoors within the hospital or physician network in which they can remain undetected, and exfiltrate data for long periods of time.”
Using the out-of-date Conficker worm as a wrapper, the attackers were able to move swiftly between internal hospital networks. Although TrapX have not officially named the medical facility vendors their security systems were evaluating, they have detailed the specific departments, systems, and equipment vendors that were affected:
- Hosptial #1: Top 1,000 global hospital
- Vendor A – Radiation Oncology system
- Vendor A – Trilogy LINAC Gating system
- Vendor B – Flouroscopy Radiology system
- Hospital #2: Top 2,000 global hospital
- Vendor C – PACS system
- Multiple Vendor Computer Servers and Storage Units
- Hospital #3: Top 200 global hospital
- Vendor D – X-Ray Machine
In the first hospital, attackers compromised a system running a centralized intrusion detection system, endpoint protection throughout the network, and next generation firewalls. Despite these protections, security researchers found backdoors in a number of systems, as detailed above.
The second hospital found their Picture Archiving and Communication System (PACS) had been compromised in order to search for vulnerable medical devices and patient data, including “x-ray film images, computerized tomography (CT) scan images, and magnetic resonance (MRI) imaging along with necessary workstations, servers and storage.” A particular quandary is that virtually every hospital in the country has at least one centralized PACS service, and there are hundreds of thousands more throughout the world.
In the third hospital, TrapX found a backdoor in the X-Ray equipment, an application based upon Windows NT 4.0. Although the hospital security team “had considerable experience in cyber-security,” they were completely unaware their system had been compromised, again due to the malware arriving wrapped as an understated threat.
A Danger To Services?
The presence of hackers throughout medical networks is of course, extremely worrying. But it seems their intrusion into medical facility networks is primarily motivated by the theft of personal medical records, rather than to actually pose a direct threat to hospital hardware. In that sense, we can be thankful.
Many security researchers will take note of the sophisticated malware camouflaged as more basic versions, designed to elude current endpoint security solutions. TrapX noted in their initial MEDJACK report that while old malware was being used to gain access to devices, this is a definite escalation; the attackers’ desire to bypass any modern security checkpoints was noted.
“These old malware wrappers are bypassing modern endpoint solutions as the targeted vulnerabilities have long since been closed at the operating system level. So now the attackers, without generating any alert, can distribute their most sophisticated toolkits and establish backdoors within major healthcare institutions, completely without warning or alert.”
Even if the primary objective is patient credential theft, the exposure of these critical vulnerabilities means only one thing: a more vulnerable healthcare system, with more potential vulnerabilities yet to be exposed. Or, networks that have already been compromised without raising any alarms. As we have seen, this scenario is entirely possible.
Medical records have become one of the most lucrative forms of personally identifiable information, sought by a wide range of malicious entities. With prices ranging from $10-20 per individual record, there is an efficacious black market trade, spurred on by the seeming ease of access to further records.
The message to medical facilities should be clear. The evolution of patient records into an easily transferable digitized version is undoubtedly fantastic. You can walk into almost any medical facility, and they’ll be able to easily access a copy of your records.
But with the knowledge that backdoors are increasingly common in medical devices utilizing progressively ancient hardware, there must be a concerted effort between both equipment manufacturers and medical institutions to work together to maintain patient record security.
Have you been affected by medical record theft? What happened? How did they access your records? Let us know below!
Image Credits:medical monitor by sfam_photo via Shutterstock