All Wrapped Up: The Evolution Of Medical Hijacking

Gavin Phillips 13-07-2016

Among the ever gushing river of stolen personal information, one data type has solidified its position as the caviar of personal credentials, and is now sought by a broad variety of nefarious individuals and organizations. Medical data has risen to the top 5 Reasons Why Medical Identity Theft is Increasing Scammers want your personal details and bank account information – but did you know that your medical records are also of interest to them? Find out what you can do about it. Read More of the identity theft pile, and as such medical facilities are encountering an ongoing surge in malware designed to steal those private credentials.



Earlier this year, we explored the MEDJACK report Healthcare: The New Attack Vector for Scammers & ID Thieves Healthcare records are increasingly used by scammers to make a profit. While there are massive advantages to having a digitized medical record, is putting your personal data in the firing line worth it? Read More , compiled by deception-focused security firm, TrapX. Their initial MEDJACK report illustrated a broad range of attacks focused on medical facilities throughout the country, with a focus on hospital medical devices. TrapX found “extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA),” as well as notifying hospital authorities of an impressive range of additional potential vulnerable instruments, including:

“Diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more.”

The new report, MEDJACK.2: Hospitals Under Siege (I love this title, by the way!), has built upon this early detailing of the persistent threat posed to medical facilities, and the security company provide a detailed analysis of the “ongoing, advanced” attacks taking place.

New Institutions, New Attacks

One of the most interesting things detailed in the report was the sophisticated malware variants deployed by the attackers, specifically designed to appear as to be no concern to modern Windows systems. The MS08-067 worm, more commonly known as Conficker, is well-known amongst security professionals, and indeed, its signature is equally well-known by antivirus and endpoint security software Compare Your Anti-Virus' Performance with These 5 Top Sites Which anti-virus software should use? Which is the "best"? Here we take a look at five of the best online resources for checking anti-virus performance, to help you make an informed decision. Read More .

Win32 Worm Conficker

The majority of recent Windows versions have eradicated most of the specific vulnerabilities which allowed the worm such success during its “heyday,” so when presented to the network security system of the medical facility, it appeared as though there was no immediate threat.


However, the malware was specifically selected for its ability to exploit older, unpatched versions of Windows that are found on many medical devices. This is critical for two reasons:

  1. As the newer versions of Windows weren’t vulnerable, they didn’t detect a threat, eliminating any endpoint security protocols that should have stepped in. This ensured the worm’s successful navigation to any old Window workstations.
  2. Specifically focusing the attack on older versions of Windows granted a significantly higher chance of success. As well as this, most medical devices do not have specialized endpoint security, again limiting their chances of detection.

TrapX co-founder, Moshe Ben Simon, explained:

“MEDJACK.2 adds a new layer of camouflage to the attacker’s strategy. New and highly capable attacker tools are cleverly hidden within very old and obsolete malware. It is a most clever wolf in very old sheep’s clothing. They have planned this attack and know that within healthcare institutions they can launch these attacks, without impunity or detection, and easily establish backdoors within the hospital or physician network in which they can remain undetected, and exfiltrate data for long periods of time.”

Specific Vulnerabilities

Using the out-of-date Conficker worm as a wrapper, the attackers were able to move swiftly between internal hospital networks. Although TrapX have not officially named the medical facility vendors their security systems were evaluating, they have detailed the specific departments, systems, and equipment vendors that were affected:

  • Hosptial #1: Top 1,000 global hospital
    • Vendor A – Radiation Oncology system
    • Vendor A – Trilogy LINAC Gating system
    • Vendor B – Flouroscopy Radiology system
  • Hospital #2: Top 2,000 global hospital
    • Vendor C – PACS system
    • Multiple Vendor Computer Servers and Storage Units
  • Hospital #3: Top 200 global hospital
    • Vendor D – X-Ray Machine

In the first hospital, attackers compromised a system running a centralized intrusion detection system, endpoint protection throughout the network, and next generation firewalls. Despite these protections, security researchers found backdoors in a number of systems, as detailed above.


MEDJACK 2 Oncology Dept

The second hospital found their Picture Archiving and Communication System (PACS) had been compromised in order to search for vulnerable medical devices and patient data How Health Data from Your Apps Is Being Bought and Sold The recent explosion in the number of health and fitness apps means that there's a lot of health data being collected by our devices - data that is being sold. Read More , including “x-ray film images, computerized tomography (CT) scan images, and magnetic resonance (MRI) imaging along with necessary workstations, servers and storage.” A particular quandary is that virtually every hospital in the country has at least one centralized PACS service, and there are hundreds of thousands more throughout the world.


In the third hospital, TrapX found a backdoor in the X-Ray equipment, an application based upon Windows NT 4.0 Remember These? 7 Ancient Windows Programs Still Used Today They say technology advances at an exponential rate. But did you know some programs have been around for multiple decades? Join us for a walk down Nostalgia Lane and discover the oldest surviving Windows programs. Read More . Although the hospital security team “had considerable experience in cyber-security,” they were completely unaware their system had been compromised, again due to the malware arriving wrapped as an understated threat.


MEDJACK2 Backdoor

A Danger To Services?

The presence of hackers throughout medical networks is of course, extremely worrying. But it seems their intrusion into medical facility networks is primarily motivated by the theft of personal medical records This Is How They Hack You: The Murky World of Exploit Kits Scammers can use software suites to exploit vulnerabilities and create malware. But what are these exploit kits? Where do they come from? And how can they be stopped? Read More , rather than to actually pose a direct threat to hospital hardware. In that sense, we can be thankful.

Many security researchers will take note of the sophisticated malware camouflaged Your New Security Threat for 2016: JavaScript Ransomware Locky ransomware has been worrying security researchers, but since its brief disappearance and return as a cross-platform JavaScript ransomware threat, things have changed. But what can you do to defeat the Locky ransomware? Read More as more basic versions, designed to elude current endpoint security solutions. TrapX noted in their initial MEDJACK report that while old malware was being used to gain access to devices, this is a definite escalation; the attackers’ desire to bypass any modern security checkpoints was noted. ­

“These old malware wrappers are bypassing modern endpoint solutions as the targeted vulnerabilities have long since been closed at the operating system level. So now the attackers, without generating any alert, can distribute their most sophisticated toolkits and establish backdoors within major healthcare institutions, completely without warning or alert.”

Even if the primary objective is patient credential theft, the exposure of these critical vulnerabilities means only one thing: a more vulnerable healthcare system, with more potential vulnerabilities yet to be exposed. Or, networks that have already been compromised without raising any alarms. As we have seen, this scenario is entirely possible.


Medical records have become one of the most lucrative forms of personally identifiable information, sought by a wide range of malicious entities. With prices ranging from $10-20 per individual record, there is an efficacious black market trade, spurred on by the seeming ease of access to further records.

The message to medical facilities should be clear. The evolution of patient records into an easily transferable digitized version is undoubtedly fantastic. You can walk into almost any medical facility, and they’ll be able to easily access a copy of your records.

But with the knowledge that backdoors are increasingly common in medical devices utilizing progressively ancient hardware, there must be a concerted effort between both equipment manufacturers and medical institutions to work together to maintain patient record security.

Have you been affected by medical record theft? What happened? How did they access your records? Let us know below!

Image Credits:medical monitor by sfam_photo via Shutterstock

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *