New Medical Device Hijack Attacks Hide In Old Malware
Source: Toms IT Pro

In the newly published Anatomy of Attack: MedJack.2 - Hospitals Under Siege, TrapX Labs describes how three hospitals, some with advanced cyber threat detection capabilities, were unaware of sophisticated attacks against medical equipment that could be used to exfiltrate patient data. According to the company, healthcare is now the most frequently attacked industry, ahead of financial services and retail. Most worrying, the majority of these attacks go undetected for months.


Why Medical Devices Are A Prime Target

The new TrapX report states that medical records are worth 10 to 20 times as much as credit card data; other analyses put the figure even higher. Patient data is useful to attackers for blackmail, insurance fraud and abuse, and unlike a credit card number, which loses its value once the card is cancelled, health data stays useful for years.

According to The Identity Theft Resource Center, as of June 14, 2016, 33.4 percent of breaches were medical or healthcare incidents. In 2015, three out of the seven largest data breaches targeted healthcare firms.

Diagnostic equipment such as MRI or PET scanners, life support equipment such as heart-lung machines, ventilators or dialysis machines, and therapeutic equipment such as perfusion pumps, lasers or surgical robots are all run by embedded or attached PCs running commercial off-the-shelf (COTS) operating systems. Medical devices are not replaced at the pace of business computers, and some are two operating-system generations behind, still running Windows 7 or even Windows XP.

Most of the time these devices can't be scanned, for fear of liability, which makes security an even bigger challenge. Because medical devices are FDA approved, cyber defenses cannot simply be added to them without potentially altering the device's behavior, and any change must wait for manufacturer approval: adding new software to a medical device can require recertification or remanufacture of the device.

As if this weren't challenge enough, hospital employees have proven particularly adept at bypassing security. A recent report published by Dartmouth College computer scientists shows how medical personnel routinely bypass even basic information security mechanisms.

How MEDJACK.2 Works

Like the original MEDJACK, MEDJACK.2 wraps a sophisticated attack core inside an older piece of malware. The wrapper is so old that the defenses on modern operating systems won't even scan for it, because those systems are no longer vulnerable to the exploit it carries. The old systems running certain medical devices, however, are still vulnerable, and usually have no endpoint security software at all. Once inside, the MEDJACK.2 core can move laterally undetected, install Remote Access Trojans (RATs) and compromise other systems to gather patient records.

"MEDJACK.2 adds a new layer of camouflage to the attacker's strategy. New and highly capable attacker tools are cleverly hidden within very old and obsolete malware. It is a most clever wolf in very old sheep's clothing," said Moshe Ben Simon, co-founder and VP of TrapX Security and General Manager for TrapX Labs. "They have planned this attack and know that within healthcare institutions they can launch these attacks, without impunity or detection, and easily establish backdoors within the hospital or physician network in which they can remain undetected, and exfiltrate data for long periods of time."

MedJack.2 easily bypasses current defenses with an old attack, then once inside, pivots to attack other devices.


MEDJACK.2 Case Studies

In the first case study presented by TrapX Labs, a large hospital had next-gen firewalls, a segmented network, network IDS and a comprehensive cyber defense suite. Several penetration tests had revealed possible targets but found no attacker backdoors. TrapX's deception technology, which emulates medical devices to attract, trap and engage attacker tools, was installed on all internal networks.

On the second day, an alert fired because malware was found injecting shellcode into an emulated device. Analysis showed that the malware then invoked an additional file transfer to set up extra command and control. The source was a gating PC in an oncology system running Windows XP. A few days later, two more attacker activities were detected on completely separate networks. Using forensic analysis, TrapX traced one of them to a backdoor in a fluoroscopy system, also running Windows XP.

The TrapX Labs team concluded that there was "significant potential for the attacker to manipulate device operation and/or device readings," while noting that there was no evidence this was being done; the attackers appeared interested in medical records. The attacker's tools were camouflaged inside an old worm wrapper exploiting MS08-067, the 2008 Windows Server service vulnerability made famous by Conficker, used to distribute malware capable of jumping between networks.

In the second case study, a smaller hospital used endpoint security, IDS, gateway firewalls and internal segregating firewalls. Earlier threats to patient data had been detected, and DeceptionGrid was installed on internal networks and on the PACS servers (Picture Archive and Communication System, which stores and archives images from multiple sources) to make sure those threats had been eliminated.

On the second day, malware was detected attempting to move laterally with a pass-the-hash attack against a trap. Forensic analysis showed that the initial compromise was on an MRI system, which then attacked the PACS. The malware was wrapped inside old networm32.kido.ib malware (Net-Worm.Win32.Kido is Kaspersky's name for Conficker), and the backdoor it spawned connected to a command and control server run by an external botnet.
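Both case studies turn on the same idea: a decoy that looks like a medical device has no legitimate clients, so any connection to it is an alert, and the first bytes the client sends tell the analyst what kind of tool is knocking. The following is an added illustration of that mechanism, not TrapX's DeceptionGrid code and not malware from the report. It assumes a loopback-only demo (a real decoy would sit on the medical VLAN with the device's real ports, not an OS-chosen port), and the two probe payloads are constructed: an abridged SMB1 negotiate request, the first thing an SMB-based worm such as the MS08-067 wrapper sends, and an HTTP request that has no business on an SMB port.

```python
import socket
import threading
import time
from dataclasses import dataclass

# SMB1 framing: 4-byte NetBIOS session header, then the SMB header, which
# starts with the magic 0xFF 'S' 'M' 'B' followed by a one-byte command code.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72  # first command any SMB1 client (or worm) sends


@dataclass
class DecoyAlert:
    peer: str
    first_bytes: bytes
    verdict: str


def classify(first_bytes: bytes) -> str:
    """Label the first bytes a client sent. Every connection is already an
    alert; this only adds context (SMB1 negotiate vs. some other probe)."""
    if len(first_bytes) >= 9 and first_bytes[4:8] == SMB1_MAGIC:
        cmd = first_bytes[8]
        return "smb1-negotiate" if cmd == SMB_COM_NEGOTIATE else f"smb1-cmd-0x{cmd:02x}"
    if len(first_bytes) >= 8 and first_bytes[4:8] == SMB2_MAGIC:
        return "smb2"
    return "unknown"


class Decoy:
    """A fake 'device' listener: it never answers, it only records who knocked."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: OS picks a free port (demo only)
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.alerts: list[DecoyAlert] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "Decoy":
        self._thread.start()
        return self

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:                    # read the opening bytes, then hang up
                conn.settimeout(1.0)
                try:
                    data = conn.recv(256)
                except socket.timeout:
                    data = b""
            with self._lock:
                self.alerts.append(DecoyAlert(f"{addr[0]}:{addr[1]}", data, classify(data)))

    def wait_for_alerts(self, count: int, timeout: float = 3.0) -> list[DecoyAlert]:
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return list(self.alerts)
            time.sleep(0.05)
        with self._lock:
            return list(self.alerts)

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> None:
    """Plays the scanning malware: connect, send the first packet, hang up."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)


# Constructed sample traffic (not captured from MEDJACK.2).
SMB1_NEGOTIATE_PROBE = b"\x00\x00\x00\x20" + SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"


def run_demo() -> list[DecoyAlert]:
    """Start a decoy, hit it with both probes, return the alerts in arrival order."""
    decoy = Decoy().start()
    try:
        probe(decoy.port, SMB1_NEGOTIATE_PROBE)
        probe(decoy.port, HTTP_PROBE)
        return decoy.wait_for_alerts(2)
    finally:
        decoy.stop()


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT decoy touched by {alert.peer}: {alert.verdict} ({alert.first_bytes[:12]!r})")
```

The point of the design is that the decoy does not need a signature for the wrapper or for the core hidden inside it: the old MS08-067 exploit and a brand-new RAT look identical from the decoy's side, namely as a connection that should never have happened. The classification is only enrichment for the responder, which is why `classify` returns "unknown" rather than dropping anything it does not recognise.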

"MEDJACK.2 adds a clever layer of camouflage to the attacker such that entire enterprise cyber defense suites have completely failed to detect the attack at any level of alert. The attacker rapidly finds and exploits the medical devices to establish secure and clandestine backdoors from which to exfiltrate patient data, damage operations and then perhaps exit with a coup de grace such as a ransomware attack," said Carl Wright, Executive Vice President and General Manager for TrapX Security. "Institutions remain wide open to these sophisticated and, what we now believe to be, highly targeted attacks by MEDJACK.2."

MEDJACK.2 Prevention Steps

Once a backdoor is installed on a medical device, manufacturer cooperation is necessary to ensure removal. Sometimes this means shipping the device back to the manufacturer.

TrapX Labs' recommendations to prevent this include:

  • Review cyber defense budgets at the board level. Bring in outside experts to review strategy, budgets and approach. Every medical device must be protectable against attacks such as MEDJACK.2, and meeting that requirement will significantly increase budgets.
  • Prepare for a breach.
  • Scrutinize third-party providers, especially their ability to detect and/or prevent attacks like MEDJACK.2. Review whether vendors digitally sign their software and encrypt internal data with passwords controlled by the hospital. All vendor contracts must include language defining the ability to detect and remove malware.
  • Isolate medical networks, preferably completely from outside access.
  • Increase employee education programs significantly. Medical devices must not be used for personal communication. Manage USB access; if a memory stick transfer is necessary, use only new memory devices to ensure one-way transfer. Use a whitelist if external communication from the medical device is necessary.
  • Deploy cyber defenses that can detect malware and persistence vectors that have bypassed primary defenses.

The malware's design shows that the attackers specifically targeted older medical systems. Typical IDS, next-gen firewalls and endpoint products were unable to detect these threats, while TrapX's DeceptionGrid, emulating medical devices, proved effective at discovering them. Medical providers need to take additional steps to protect all medical devices, and especially the older systems, from this new breed of cyber threat.

For more information, download TrapX Labs' report or check out the upcoming webinar, MEDJACK.2: Healthcare Under Siege, scheduled for Tuesday, July 26, 2016.
