Beware of Medical Device Hijack Attacks! Medjack.3 Discovered

In 2015, security researchers discovered MEDJACK malware: A form of malware developed specifically to attack medical devices such as heart monitors, MRI machines, and insulin pumps. While medical devices have long been a potential target for cybercriminals, until the discovery of MEDJACK, the threat of cyberattacks on medical devices was largely theoretical.

While MEDJACK could have been a one-off, evidence emerged suggesting it was being actively developed. A second version of the malware, discovered last summer, was being used for advanced persistent attacks on hospitals via medical devices running on legacy systems.

Vulnerable medical devices were being used as a springboard to gain access to the networks used to store patients' electronic protected health information. TrapX Security discovered that at least three attacks on healthcare providers had occurred using MEDJACK.2 by the summer of 2016.

MEDJACK.2 was capable of bypassing security controls because the malware used was old and was no longer deemed to be a threat by security solutions. More recent versions of Windows were already protected against attacks using the malware, so in many cases no alarms were triggered.

However, the attackers simply used an old malware wrapper to hide a range of cybersecurity tools: tools that enabled them to install backdoors and move laterally within healthcare networks virtually undetected.

Now, security researchers at TrapX have discovered a third version of the malware. MEDJACK.3 is even more advanced and poses an even bigger threat to hospitals. The new version of the malware was discovered during an investigation of the medical infrastructure at ten UK hospitals.

As part of the investigation, TrapX created a number of fake medical devices, such as MRI scanners. They noticed that those devices were being probed and that attackers were using a new method to discover and infect devices. While the method was new to MEDJACK, it had been seen before, many years previously. The attackers were using an old malware spreader to find and attack devices running older operating systems.

According to Anthony James, VP of marketing at TrapX, “Attackers are leveraging legacy malware-spreading tools that bypass a lot of today’s operating systems and target older systems.” The latest attacks are more targeted, with the attackers searching for specific devices that can be attacked rather than the more random approach seen last year.

Any device running an older, unpatched operating system was found to be vulnerable to attack and would accept the hacker’s tools. That included older operating systems such as Windows XP and Windows Server 2003, but also Windows 2008 and 2012. As was the case with MEDJACK.2, because the malware used was not perceived to pose a threat, the hackers were able to infect devices undetected.

TrapX has warned that many healthcare providers may already have been attacked with MEDJACK.3 and that access may have been gained to their medical devices, and possibly also to the networks to which those devices are connected.

TrapX will be releasing a new white paper on MEDJACK.3 shortly.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.