The Department of Health and Human Services Office for Civil Rights (OCR) has issued a warning to HIPAA covered entities and their business associates of an increase in attacks on network attached storage (NAS) devices. The devices are being attacked using a form of malware called Mal/Miner-C, otherwise known as PhotMiner. The attack exploits File Transfer Protocol (FTP) vulnerabilities in NAS devices.
The malware was first identified in June this year and it has been spreading quickly. Following the discovery of the malware, researchers at Sophos identified 1,702,476 instances of the threat, although it would appear that many devices had been infected multiple times.
While the threat is not specific to any particular NAS device, Sophos determined that the Seagate Central device was at risk due to the way the device uses public folders which allows attackers to easily install the malware. Up to 70% of the devices had already been infected with the malware – 5,000 of the 7,000 devices currently in use.
The malware provides attackers with access to NAS devices. Once access has been gained, the attackers use brute force attacks with a list of default credentials to gain access to other networked devices. The malware also installs itself in public folders masquerading as standard office folders. When end users click on those folders they inadvertently install the malware on their own devices, which allows infections to spread quickly. All devices which connect to the NAS device can be infected.
The malware is not an information stealer, so PHI is not necessarily at risk; however, the malware has a significant impact on system resources. The malware is a cryptocurrency miner. It generates income for the attackers by mining Bitcoin and other cryptocurrencies, using the processing power of the computer on which it is installed to solve the math problems used in the generation of cryptocurrencies. The more problems that are solved, the more Bitcoin is generated and the more money the attackers make. So far the attackers have managed to mine cryptocurrencies worth $86,000.
It is possible to prevent infection of Seagate Central devices by disabling remote access, which prevents the devices from being accessed over the Internet.
OCR recommends healthcare organizations take the following steps to reduce the risk of infection with cryptocurrency mining malware:
- Limit the abilities of unauthorized users to access: PC basic input output systems (BIOS) that control the basic functions of the computer (i.e., time and date, media boot order, and speeds at which the processor and memory run); data centers and server rooms; and corporate premises
- Perform regular physical audits and checks for unauthorized equipment
- Setup delivery and deployment processes to ensure only authorized access to equipment and facilities is permitted
- Perform detailed network-traffic analysis
- Block all untrusted websites and only allow communication that is approved
- Keep anti-virus and anti-malware software up to date
- Make use of whitelists for applications
- Make use of approved software-asset-management applications
- Perform active, real-time performance and system monitoring
- Limit administrative privileges
- Change generic/shared user passwords and review access rights; and
- Implement segregation or separation of duties.
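Two of the behaviours described above leave traces a defender can look for: the burst of default-credential guesses against a NAS followed by a successful login, and the sustained CPU drain of a coin miner on any device it spreads to (the "network-traffic analysis" and "real-time performance and system monitoring" items in OCR's list). The following is an added example, not code from the OCR alert or from the Sophos research it cites, showing both detections run over constructed sample telemetry. The FTP log format, host names, IP addresses and CPU samples are all made up for the example; a real NAS or ftpd log will need its own parser.

```python
"""Added example, not from the OCR alert or the Sophos research it cites.
Two detections a defender could run over their own telemetry after reading
the alert: a burst of failed FTP logins against NAS hosts followed by a
success (the default-credential guessing described above), and sustained
CPU saturation on a workstation (the resource drain a coin miner causes).
The log format, hostnames and IP addresses are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FTP authentication log. Real NAS/ftpd formats differ; adjust parse_ftp_line().
# Format: "<ISO timestamp> <nas-host> ftpd: <OK|FAIL> user=<name> from=<source-ip>"
FTP_LOG = """\
2016-10-12T09:00:01 nas-01 ftpd: FAIL user=admin from=10.0.5.23
2016-10-12T09:00:02 nas-01 ftpd: FAIL user=admin from=10.0.5.23
2016-10-12T09:00:02 nas-01 ftpd: FAIL user=root from=10.0.5.23
2016-10-12T09:00:03 nas-01 ftpd: FAIL user=user from=10.0.5.23
2016-10-12T09:00:04 nas-01 ftpd: FAIL user=guest from=10.0.5.23
2016-10-12T09:00:05 nas-01 ftpd: OK user=admin from=10.0.5.23
2016-10-12T09:00:06 nas-02 ftpd: FAIL user=support from=10.0.5.23
2016-10-12T09:00:10 nas-02 ftpd: FAIL user=backup from=10.0.9.40
2016-10-12T09:01:30 nas-01 ftpd: FAIL user=jsmith from=10.0.7.8
2016-10-12T09:01:45 nas-01 ftpd: OK user=jsmith from=10.0.7.8
2016-10-12T09:20:10 nas-02 ftpd: FAIL user=backup from=10.0.9.40
2016-10-12T09:40:10 nas-02 ftpd: FAIL user=backup from=10.0.9.40
"""


def parse_ftp_line(line):
    """Turn one constructed log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "ftpd:" or parts[3] not in ("OK", "FAIL"):
        return None
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "host": parts[1],
        "result": parts[3],
        "user": parts[4].split("=", 1)[1],
        "src": parts[5].split("=", 1)[1],
    }


def _events_by_source(log_text):
    """Group parsed events by source IP, each group sorted by timestamp."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_ftp_line(line)
        if rec:
            events[rec["src"]].append(rec)
    for recs in events.values():
        recs.sort(key=lambda r: r["ts"])
    return events


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: peak_failures} for sources with at least `threshold`
    failed logins inside any `window`-long interval (sliding window per source)."""
    hits = {}
    for src, recs in _events_by_source(log_text).items():
        fails = [r["ts"] for r in recs if r["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def guessed_logins(log_text, min_failures=3, window=timedelta(minutes=1)):
    """Return (source_ip, nas_host, user) for every successful login preceded by
    at least `min_failures` failures from the same source within `window`:
    the moment a guessed or default credential actually worked."""
    found = []
    for src, recs in _events_by_source(log_text).items():
        recent_fails = []
        for r in recs:
            recent_fails = [t for t in recent_fails if r["ts"] - t <= window]
            if r["result"] == "FAIL":
                recent_fails.append(r["ts"])
            elif len(recent_fails) >= min_failures:
                found.append((src, r["host"], r["user"]))
    return found


# Constructed per-minute CPU utilisation samples (percent) from endpoint monitoring.
CPU_SAMPLES = {
    "ws-104": [12, 15, 9, 11, 14, 10],      # normal desktop
    "ws-211": [97, 98, 99, 96, 99, 98],     # pegged the whole time
    "ws-305": [95, 20, 96, 18, 94, 22],     # bursty, e.g. a compile job
}


def sustained_high_cpu(samples, threshold=90, min_consecutive=5):
    """Return {host: longest_run} for hosts that stayed at or above `threshold`
    percent CPU for at least `min_consecutive` consecutive samples. Short bursts
    are normal; a miner keeps the CPU pegged for as long as it runs."""
    flagged = {}
    for host, series in samples.items():
        run = longest = 0
        for value in series:
            run = run + 1 if value >= threshold else 0
            longest = max(longest, run)
        if longest >= min_consecutive:
            flagged[host] = longest
    return flagged


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(FTP_LOG))
    print("guessed logins:", guessed_logins(FTP_LOG))
    print("sustained CPU:", sustained_high_cpu(CPU_SAMPLES))
```

The success-after-failures rule is the one worth paging someone for: a burst of failures alone may be a misconfigured backup job, but a login that succeeds right after a run of failed attempts with different usernames is the point at which a default credential has been found and the next device is about to be reached. The CPU rule is deliberately conservative (five consecutive samples at 90% or more) so that ordinary bursts of legitimate work are not flagged; on a fleet of workstations, tuning it against a week of baseline samples is better than guessing a threshold.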
Healthcare organizations have been advised to consult the SANS Institute to find out how to detect cryptocurrency mining malware.