Cybercriminals are using increasingly sophisticated methods to gain access to healthcare networks, although according to a recent report from TrapX Research Labs – MEDJACK.2: Hospitals Under Siege – old-school malware and ancient exploits can still be effective.
Three hospitals were discovered to have been infected with malware via medical devices running on legacy systems. The researchers found “a multitude of backdoors and botnet connections” that had been installed using ancient exploits of the unsupported Windows XP platform. The attackers had succeeded in compromising the machines even though the hospitals had modern, sophisticated cybersecurity defenses in place.
The initial attacks used old malware that was not detected by advanced security software. The malware was not deemed to pose a threat because the vulnerabilities it exploited had been addressed in Windows 7 and did not exist in later Windows versions; the Windows XP medical devices, however, never received those fixes.
Sophisticated Cybersecurity Defenses Failed to Identify Windows XP Malware Infections
One of the hospitals tested by TrapX researchers had a host of sophisticated cybersecurity defenses in place. Researchers described the technology as a “very current and well-funded cybersecurity solution.” The hospital network used an enterprise-class firewall, network-centered intrusion detection software, a range of internal firewalls, and up-to-date endpoint protection. The hospital had also previously engaged a number of pentesters to assess its systems for vulnerabilities. During penetration testing, medical devices were highlighted as a potential security risk, but none of the in-house security solutions were able to detect the backdoors already established in the devices.
TrapX security researchers used emulated medical devices as honeypots to attract and engage the software tools used by attackers. The team discovered that malware had been installed on the network and was moving laterally and spreading to new devices. The researchers were able to trace the malware back to a respiratory gating PC that was running Windows XP. Even though security solutions had been deployed to detect intrusions, no alerts were raised and no indicators of compromise were recorded. The hospital was completely unaware of the attack. A few days later another two emulated medical devices generated malware alerts, which were traced back to a fluoroscopy workstation running Windows XP. That machine also had a backdoor.
The attackers could have potentially used their backdoor to alter readings from the device and even interfere with the operation of the device, although they appeared not to have done so. The researchers concluded that the malware had been installed to obtain patient data.
Ancient Worm Used to Compromise Medical Devices
The attackers had managed to compromise the medical devices by exploiting a vulnerability that had been addressed in a 2008 Microsoft Security Bulletin, MS08-067. The critical vulnerability was reported as being exploitable using a specially crafted RPC request, which would allow an attacker to run arbitrary code. In 2008, Microsoft said the critical vulnerability could be leveraged by a wormable exploit, which is exactly what the attackers did.
An MS08-067 worm was used and backdoors were installed. Neither the backdoors nor the lateral movement of the malware through the network was detected.
The attackers used old malware wrappers to conceal highly sophisticated hacking tools and thereby bypassed modern endpoint solutions. Because the vulnerabilities had been addressed at the operating system level, the malware was deemed not to pose a risk, and the cyberattacks consequently occurred without triggering any alerts. However, the malware is far from benign. According to the report, “This advanced malware can now hop laterally across networks to exploit virtually any information within the healthcare institution.”
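The two findings above (decoy devices raising the first alerts, and a worm spreading over RPC/SMB from a legacy XP device while endpoint tools stayed silent) suggest a network-side check that does not depend on recognising the malware at all. The following script is an added example, not code from TrapX or from the report: it reads simple connection records and flags (a) any host that contacts a decoy device and (b) any device in a legacy-device VLAN that opens SMB/RPC sessions to hosts other than its approved servers, then counts distinct targets per source to surface worm-like fan-out. The subnets, decoy addresses, approved servers and log lines are constructed for the example and are not from the page.

```python
"""Network-side detection of worm-style lateral movement from legacy medical devices.

Assumptions for this example (all hypothetical): legacy imaging/gating PCs sit in
their own VLAN and should only talk to a short list of modality/PACS servers, and a
few decoy (emulated) devices exist that no legitimate system ever contacts.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Hypothetical network layout (constructed for this example).
LEGACY_DEVICE_VLAN = ip_network("10.20.0.0/24")          # XP-era imaging/gating PCs
DECOY_DEVICES = {ip_address("10.20.0.250"), ip_address("10.30.0.250")}
ALLOWED_DESTINATIONS = {ip_address("10.20.0.10"), ip_address("10.30.0.20")}
# MSRPC endpoint mapper and SMB: the channel over which MS08-067-style worms spread.
RPC_SMB_PORTS = {135, 139, 445}

DECOY_CONTACT = "contact with decoy device"
LEGACY_SMB = "legacy device SMB/RPC to non-approved host"

# Constructed sample flow records: <timestamp> <src_ip> <dst_ip> <dst_port> <proto>.
SAMPLE_FLOWS = """
# constructed sample, not real hospital traffic
2016-01-10T02:00:01 10.20.0.15 10.20.0.10 104 tcp
2016-01-10T02:00:05 10.20.0.15 10.40.0.7 445 tcp
2016-01-10T02:00:06 10.20.0.15 10.40.0.8 445 tcp
2016-01-10T02:00:07 10.20.0.15 10.40.0.9 445 tcp
2016-01-10T02:00:09 10.20.0.15 10.30.0.250 445 tcp
2016-01-10T02:01:00 10.50.0.3 10.50.0.9 445 tcp
2016-01-10T02:01:30 10.20.0.22 10.30.0.20 445 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), int(dport), proto.lower())


def classify(flow: Flow) -> list:
    """Return the list of alert reasons for a flow; an empty list means not flagged."""
    reasons = []
    if flow.dst in DECOY_DEVICES:
        reasons.append(DECOY_CONTACT)
    if (flow.src in LEGACY_DEVICE_VLAN and flow.proto == "tcp"
            and flow.dport in RPC_SMB_PORTS and flow.dst not in ALLOWED_DESTINATIONS):
        reasons.append(LEGACY_SMB)
    return reasons


def scan(lines) -> list:
    """Return [(flow, reasons)] for every record that raised at least one alert."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue          # skip blank lines and comments
        flow = parse_flow(line)
        reasons = classify(flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts


def worm_candidates(lines, min_targets: int = 3) -> dict:
    """Map legacy-VLAN sources to the number of distinct non-approved SMB/RPC targets
    they reached, keeping only sources at or above min_targets (worm-like fan-out)."""
    targets = {}
    for flow, reasons in scan(lines):
        if LEGACY_SMB in reasons:
            targets.setdefault(str(flow.src), set()).add(flow.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for flow, reasons in scan(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  {'; '.join(reasons)}")
    print("worm candidates:", worm_candidates(SAMPLE_FLOWS.splitlines()))
```

On the sample records the DICOM session (port 104) from the gating PC to its PACS server passes, the three SMB connections to workstations outside the approved list are flagged, the connection to the decoy raises both reasons at once, and the gating PC is reported as a worm candidate with four distinct targets. The workstation-to-workstation SMB flow in 10.50.0.0/24 is deliberately not flagged by these rules, which only cover the legacy-device VLAN; the point is that the decoy and the allow-list make the alert independent of whether any endpoint product recognises the malware.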
Attacks on Medical Devices Are Far From Isolated Incidents
Two further case studies were covered in the report, one of which involved an attack on a PACS (picture archiving and communication) system which potentially would have allowed the attackers to launch attacks on every other reachable system in the hospital. This attack was traced back to the MRI system and involved “an almost harmless networm” which exploited vulnerabilities in XP and unpatched Windows 7 installations. The third case study revealed a similar infection of an X-ray machine.
The researchers demonstrated that, even with highly sophisticated cybersecurity defenses, attackers are able to exploit vulnerabilities in healthcare legacy systems. The researchers pointed out that medical devices are a “key pivot point for attackers,” yet the devices are difficult to secure. Even when a breach is discovered, it is difficult to effectively remediate these devices.
According to the report, “The presence of medical devices on healthcare networks creates high vulnerability. These medical devices will make these networks much more susceptible to a successful cyberattack.”
MEDJACK attacks are also widespread and are a serious problem. TrapX says, “Most institutions cannot detect these attacks, may be unaware of [an] ongoing data breach, or have inadequate strategy and funding in place to identify and remove these attackers.”