TrapX Investigative Report

ANATOMY OF ATTACK

MEDJACK.2 Hospitals Under Siege

By TrapX Research Labs

©2016 TrapX Software. All Rights Reserved.

Notice

TrapX Security reports, white papers and legal updates are made available for educational purposes only. Our purpose is to provide general information only. At the time of publication all information referenced in our reports, white papers and updates, is as current and accurate as we could determine. As such, any additional developments or research, since publication, will not be reflected in this report.

Please note that these materials may be changed, improved, or updated without notice. TrapX Security is not responsible for any errors or omissions in the content of this report or for damages arising from the use of this report under any circumstances.

Disclaimer

The inclusion of the vendors mentioned within the report is a testimony to the popularity and good reputation of their products within the hospital community and our need to accurately illustrate the MEDJACK.2 attack.

Medical devices are FDA approved devices and additional software for cyber defense cannot be easily integrated into the device, especially after the FDA certification and manufacture.

We have worked in strict confidence with the healthcare institutions documented in these case studies in order to identify and remediate current and future cyber attacks. Information released which pertains to specific medical devices is done solely to understand and illustrate the details of the MEDJACK and MEDJACK.2 attack vector.

Please note some of the information technology, servers, firewalls, networks, and medical device equipment identified in this report were several years old. Notwithstanding the hospital's best intentions, both the information technology and medical devices may not have been maintained or installed in accordance with manufacturer recommendations. Required software updates and improvements to these devices, that may have reduced or eliminated cyber attacks, may not have been installed. Network configurations and set-ups that may have reduced or eliminated cyber attacks, may not be in place. Current best practices may not have been implemented - this is in some cases a subjective determination on the part of the hospital team.

New best practices that utilize advanced threat detection techniques such as deception technology are relatively new to hospitals, and only recently available for commercial deployment.

Finally, we would note that TrapX Labs personnel involved with the cyber security initiatives described herein are not certified or trained by the manufacturer. We do not know if the hospital personnel involved in supporting our efforts during our proof of concept deployments were trained or certified on the equipment.


Contents

About Anatomy of Attack ... 5
Executive Summary ... 7
Healthcare - State of the Union ... 10
Challenges in the Healthcare Network ... 13
Case Study - Hospital #1 ... 15
Case Study - Hospital #2 ... 18
Case Study - Hospital #3 ... 21
Understanding MEDJACK.2 ... 23
MEDJACK.2 Risk ... 24
Conclusions ... 25
Recommendations ... 27
Cyber Defense Recommendations and Best Practices ... 29
About TrapX Security ... 31


About Anatomy of Attack

The Anatomy of Attack (AOA) Series highlights the results of our research into current or potential critical information security issues. The AOA series are publications of TrapX Laboratories. The mission of TrapX Labs is to conduct critical cyber security experimentation, analysis and investigation and to bring the benefits back to the community at large through AOA publications and rapid ethical compliance disclosures to manufacturers and related parties.

The TrapX Labs knowledge base benefits from information on advanced events shared with us by the TrapX Security platform. Uniquely this threat analysis includes very deep intelligence on advanced threats and Zero Day events.


Executive Summary

In May, 2015 TrapX Labs released an Anatomy of Attack report that shared our research into the discovery and analysis of three targeted hospital attacks. The TrapX Labs team referred to this attack vector as MEDJACK, or "medical device hijack."

In the first report we described how medical devices have become a key pivot point for attackers within healthcare networks. Medical devices are visible points of vulnerability, and the hardest area to secure and remediate, even after a compromise has been identified. We described how these persistent cyber-attacks threaten overall hospital operations and the security of patient data. We further described how the attacks happen, and once established, how the attackers can extend their foothold on these compromised systems to potentially breach the patient records over an extended period of time.

MEDJACK.2 is a sophisticated evolution of the original MEDJACK attack based upon primary research gathered from recent incidents documented within the TrapX security platform in late 2015 and early 2016. This included a detailed review of data and analysis associated with ongoing, advanced attacks in three new healthcare institutions. These attacks pivoted around medical devices which were installed within the hospital's hardwired networks. MEDJACK.2, or medical device hijack 2, frames an evolution of the attacks we documented in our first MEDJACK report. In our three new case study hospitals we found a multitude of backdoors and botnet connections, working under the control of attackers.

"MEDJACK.2 adds a new layer of camouflage to the attacker's strategy. New and highly capable attacker tools are cleverly hidden within very old and obsolete malware. It is a most clever wolf in very old sheep's clothing. They have planned this attack and know that within healthcare institutions they can launch these attacks, without impunity or detection, and easily establish backdoors within the hospital or physician network in which they can remain undetected, and exfiltrate data for long periods of time."
– Moshe Ben Simon, Co-Founder & VP, TrapX Security; General Manager, TrapX Labs

It is extremely important to note that the malware propagated by the attacker(s) was never detected by any endpoint security software. Often we can find endpoint security alerts during our forensic analysis but these were not present in these case studies. A unique finding during the investigation was that the attack utilized an old malware variant, such as a variant of the MS08-067 worm, for which the signatures were well known. Windows 7 and later versions had eliminated the vulnerabilities that this worm sought to exploit, so that it appeared to be of no concern, even if it was detected by other security solutions, since the vast majority of workstations would not be vulnerable. The malware utilized for this attack was specifically selected to exploit older versions of Windows, and given that the general endpoints were using newer Windows versions, they would not be affected by the threat. This point is critical, and serves two main objectives:

1. Since newer versions of Windows were not vulnerable, the workstations would naturally ignore the attack, eliminating the need for any endpoint security software to step in. This ensured that the worm would go undetected while it sought out older Windows systems.

2. The medical devices deployed in these case studies utilized older versions of Windows that were still vulnerable to the threat. This gave the attackers a higher likelihood of compromising these systems. And since most medical devices do not have additional endpoint security software, the attack would go undetected.

In order to ensure success, it appears that the attackers intentionally repackaged and embedded new, highly sophisticated tools and camouflaged them within the MS08-067 worm.

"Attackers continue to evolve the perfect storm with the proliferation of MEDJACK.2. Within the simplicity of targeting attacks using carefully selected long out-of-date malware wrappers, they are able to package and successfully deliver the latest and most sophisticated attacker tools. MEDJACK.2 is the leading edge of organized crime weaponry designed to penetrate and compromise hospital networks virtually undetected. TrapX Labs believes that MEDJACK and MEDJACK.2 as well as related attacks loom in the majority of our medical facilities around the world and present an increased threat to facility operations, patient safety, and the confidentiality of patient data."
– Carl Wright, Executive Vice President and General Manager, TrapX Security

Once the attackers were inside the network, many medical devices became easy targets from which they could launch their campaign. Based upon the forensics from these case studies and others, we conclude that MEDJACK.2 attackers are intentionally moving to old variants of attack vectors to specifically target medical devices knowing they have no additional security protections.

You will see from these case studies that the malware was able to gain a foothold within the older operating systems in the medical devices and avoid *ANY* detection in the standard IT endpoints or network solutions. It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack.

Within the three hospitals selected for our MEDJACK.2 case studies we installed TrapX deception technology which enabled us to discover these attacks within a period of time that ranged from just under an hour (case study #3) to within a few days (case studies #1 and #2). We employed full forensic techniques to understand and document the chain of the attack, identify the source attacker locations and threats, where possible, and then to assist the client in eliminating the threats and returning to normal operations.

These were the components found to be the source of heavy attacker activity:

Hospital #1:
Vendor A - Radiation Oncology system
Vendor A - Linac Gating system
Vendor B - Fluoroscopy Radiology system

Hospital #2:
Vendor C - PACS System

Hospital #3:
Vendor D - X-Ray machine

In summary, we present our conclusions and recommendations for minimizing the risk associated with a MEDJACK and the more sophisticated MEDJACK.2 attack. We present our ideas towards best practices for design, implementation and system life management of networked medical devices and healthcare networks. It is the conclusion of this report that the overwhelming majority of medical devices deployed within medical facilities are susceptible in varying degrees to the cyber-attacks documented in this report. This remains a serious situation and one that continues to require immediate attention and remediation.


Healthcare - State of the Union

Healthcare is one of the largest individual markets within the United States with annual expenditures that consume approximately 17.5 percent of the gross domestic product in the United States. The ecosystem that provides healthcare in the U.S. includes approximately 900,000 physicians spread across over 225,000 practices. In addition, there are over 2,700,000 registered nurses, physician's assistants and medical administrative staff that support these hospitals and physician practices.

There are other key facilities necessary for the delivery of important healthcare services. This includes over 5,500 hospitals that support these healthcare providers directly. There are many satellite facilities too, including skilled nursing facilities, ambulatory surgical centers, physical therapists and much more. The great majority of these facilities are connected electronically and often share common electronic medical record/health systems (EMR/EHR). All of this presents a massive target of choice for cyber attackers.

Of the seven biggest data breaches of 2015, three directly targeted healthcare organizations: Excellus BlueCross BlueShield, 10 million records compromised; Premera Blue Cross, 11 million records affected; and Anthem Blue Cross, with 78.8 million highly sensitive patient records compromised. Recent events since the original MEDJACK report continue to show the acceleration of attacker activity within healthcare in 2016 after reported incidents dropped slightly in 2015.

During the first few months of 2016, the healthcare industry experienced a virtual tsunami wave of cyber threats that struck numerous hospitals across North America and around the globe. Some of these hospitals are listed in Table 1 - North American Hospitals Impacted by Cyber Attackers in 2016. All of these attacks were mentioned in traditional or online news media. Let us be clear, the hospitals in the table below are listed because of their inclusion in recent traditional or online news media, not because they are the only ones impacted by cyber attacks. TrapX Labs believes that the great majority of hospitals within the world continue to be impacted by MEDJACK and MEDJACK.2.


Table 1 - North American Hospitals Impacted By Cyber Attacks In 2016

HOSPITAL | LOCATION
Hollywood Presbyterian Medical Center [1] | Hollywood, California
Methodist Hospital | Henderson, Kentucky
Ottawa Hospital | Ottawa, Canada
Mercy Hospital, Mercy Iowa City | Iowa City, Iowa
Alvarado Hospital Medical Center [2] | San Diego, California
Chino Valley Medical Center [3] | Chino, California
Desert Valley Hospital [4] | Victorville, California
Kings Daughters Health (KDH) | Madison, Indiana
Medstar Franklin Square Medical Center | Baltimore, Maryland
Medstar Good Samaritan Hospital | Baltimore, Maryland
Medstar Harbor Hospital | Baltimore, Maryland
Medstar Montgomery Medical Center | Olney, Maryland
Medstar Southern Maryland Hospital Center | Clinton, Maryland
Medstar St. Mary's Hospital | Leonardtown, Maryland
Medstar Union Memorial Hospital | Baltimore, Maryland
Medstar Georgetown University Hospital | Washington, DC
Medstar Washington Hospital Center | Washington, DC
Medstar National Rehabilitation Center | Washington, DC

[1] Owned by CHA Medical Group of South Korea
[2] Owned by Prime Healthcare Services
[3] Owned by Prime Healthcare Services
[4] Owned by Prime Healthcare Services


The legal environment is very challenging for the healthcare community. Of course, most data is protected under the Health Insurance Portability and Accountability Act (HIPAA) which is enforced, in part, as specified by the HITECH act. HIPAA stipulates a basic framework of requirements for meeting legislated privacy and security requirements to protect personal health information.

Healthcare data protection and disclosure is also governed by laws that vary by state. There are states for which the definition of "personal information" is broader or technically different than the general definition within HIPAA. In the event of a breach, each state may have varying requirements for notification, post-event risk analysis, may offer an encryption "safe-harbor" and more. Some states require that you notify the state attorney general if you suffer a breach of more than 1,000 records. Other states provide additional regulations pertaining to the protection of data involving HIV/AIDS treatment. Finally, some states are now permitting a private cause of action by the patients involved.

All of these uncertain situations raise the risk for the healthcare institution and strain limited resources to the breaking point. Consider the case of a ransomware attack. The attacker has already analyzed and encrypted most of your data. Do you have a breach? How do you know? If you are in Washington, D.C. and data was breached from patients residing in Washington, D.C., Maryland and Virginia, how do the laws apply? All of this creates significant expense and liability beyond the short term ramifications of the breach or just dealing with HIPAA. Of course, the potential damage to each of the patients whose data was stolen is also a primary concern.

As we know today, healthcare has always been and remains a major target. As of January 16, 2016, the Identity Theft Resource Center (ITRC) shows Healthcare breach incidents as 35.5% of all listed incidents nationwide. The continuing wave of attacks against hospitals and medical organizations is driven by relative economic rewards for organized crime. Medical records continue to have between 10 to 20 times the value of credit card data. Cyber-attackers know that healthcare institution networks are highly vulnerable due to medical devices and hence offer attractive "low hanging fruit." This continues to place our most important healthcare institutions at high risk.


Challenges in the Healthcare Network

Medical devices go through a Food and Drug Administration approval process prior to commercial release. This is essential to ensure that the standards of manufacture and product performance protect consumers and meet safe intended use.

This makes things much more complex for the healthcare cyber defenders. The cyber defense team within hospitals cannot install their local suites of cyber defense software. There is no real protection offered by any 3rd party or pre-installed cyber defense suites. Medical devices cannot be scanned using any sort of agent or intrusive software. Medical devices are virtual black holes to the hospital cyber support team. There are many technical reasons and manufacturer restrictions that limit hospitals from installing software within the medical devices. Technical limitations aside, when you speak with the hospital they tell you very directly that it is about liability. Tampering with an FDA approved device might impact operation in some unknown way. No clinician or healthcare institution administrator wants to take on that risk.

Generally, medical devices are managed by the manufacturer's own technical team. Once again, there is no real protection offered by most cyber defense suites that could run within the medical devices.

"Attackers have determined that medical devices on the network are a vulnerable point of entry and the best target. MEDJACK.2 ups the ante for the defenders. New tools and new best practices are required now more than ever. MEDJACK.2 adds a clever layer of camouflage to the attacker such that entire enterprise cyber defense suites have completely failed to detect the attack at any level of alert. The attacker rapidly finds and exploits the medical devices to establish secure and clandestine backdoors from which to exfiltrate patient data, damage operations and then perhaps exit with a coup de grace such as a ransomware attack. Institutions remain wide open to this sophisticated and what we now believe to be highly targeted attacks by MEDJACK.2."
– Carl Wright, Executive Vice President, General Manager, TrapX Security


The FDA is wrestling with the problem of integrating modern medical devices with up-to-date cyber defense techniques. To the best of our knowledge, any cyber security software agent or executable from a 3rd party that would be placed within the medical device is absolutely not approved for use at this time.

As we noted in the initial MEDJACK report, hospitals install medical devices "behind the firewall" where they are believed to be secure and protected. We know from all our MEDJACK and MEDJACK.2 case studies that this strategy does not work. Modern attackers and their malware have defeated this strategy in the three healthcare institutions within the MEDJACK report, in the three additional institutions cited within the MEDJACK.2 report and in many other healthcare institutions that we deal with on a daily basis.

The MEDJACK and MEDJACK.2 attack vectors present a highly vulnerable target to attackers. The defenders cannot easily get in to detect or remediate an attack. The attackers seem to have a wide open door. Medical devices are "black boxes" and their internal software operations are not visible to the hospital cyber defense team. They run out of date operating systems, such as Windows 7 or Windows XP, which are highly vulnerable and almost completely unprotected.

The list of devices vulnerable to MEDJACK and MEDJACK.2 is very large. This includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers, surgical machines), life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and more. As we noted above, most of these devices run standard and often older operating systems and the medical devices' proprietary internal software.

Recently, ransomware has become another attacker weapon of choice. Ransomware can generate income quickly for cyber criminals and may be the crowning blow following a data breach and theft. Ransomware is different. Attacker software copies original files, encrypts them, and then deletes the originals, propagating rapidly through the healthcare institution until stopped. Locky, a new strain of ransomware, infected computers within several healthcare facilities in the United States, New Zealand, and Germany. Another type of ransomware, known as Samas, is also being used to compromise healthcare networks.

Healthcare institutions continue to remain attractive targets because of all of the internet-connected systems and medical devices. This presents an attacker with a highly connected community that brings these vulnerable medical devices together with high value patient data. All it takes is one successful attempt for the attacker to establish a backdoor, find and steal data, or use automated tools to set a ransomware attack in motion.


Case Study - Hospital #1

Hospital #1:

Vendor A - Radiation Oncology system
Vendor A - Trilogy Linac Gating system
Vendor B - Fluoroscopy Radiology system

Overview

Our client was a prospective top 1000 global hospital that was evaluating advanced threat detection solutions. They had specific interest in evaluating deception technology and already had in place a very current and well funded cyber defense solution. Their intrusion detection software was network centralized and they had up-to-date endpoint protection software in place. They had an enterprise next generation firewall and several additional internal firewalls in place.

Compliance requirements for this client included HIPAA and the data breach and notification requirements of several states in which they had facilities. They were extremely concerned about potential risk caused by cyber attackers to their patients, their patient data and their ongoing operations.

The hospital had a very strong security operations team and they had previously engaged several penetration testing teams. The security operations center team was separate from the information technology team and this gave them good focus on maintaining a strong cyber environment. They were using their current technology consistent with best practices. Prior penetration testing had noted concerns and possible attacker strongholds within their medical devices but, until the deception technology evaluation, they had no technology in-house that could easily identify established attacker backdoors within these devices.

Deployment and Analysis

The deception technology was installed on all internal networks. This particular installation utilized our emulated medical devices. These emulated medical devices were designed to attract, trap, and engage attacker software tools.

By the second day DeceptionGrid was alerted to attacker activity. Malware was discovered moving laterally within the network, and upon finding the emulated medical device, injected malicious code into the malware trap using a shellcode execution technique (shellcode is a small module of code used as a payload to exploit a software vulnerability). This is a complex attack whereby a file transfer was invoked to load a file necessary to set up additional command and control.

Analysis enabled us to track the attacker back through the network to a backdoor within the respiratory gating PC. This is a radiation oncology system running on Windows XP. The hospital had no prior alert or indication of compromise for this medical device prior to our notification.

Within four days an additional two emulated medical devices (traps) targeted for compromise by the attacker generated alerts. Malware was injected again using the shellcode technique. Most interesting was that this network was separate from the one associated with the first alert. We were running many different medical device emulation profiles and did not detect a preference in this particular attack vector.

Analysis enabled us to track this attacker back through the network to a backdoor within the Fluoroscopy workstation which was also running Windows XP.

Both of these systems are highly sensitive and are involved in the delivery of critical patient therapy and treatment. It is our view, based upon the analysis performed in the original MEDJACK report, that once a backdoor is created within a medical device, there is significant potential for the attacker to manipulate device operation and/or the device readings and data. Potential aside, we noted absolutely no evidence of such intentions in this case study and believe that all identified attacker activity is targeted towards the theft of patient data.


The attacker's sophisticated tools were camouflaged inside an out-of-date MS08-067 code wrapper that was used for the initial distribution vector. We determined that the malware was in fact quite sophisticated, and capable of "jumping" or moving between networks successfully. Based upon a repeating pattern, we believe that the attackers are intentionally packaging the attacker tools in such a way so as to target older Windows XP, or Windows 7 operating systems which are quite vulnerable and have no endpoint detection cyber defense installed. Further, they do this while eliminating the potential for alert by the standard hospital workstations which have up-to-date endpoint cyber defenses installed. We have been working with the hospital to identify the attacker origins. This information remains confidential at this time. Our analysis on this continues after case study #3.


Case Study - Hospital #2

Hospital #2:

Vendor C - PACS System Multiple Vendor Computer Servers and Storage Units

Overview Our client was a prospective top 10,000 support tasks for their internal customers and global hospital. They had specific interest in seemed heavily loaded and burdened by cyber evaluating deception technology and wanted security analysis. They were quite uncertain as an automated technology that would not place to how they could best resist the current wave additional burden or workload on their team. of advanced attackers. They were also sensitive to the impact on their existing information technology budgets which Deployment and Analysis were under pressure. They had intrusion de- tection software, gateway firewalls, and internal DeceptionGrid was installed on all internal firewalls that divided the network into individu- networks and the servers within their PACS al segments, each with specific policies. Finally, (picture archive and communication systems) they had an endpoint security in place. which provide storage and access to image information from multiple source machine This hospital was extremely concerned about types. potential risk caused by cyber attackers to their patients, their patient data, and their ongoing Communication protocols used within PACS operations. They had detected prior attempts include Digital Imaging and Communications to steal patient data and were not sure they in Medicine (DICOM) which is a standard for had eliminated these threats. handling, storing, printing, and transmitting information in medical imaging applications. The hospital had a small information tech- DICOM is an application protocol that uses nology team responsible for both standard TCP/IP to communicate between systems. information technology support and cyber DICOM is used primarily to enable two or more security. They had a substantial backlog of entities that are capable of receiving image

©2016 TrapX Software. All Rights Reserved. ANATOMY OF ATTACK : MEDJACK.2 | 17

and patient data in DICOM format. DICOM also enables the integration of scanners, servers, workstations, printers, and network hardware from multiple manufacturers into one PACS system. DICOM is used primarily by hospitals, surgical centers (surgi-centers), x-ray/CT-scan/MRI facilities, skilled nursing facilities, large physician networks such as accountable care organizations (ACO) or independent physician associations (IPA), managed healthcare organizations and more.

File formats on the PACS systems include primarily DICOM (Digital Imaging and Communications in Medicine) and non-image data, such as .PDF, which may be encapsulated within DICOM. The PACS system included x-ray film images, computerized tomography (CT) scan images, and magnetic resonance imaging (MRI) along with the necessary workstations, servers and storage. Virtually every hospital has at least one centralized PACS system. If an attacker can get a foothold within the PACS, they have network paths to every other possible system in the hospital as well as to many of the external but network-connected entities.

By the second day a DeceptionGrid PACS trap had discovered malware, allowing us to track the origin and details of the attack. The origin was found to be a compromised medical device located in an entirely different segment of the network. The malware within this compromised medical device learned where the PACS systems were located, and attempted to perform a pass-the-hash attack to gain access to the PACS systems.

Fortunately this attack was not successful on the real PACS system, but our PACS trap accepted the attack, giving the malware the impression it had succeeded. A pass-the-hash technique allows an attacker to authenticate to a remote server or service using the underlying NTLM (Microsoft NT LAN Manager) hash of one or more users' passwords instead of the plaintext passwords normally required. This type of attack is rarely successful on systems requiring true authentication, but the trap (decoy PACS system) allowed this attack to succeed, capturing the malicious payload and providing additional details of the compromise.

Our analysis enabled us to track the attacker back through the network to a backdoor within the MRI system, which initiated the attack on the PACS trap. Until our notification, the hospital had no prior alert or indication of compromise for this medical device, or that the PACS system servers were being attacked. This backdoor included a command and control server connection to an external botnet.

Although the attack utilized an out-of-date wrapper, we determined that the malcode was in fact quite sophisticated and capable of "jumping", or moving, between networks. The almost harmless networm (ignored by patched Windows 7 systems, Windows 8 platforms and modern operating systems) exploited a vulnerability within Windows XP and unpatched versions of Windows 7 by loading a RAT (remote access tool) so the attacker could then load sophisticated attacking software components.

As in case study #1, we believe that the attackers are intentionally packaging their tools in such a way as to target medical devices with older Windows XP or unpatched Windows 7 operating systems, which are quite vulnerable and have no endpoint defenses installed. As before, attackers do this to eliminate possible detection at the OS level from standard hospital workstations (endpoints) and servers that have an up-to-date OS as well as installed cyber defenses.

This particular medical device was installed within Urgent Care, so remediation of the attack took the hospital several weeks. In the interim they blocked the internet protocol (IP) address of the attacker from continued command and control of the device. Remediation in this case consisted of a newly manufactured device and returning the compromised device to the manufacturer. We have been working with the hospital to identify more information about the attacker's origins.
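Added example, not TrapX code and not DeceptionGrid's detection logic: a small Go detector that applies the principle behind the decoy PACS host above (no legitimate user ever authenticates to it) to constructed authentication records, and reports the source address, its network zone and whether NTLM was used, the same information the team used to trace this attack back to a device in another segment. Zone prefixes, host names and events are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// AuthEvent is a simplified authentication record, the shape a SIEM gives a
// Windows logon event. Every value in this example is constructed.
type AuthEvent struct {
	SrcIP, DstHost string
	AuthPkg        string // "NTLM" or "Kerberos"
	Result         string // "success" or "failure"
}

var zones = map[string]string{"10.10.0.0/16": "workstations", "10.20.0.0/16": "medical-devices"} // hypothetical zone plan

func zoneOf(ip string) string {
	addr := net.ParseIP(ip)
	for cidr, name := range zones {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(addr) {
			return name
		}
	}
	return "unknown"
}

// Alert summarises all attempts one source made against one decoy.
type Alert struct {
	SrcIP, Zone, Decoy string
	Attempts           int
	NTLM               bool // pass-the-hash style logons arrive as NTLM network logons
}

// DetectDecoyAuth flags every attempt against a decoy, successful or not. A decoy
// has no real users, so a single attempt is a high-confidence signal. Keys are "src|decoy".
func DetectDecoyAuth(events []AuthEvent, decoys map[string]bool) map[string]*Alert {
	alerts := map[string]*Alert{}
	for _, e := range events {
		if !decoys[strings.ToLower(e.DstHost)] {
			continue // production hosts need other, noisier analytics
		}
		key := e.SrcIP + "|" + e.DstHost
		a, ok := alerts[key]
		if !ok {
			a = &Alert{SrcIP: e.SrcIP, Zone: zoneOf(e.SrcIP), Decoy: e.DstHost}
			alerts[key] = a
		}
		a.Attempts++
		a.NTLM = a.NTLM || strings.EqualFold(e.AuthPkg, "NTLM")
	}
	return alerts
}

// SampleEvents is constructed data: a workstation using the real PACS, and a
// device in the medical-device zone probing the decoy with NTLM.
func SampleEvents() []AuthEvent {
	return []AuthEvent{
		{"10.10.4.21", "PACS01", "Kerberos", "success"},
		{"10.20.5.7", "PACS-TRAP", "NTLM", "failure"},
		{"10.20.5.7", "PACS-TRAP", "NTLM", "success"},
	}
}

func main() {
	for _, a := range DetectDecoyAuth(SampleEvents(), map[string]bool{"pacs-trap": true}) {
		fmt.Printf("ALERT decoy=%s src=%s zone=%s attempts=%d ntlm=%v\n", a.Decoy, a.SrcIP, a.Zone, a.Attempts, a.NTLM)
	}
}
```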


Case Study - Hospital #3

Hospital #3:

Vendor D - X-Ray machine

Overview

Our client was a prospective top 10,000 global hospital that was evaluating advanced threat detection solutions. They had an interest in evaluating deception technology and already had in place a funded cyber defense architecture. They had intrusion detection, firewalls, and endpoint security in place.

The hospital had a small but sharp IT and security operations team. They had considerable experience in cyber security from past employment and were using their current technology consistent with best practices. They had no knowledge of any attacker presence within their networks.


Deployment and Analysis

DeceptionGrid was installed on all internal networks. This particular installation utilized emulated medical devices, which are designed to trap and engage attackers and their tools. Within 20 minutes DeceptionGrid alerted on attacker lateral movement. The malware was moving laterally within the network and, upon finding the emulated medical device, injected malicious code into the malware trap.

Analysis enabled us to track the attacker back through the network to a backdoor within the x-ray equipment, which was an application based on Windows NT 4.0. The hospital had no prior alert or indication of compromise for this medical device. As in our first case study, the malware was wrapped inside an out-of-date malware wrapper that was initially identified as a networm. We determined, once again, that this technique camouflaged a much more sophisticated and targeted attack. We have been working with the hospital to identify more information about the attacker's origins.


Understanding MEDJACK.2

Tools have evolved to help mask old, easily detectable malware threats as new malware through a technique called repacking. Our first report on MEDJACK in early 2015 noted that very basic versions of old malware such as CONFICKER were used to propagate the attack due to the vulnerability of the old embedded operating systems within medical devices. This was old malware with old capability, but since there was no endpoint security within the medical devices these attacks were still causing problems.

MEDJACK.2 is recognition that attackers have moved consciously to exploit medical devices further. These attackers have stepped up their game and now camouflage very sophisticated attacks within these old malware wrappers. These old malware wrappers bypass modern endpoint solutions because the targeted vulnerabilities have long since been closed at the operating system level. So now the attackers, without generating any alert, can distribute their most sophisticated toolkits and establish backdoors within major healthcare institutions, completely without warning or alert. Attackers have put considerable research and development into these new tools. This advanced malware can now hop laterally across networks to exploit virtually any information within the healthcare institution.

All of this makes healthcare institutions more vulnerable. These exploits root within medical devices and evade most cyber defense software for extended periods of time. There are no records displayed by the cyber defense software, even at low levels of priority, about this out-of-date malware, which has been resolved (and ignored) at the operating system level.

MEDJACK.2 Risk

To be clear, these are the risks we see today present in most medical facilities on a global basis:

MEDJACK.2 highlights how these threats can penetrate healthcare networks and create a backdoor within medical devices, or any device for that matter, running the older Windows® operating systems such as Windows XP and Windows 7. These backdoors can be used to exfiltrate patient data for long periods of time, and ultimately deliver a devastating parting gift such as ransomware or perhaps worse.

MEDJACK.2 can uniquely obfuscate the most modern and sophisticated attack tools under the cloak of an older, almost obsolete, malware wrapper. This attack is then completely ignored by the operating systems and the current cyber defense, without an alert at any level. This appears to be a carefully assembled strategy by cyber attackers (organized crime).

MEDJACK and the MEDJACK.2 attack vector have the potential to enable an attacker's command and control, which can then distort or change data internal to medical devices. This could be stored data or information that is displayed or measured externally.


Conclusions

The data stored within healthcare networks remains a primary target for attackers on a global basis. Recent data from IBM® Security suggests that healthcare became the #1 most attacked industry in 2015, replacing financial services, which was the leader in 2014. The drivers for this include both the economic rewards and the relative difficulty (or ease) with which an attacker can successfully exploit a targeted enterprise. There is substantial economic gain to be enjoyed from the theft of medical records, which have among the highest value on the black market, ranging from $10 to $20 per patient record. As we have discovered, medical devices are not well defended by standard cyber defense practices. Standard cyber defense solutions can neither defend nor remediate these devices.

Healthcare cyber defense budgets remain under great strain and are generally inadequate to meet the level of investment from motivated attackers. Cyber defense teams are often the same as information technology support teams, thus having to pull double duty. They have seen some increases in budgeted spend to deal with the current cyber threat environment, but it is not nearly enough to deal with the sophistication of current and future attacks.

These cost structures do not adequately address the spend required to meet the current cyber threat.

Clinicians and their non-clinician administrative support teams are focused on patient care and are scheduled to the minute each day. They expect network and computing resources to work; they don't really want to be involved in issues like cyber security. Yet clinicians often make all, if not most, important healthcare-related policy decisions. The operation of known infected systems often goes on for days after the attacker foothold is discovered, as the impact and risk to patient care or facility operations is greater if these are taken offline. Healthcare institutions depend on these devices on a 24 hour, 7 day per week basis.

The presence of medical devices on healthcare networks creates high vulnerability. These medical devices make these networks much more susceptible to a successful cyber attack. We noted this in early 2015, and now, in mid 2016, the tidal wave of medical device based attacks is prominent, visible, and trending substantially.

The ramifications of MEDJACK.2 are almost overpowering if you are a hospital administrator, officer, or board member. You need to move rapidly to significantly upscale cyber security budgets, staffing and contractors such as managed security service providers (MSP/MSSP) in order to meet this threat. You need to consider an environment where motivated attackers will eventually breach the perimeter.


It is likely that you will need to constantly identify and eliminate attackers attempting to penetrate your networks on a regular basis. Further, for markets such as the United States, where HIPAA and state data breach compliance requirements are significant, failure to take these steps may subject your healthcare institution to substantial legal penalties and associated financial risks.

Once an attacker has established a "backdoor" within a medical device they are very hard to detect and to remediate. You need the full cooperation of the device manufacturer. Your cyber security team cannot easily detect malware on a system which they cannot scan with their standard cyber defense software. Botnet software detection works best if the external IP address is known to be one used by attackers. Beyond this, only a very few select technologies, such as deception technology, can detect lateral movement within an internal network.

Even worse, without new best practices in place, a remediated medical device may be reinfected within a few hours by the same worm propagating from another medical device within the hospital. Consider the operational implications of this for major medical facilities. We have seen several cases where the facility was required to clean (rebuild or reload installed software, or replace entire devices) multiple devices at the same time to prevent them from being reinfected by another medical device which still had malicious code. Consider administrators and staff trying to manage the shutdown of dozens to perhaps hundreds of medical devices all at the same time. Imagine coordinating all of this activity around patients, resident physicians and ambulatory physicians. Medical facilities are not set up for this sort of shutdown, which might have to take place several times per year.

In summary, because of the widespread deployment of MEDJACK and the sophisticated evolution to MEDJACK.2, infection by malware remains widespread across the major healthcare institutions globally. This includes hospitals, physician practices, physician independent practice associations, accountable care organizations, healthcare insurance organizations, skilled nursing facilities, surgical centers, and other related organizations. Most institutions cannot detect these attacks, may be unaware of ongoing data breach, or have inadequate strategy and funding in place to identify and remove these attackers.


Recommendations

Our review of these new case studies provided very valuable and useful information. Our recommendations are supported by TrapX Security Labs (TSL's) research, experience and our constant dialog with other leading security experts on a global basis. We see multiple areas for deeper and continued research within the healthcare cyber threat environment.

Healthcare institutions should consider these specific recommendations:

Administrative Recommendations

Review budgets and cyber defense initiatives at the facility or organizational board level. Bring in an independent cyber security expert at the board level to help you understand required budgets, staffing levels, and key activities. Consider a fast paced alternative: bring in a managed security service provider (MSSP) on an outsourced basis to augment your current cyber defense capabilities.

Major healthcare institutions should prepare for the possibility of one or more data breaches that will trigger HIPAA reporting, processes, and procedures. If you are a healthcare entity within the U.S., it is possible you will find exfiltration of patient data (more than 500 patients affected) within the public notification trigger of HIPAA. Compliance and information technology must work together to document these incidents, provide the notice and follow up as required by law. There are similar compliance requirements in many countries around the world. Major healthcare institutions should seek the advice of competent HIPAA consultants.

Hospitals and physician practices in the U.S. are primary targets for a HIPAA compliance audit. Given the high risk of data breach that hospitals face, we recommend they bring in outside consultants to audit and review their HIPAA compliance program in 2016.

Raise the level of scrutiny for your business associates under HIPAA. Recognize that while many of them can meet the HIPAA requirements for privacy and data security, and have done their risk assessments, they may not have implemented the necessary best practices to meet and defeat MEDJACK.2.

Carefully note compliance requirements relating to patient data for the states that pertain to your services and patients. These can vary significantly from HIPAA and, given the current high risk environment, fastidious adherence to compliance is required at all times.

Increase employee education programs pertaining to the use of healthcare information technology systems. These should not be used for personal communications. Email attachments and links (URLs) should be treated with necessary suspicion until proven otherwise. It only takes one employee mistake to let an attacker's tools into the enterprise.

Review disaster recovery plans and consider how the quality of patient care might be impacted in the event that all of your information technology resources (patient databases, scheduling systems, EMR/EHR systems, diagnostic lab ordering systems) went down or had their data locked because of a ransomware attack.


Cyber Defense Recommendations and Best Practices

Isolate your medical devices inside a secure network zone and protect this zone with an internal firewall that will only allow access to specific services and IP addresses. If possible and practical, totally isolate medical devices inside a network which is not connected to the external internet.

Implement a strategy to review and remediate existing medical devices now. Many of these are likely infected and creating risk for your institution and your patients.

Implement a strategy to rapidly integrate and deploy software and hardware fixes provided by the manufacturer to your medical devices. These need to be tracked and monitored by senior management and quality assurance teams.

Implement a strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cyber security processes and protections. Conduct quarterly reviews with all of your medical device manufacturers.

Implement a strategy for medical device end-of-life. Many medical devices have been in service for many years, often against a long depreciated lifecycle. Retire these devices as soon as possible if they exhibit older architectures and have no viable strategy for dealing with advanced malware such as MEDJACK. Then acquire new devices with the necessary protections from manufacturers that can comply with your requirements.

Implement a strategy to update your existing medical device vendor contracts for support and maintenance, and specifically address malware remediation. If these new services raise operating budgets, we believe that the additional expense is necessary and prudent. Medical device manufacturers should include specific language about the detection, remediation and refurbishment of any medical devices sold to healthcare institutions which are then infected by malware. Manufacturers must have a documented test process to determine if the device is infected, and a documented standard process to remediate when malware and cyberattackers have infiltrated the device.

Manage access to medical devices, especially through USB ports. Avoid allowing any medical device to provide USB ports for staff use without additional protections. Consider the one-way use of new memory sticks in order to preserve the air gap. Otherwise one medical device can infect similar devices.


Evaluate and favor medical device vendors that utilize techniques such as digitally signed software and encrypt all internal data with passwords you can modify and reset. Software signing is a mathematical technique used to validate the authenticity of the software. Some manufactured medical devices use this technique to help prevent execution of unauthorized code. Encryption provides a safety margin in the event of data exfiltration or device compromise, at least for a window of time.

Improve your own ability, even when a device is selected, to allow your information security teams to test and evaluate vendors independent of the acquiring department. Allow your IT teams to run more stringent security tests to discover vulnerabilities and help with the management of medical device manufacturers. Allow them to object to the procurement of a medical device that provides an easy and unprotected target for the MEDJACK attack vector.

Utilize a technology designed to identify malware and persistent attack vectors that have already bypassed your primary defenses. Deception technology can provide this advantage for your security operations center (SOC) team.
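The software-signing recommendation above, as an added example that is not TrapX code and not any manufacturer's update mechanism: a Go sketch in which the manufacturer signs an image with Ed25519 and the device verifies it against a pinned public key before install, so that an image altered by one byte, or one signed with a key the device does not trust, is refused. The image bytes and the update format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a software image as a device would receive it: the bytes plus a
// detached signature made by the manufacturer. The format is hypothetical.
type Update struct {
	Image     []byte
	Signature []byte
}

// Sign is the manufacturer's build step: hash the image, sign the digest.
func Sign(priv ed25519.PrivateKey, image []byte) Update {
	digest := sha256.Sum256(image)
	return Update{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify is the device's (or the hospital staging process's) gate before
// install: recompute the digest and check it against the manufacturer's
// public key pinned in the device. Anything unsigned, signed with another
// key, or altered after signing is refused.
func Verify(pub ed25519.PublicKey, u Update) error {
	if len(pub) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed key or signature")
	}
	digest := sha256.Sum256(u.Image)
	if !ed25519.Verify(pub, digest[:], u.Signature) {
		return errors.New("signature mismatch: image not from manufacturer or modified")
	}
	return nil
}

// Scenario runs the three cases a device should handle: a genuine update,
// the same update with one bit flipped, and an update signed by a key the
// device does not trust. It returns whether each one was accepted.
func Scenario() (genuine, tampered, wrongKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2.1 for an imaging workstation")
	good := Sign(priv, image)
	genuine = Verify(pub, good) == nil

	bad := Update{Image: append([]byte(nil), good.Image...), Signature: good.Signature}
	bad.Image[len(bad.Image)-1] ^= 0x01 // one-bit change after signing
	tampered = Verify(pub, bad) == nil

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the device never pinned
	wrongKey = Verify(pub, Sign(otherPriv, image)) == nil
	return
}

func main() {
	g, t, w := Scenario()
	fmt.Printf("genuine accepted=%v tampered accepted=%v wrong-key accepted=%v\n", g, t, w)
}
```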


About TrapX Security

TrapX has created a new generation of deception technology that provides real-time breach detection and prevention. Our field proven solution deceives would-be attackers with turn-key decoys (traps) that "imitate" your true assets. Hundreds or thousands of traps can be deployed with little effort, creating a virtual mine field for attackers and alerting you to any malicious activity with actionable intelligence immediately. Our solutions enable our customers to rapidly isolate, fingerprint and disable advanced attackers, malicious insiders and new zero day attacks in real-time. Uniquely, our automation and innovative protection enable us to provide complete and deep insight into malware and malicious activity unseen by other types of cyber defenses. TrapX Security has many government and Global 2000 users around the world, servicing customers in defense, healthcare, finance, energy, consumer products and other key industries.

Contact Us

TrapX Security, Inc., 1875 S. Grant Street, Suite 570, San Mateo, California 94402

+1–855–249–4453 www.trapx.com

For sales: [email protected]

For partners: [email protected]

For support: [email protected]


Trademarks and Copyright

TrapX, TrapX Security, DeceptionGrid and all logos are trademarks or registered trademarks of TrapX in the United States and in several other countries. Microsoft and Windows are registered trademarks of Microsoft Corporation. IBM is a registered trademark of IBM corporation. Other trademarks are the property of their respective owners. © TrapX Software 2016. All Rights Reserved.
