#RSAC
SESSION ID: HT-R02
MEDJACK.3 Medical Device Hijack Cyber Attacks Evolve
Anthony James, Corporate Marketing Officer, and Moshe Ben Simon, VP TrapX Labs, TrapX Security

Agenda
• State of Cybersecurity in Healthcare
• An Introduction to MEDJACK
• MEDJACK Case Studies and the Evolution of MEDJACK.3
• Anatomy of the MEDJACK.3 Attack
• How Deception Technology Can Stop MEDJACK

The Facts - 2016 Year in Review
• 27% of all reported breaches were in the Healthcare industry, the most attacked industry in the 1st half of 2016 (Source: Gemalto 1st Half Findings from 2016 Breach Level Index Data)
• 93 major* Healthcare data breaches happened in 2016, a 63% increase over 2015, for a total of 12,057,759 records (Source: Healthcare Cyber Breach Research Report for 2016, TrapX Security, Dec 2016)
• 31% of all HIPAA data breaches in 2016 were caused by IT/Hacking, an increase of over 200% since 2014 (Source: Healthcare Cyber Breach Research Report for 2016, TrapX Security, Dec 2016)
• Ransomware experienced a 300% increase from 2015 to Q1 2016 (Source: Symantec Security Response - Q1 2016 Data)

Why Healthcare?
• Cyber-criminals seeking financial gains; no nation states yet
• Ease of attack
• Value of rewards – patient records are still the best
• Target for ransomware: the price of the ransom is less than the financial loss
An Introduction to MEDJACK

Medical Device Hijack (MEDJACK) Defined
• Healthcare institutions are targeted by medical device hijack (MEDJACK).
• Attackers design specific malware tools with the goal of establishing a “backdoor” within a medical device.
• Then they complete their objective …

Why Medical Devices?
Medical devices are highly vulnerable:
• Legacy operating systems
• Certification limits security enhancements
• No after-market security solutions
• Expensive equipment with long lifecycles
• No easy way to detect and remediate attacked medical equipment

Anatomy of a MEDJACK Attack
[Diagram, built up over four slides: Anatomy of a MEDJACK attack. Labels: Stage 1 – Attacker, Internet, Firewall, Switch; Stage 2 – Ultrasound, MRI, CT Scan; Stage 3 – PACS servers, Remote Client; Stage 4 – Internal Client, PACS Print.]
Case Study 1 – MEDJACK.2

Oncology Position Management System
• Radiation Oncology running Windows XP
• PC controls the precision and safety process of the system

Oncology System Exploited
Hospital #1, Oncology Department: oncology system compromised
• Exploited embedded Windows XP
• Attack spreads laterally
• Ignored by newer operating systems
• Upload malicious payload
• Utilized packed code to avoid detection
• Hidden to new cybersecurity
[Diagram labels: Attacker, Internet, Firewall, Switch (x3); Radiation Oncology System, Position MGMT and Fluoroscopic Radiological System, each marked Back Door; Respiratory; DeceptionGrid Trap (x2).]
Case Study 2 – MEDJACK.3 Technical Preview

Active Case Study for MEDJACK.3
• Discovered at a hospital system with over 10 major member hospitals involved
• Malware specifically targeting medical devices with an older OS (Windows XP or Windows Server 2003); ignored newer 2008/2012 operating systems
• A PACS image viewer machine was the targeted medical system; this machine has access to a huge repository of medical records such as patient images
• Attacker used C&C for a backdoor within a PACS image viewer

Wolf in Sheep's Clothing
• Attack used an old spreading technique to be “ignored” by newer operating systems: a modified, wrapped version of Win32.Kido that newer Windows systems ignore
• Core infection strategically targeted legacy Windows OS, commonly known in healthcare to be used for medical equipment
• Sophisticated payload: the second-stage payload had anti-VM and anti-debugging code to avoid detection
• Polled every 3 hours, looking to spread to other medical devices across network VLANs

Technical Details Review
• File MD5 hash - 378a2915bcec89903faaf5cff2138740
• Infects systems across a network by exploiting a vulnerability in the Windows Server service (svchost.exe)
• If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled
• It may also spread via removable USB drives
• Attempts to propagate using PTH / weak dictionary administrator passwords on the affected systems
• Disables several important system services and security products
• Anti-debugging and environment-aware capabilities

Technical Details Review
• File is packed with a UPX packer to hide its components
• TrapX unpacked the file and gathered the new MD5s; unpacked file MD5 hash ae538bfa64c71ab338692d60ea709451
• Interesting Windows API functions:
  - IsDebuggerPresent – detecting if the malware is running in a debugger
  - GetProcAddress – retrieves the address of a function in a DLL loaded into memory
  - LoadLibrary – loads a DLL into a process that may not have been loaded when the program started
  - VirtualAllocEx – a memory-allocation routine that can allocate memory in a remote process; malware sometimes uses VirtualAllocEx as part of process injection

Technical Details Review
• Propagation – attempts to drop a copy of itself in a remote computer's ADMIN$ share:
  - The copy is done using the credentials of the currently logged-on user on the system the malware executed on
  - If the process above fails (or the current user doesn’t have rights), the malware enumerates users on the remote system and uses a combination of weak passwords to attempt to log in to the remote system
• Persistence – adds itself to the Windows autorun in subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Sets value: "
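The propagation sequence just described (failed logons for several accounts from one host, then a copy into the target's ADMIN$ share) leaves a recognisable trace in logon and share-access events. As an added illustration, not part of the TrapX deck, a small detector run over constructed records; the record format, host names, accounts and timestamps are all assumptions made for this example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (hypothetical): timestamp|event id|source host|target host|account|detail.
# Event ids mirror the Windows Security log: 4625 failed logon, 4624 successful logon,
# 5140 network share object accessed. type=3 is a network logon.
SAMPLE_EVENTS = r"""
2016-12-01T02:00:01|4625|PACS-VIEW-07|ONC-XP-01|administrator|type=3
2016-12-01T02:00:02|4625|PACS-VIEW-07|ONC-XP-01|admin|type=3
2016-12-01T02:00:03|4625|PACS-VIEW-07|ONC-XP-01|backup|type=3
2016-12-01T02:00:04|4625|PACS-VIEW-07|ONC-XP-01|guest|type=3
2016-12-01T02:00:05|4625|PACS-VIEW-07|ONC-XP-01|svc_pacs|type=3
2016-12-01T02:00:06|4624|PACS-VIEW-07|ONC-XP-01|svc_pacs|type=3
2016-12-01T02:00:07|5140|PACS-VIEW-07|ONC-XP-01|svc_pacs|share=\\*\ADMIN$
2016-12-01T08:15:00|4624|WS-RAD-03|FILESRV-01|jdoe|type=3
2016-12-01T08:15:02|5140|WS-RAD-03|FILESRV-01|jdoe|share=\\*\Images
"""


def parse_events(text):
    """Split the pipe-delimited records into dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, src, dst, acct, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "src": src, "dst": dst, "acct": acct, "detail": detail})
    return events


def detect_admin_share_spray(events, min_accounts=3, window=timedelta(minutes=10)):
    """Return one alert per ADMIN$ access that was preceded, within `window`, by failed
    logons for at least `min_accounts` distinct accounts from the same source to the same target."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        failed = [e for e in evs if e["id"] == 4625]
        for share in evs:
            if share["id"] != 5140 or not share["detail"].upper().endswith("ADMIN$"):
                continue
            sprayed = {e["acct"] for e in failed if share["ts"] - window <= e["ts"] <= share["ts"]}
            if len(sprayed) >= min_accounts:
                alerts.append({"source": src, "target": dst, "account": share["acct"],
                               "failed_accounts": sorted(sprayed), "at": share["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_share_spray(parse_events(SAMPLE_EVENTS)):
        print("Possible MEDJACK-style ADMIN$ propagation:", alert)
```

A normal file-share session (the second host pair in the sample) produces no alert because it neither sprays accounts nor touches ADMIN$.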
Quick Snapshot to MEDJACK in the Darknet

Alerting Medical Organization on Data Breach

What Can We Learn?
• Healthcare remains a highly targeted industry – risk grows
• Medical devices are at extreme high risk
• Attacks are targeted, sophisticated and widespread
• Older attack code used for propagation to minimize detection from newer systems
• Most healthcare institutions cannot detect this attack
Questions?
Thank you for attending For more information email [email protected] or call 855-249-4453