MEDJACK.2 Hospitals Under Siege

TrapX Investigative Report
ANATOMY OF ATTACK
MEDJACK.2 Hospitals Under Siege
By TrapX Research Labs
©2016 TrapX Software. All Rights Reserved.

Notice

TrapX Security reports, white papers and legal updates are made available for educational purposes only. Our purpose is to provide general information only. At the time of publication all information referenced in our reports, white papers and updates is as current and accurate as we could determine. As such, any additional developments or research since publication will not be reflected in this report.

Please note that these materials may be changed, improved, or updated without notice. TrapX Security is not responsible for any errors or omissions in the content of this report or for damages arising from the use of this report under any circumstances.

Disclaimer

The inclusion of the vendors mentioned within the report is a testimony to the popularity and good reputation of their products within the hospital community and our need to accurately illustrate the MEDJACK.2 attack.

Medical devices are FDA approved devices, and additional software for cyber defense cannot be easily integrated into the device, especially after FDA certification and manufacture.

We have worked in strict confidence with the healthcare institutions documented in these case studies in order to identify and remediate current and future cyber attacks.

Finally, we would note that TrapX Labs personnel involved with the cyber security initiatives described herein are not certified or trained by the medical device manufacturer. We do not know if the hospital personnel involved in supporting our efforts during our proof of concept deployments were trained or certified on the equipment.

Notwithstanding the hospital's best intentions, both the information technology and medical devices may not have been maintained or installed in accordance with manufacturer recommendations. Required software updates and improvements to these devices that may have reduced or eliminated cyber attacks may not have been installed. Network configurations and firewall setups that may have reduced or eliminated cyber attacks may not be in place. Current best practices may not have been implemented; this is in some cases a subjective determination on the part of the hospital team.

New best practices that utilize advanced threat detection techniques such as deception technology are relatively new to hospitals, and only recently available for commercial deployment.

Information released which pertains to specific medical devices is done solely to understand and illustrate the details of the MEDJACK and MEDJACK.2 attack vector.

Please note some of the information technology, servers, firewalls, networks, and medical device equipment identified in this report were several years old.

Contents

About Anatomy of Attack 5
Executive Summary 7
Healthcare - State of the Union 10
Challenges in the Healthcare Network 13
Case Study - Hospital #1 15
Case Study - Hospital #2 18
Case Study - Hospital #3 21
Understanding MEDJACK.2 23
MEDJACK.2 Risk 24
Conclusions 25
Recommendations 27
Cyber Defense Recommendations and Best Practices 29
About TrapX Security 31

About Anatomy of Attack

The Anatomy of Attack (AOA) Series highlights the results of our research into current or potential critical information security issues. The AOA series are publications of TrapX Laboratories. The mission of TrapX Labs is to conduct critical cyber security experimentation, analysis and investigation and to bring the benefits back to the community at large through AOA publications and rapid ethical compliance disclosures to manufacturers and related parties.

The TrapX Labs knowledge base benefits from information on advanced malware events shared with us by the TrapX Security platform. Uniquely, this threat analysis includes very deep intelligence on advanced threats and Zero Day events.

Executive Summary

In May 2015 TrapX Labs released an Anatomy of Attack report that shared our research into the discovery and analysis of three targeted hospital attacks. The TrapX Labs team referred to this attack vector as MEDJACK, or "medical device hijack."

In the first report we described how medical devices have become a key pivot point for attackers within healthcare networks. Medical devices are visible points of vulnerability, and the hardest area to secure and remediate, even after a compromise has been identified. We described how these persistent cyber-attacks threaten overall hospital operations and the security of patient data. We further described how the attacks happen and, once established, how the attackers can extend their foothold on these compromised systems to potentially breach the patient records over an extended period of time.

MEDJACK.2 is a sophisticated evolution of the original MEDJACK attack, based upon primary research gathered from recent incidents documented within the TrapX security platform in late 2015 and early 2016. This included a detailed review of data and analysis associated with ongoing, advanced attacks in three new healthcare institutions. These attacks pivoted around medical devices which were installed within the hospital's hardwired networks. MEDJACK.2, or medical device hijack 2, frames an evolution of the attacks we documented in our first MEDJACK report. In our three new case study hospitals we found a multitude of backdoors and botnet connections, working under the control of attackers.

It is extremely important to note that the malware propagated by the attacker(s) was never detected by any endpoint security software. Often we can find endpoint security alerts during our forensic analysis, but these were not present in these case studies.

"MEDJACK.2 adds a new layer of camouflage to the attacker's strategy. New and highly capable attacker tools are cleverly hidden within very old and obsolete malware. It is a most clever wolf in very old sheep's clothing. They have planned this attack and know that within healthcare institutions they can launch these attacks, without impunity or detection, and easily establish backdoors within the hospital or physician network in which they can remain undetected, and exfiltrate data for long periods of time."
– Moshe Ben Simon, Co-Founder & VP, TrapX Security, General Manager, TrapX Labs

A unique finding during the investigation was that the attack utilized an old malware variant, such as a variant of the MS08-067 worm, whose signatures were well known. Windows 7 and later versions had eliminated the vulnerabilities that this worm sought to exploit, so that it appeared to be of no concern, even if it was detected by other security solutions, since the vast majority of workstations would not be vulnerable.

The malware utilized for this attack was specifically selected to exploit older versions of Windows, and given that the general endpoints were using newer Windows versions, they would not be affected by the threat. This point is critical, and serves two main objectives:

1. Since newer versions of Windows were not vulnerable, the workstations would naturally ignore the attack, eliminating the need for any endpoint security software to step in. This ensured that the worm would go undetected while it sought out older Windows systems.

2. The medical devices deployed in these case studies utilized older versions of Windows that were still vulnerable to the threat. This gave the attackers a higher likelihood of compromising these systems. And since most medical devices do not have additional endpoint security software, the attack would go undetected.

In order to ensure success, it appears that the attackers intentionally repackaged and embedded new, highly sophisticated tools and camouflaged them within the MS08-067 worm.

"Attackers continue to evolve the perfect storm with the proliferation of MEDJACK.2. Within the simplicity of targeting attacks using carefully selected long out-of-date malware wrappers, they are able to package and successfully deliver the latest and most sophisticated attacker tools. MEDJACK.2 is the leading edge of organized crime weaponry designed to penetrate and compromise hospital networks virtually undetected. TrapX Labs believes that MEDJACK and MEDJACK.2 as well as related attacks loom in the majority of our medical facilities around the world and present an increased threat to facility operations, patient safety, and the confidentiality of patient data."
– Carl Wright, Executive Vice President and General Manager, TrapX Security

Once the attackers were inside the network, many medical devices became easy targets from which they could launch their campaign. Based upon the forensics from these case studies and others, we conclude that MEDJACK.2 attackers are intentionally moving to old variants of attack vectors to specifically target medical devices, knowing they have no additional security protections.

You will see from these case studies that the malware was able to gain a foothold within the older operating systems in the medical devices and avoid *ANY* detection in the standard IT endpoints or network solutions. It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack.

Within the three hospitals selected for our MEDJACK.2 case studies we installed TrapX deception technology, which enabled us to discover these attacks within a period of time that ranged from just under an hour (case study #3) to within a few days (case studies #1 and #2).

In summary, we present our conclusions and recommendations for minimizing the risk associated with a MEDJACK and the more sophisticated MEDJACK.2 attack. We present
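The two objectives above describe a coverage gap: hosts that are still exposed to an old, well-known exploit and that no endpoint agent watches. As an added example (not TrapX's code or tooling, and not part of the report), the following Python script triages a constructed asset inventory for exactly that gap. It assumes a hypothetical inventory schema (hostname, role, OS, installed hotfixes, endpoint-agent flag, network segment) and treats a host as exposed to MS08-067 when it runs a Windows release older than Windows 7 / Server 2008 R2 without the corresponding Microsoft update, KB958644. The host list itself is constructed sample data.

```python
"""Coverage-gap triage for the "old wrapper on old Windows" pattern.

Added example, not TrapX code. Inventory fields are a hypothetical schema;
the sample hosts below are constructed. A host is flagged as a blind spot
when it is both exposed to MS08-067 and has no endpoint security agent,
which is the combination the report describes for medical devices.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: these releases shipped after the MS08-067 fix and need no hotfix.
# Older Windows releases need Microsoft update KB958644 installed.
FIXED_IN_BASE = {"Windows 7", "Windows Server 2008 R2", "Windows 8",
                 "Windows 8.1", "Windows 10", "Windows Server 2012"}
MS08_067_HOTFIX = "KB958644"


@dataclass
class Asset:
    hostname: str
    role: str                          # "workstation", "server", "medical-device"
    os: str                            # e.g. "Windows XP", "Windows 7", "Linux"
    hotfixes: set = field(default_factory=set)
    endpoint_agent: bool = False       # True when an endpoint security agent is installed
    network_segment: str = "clinical"  # VLAN / zone the host sits in


def exposed_to_ms08_067(a: Asset) -> bool:
    """True when the host could still be hit by an MS08-067 exploit."""
    if not a.os.startswith("Windows"):
        return False                   # non-Windows hosts are out of scope
    if a.os in FIXED_IN_BASE:
        return False                   # fix already in the base release
    return MS08_067_HOTFIX not in a.hotfixes


def blind_spots(inventory):
    """Hostnames that are exposed AND unmonitored: the report's detection gap."""
    return sorted(a.hostname for a in inventory
                  if exposed_to_ms08_067(a) and not a.endpoint_agent)


def shared_segments(inventory):
    """Segments where a blind-spot host sits next to patched, monitored hosts.

    Returns {segment: [blind-spot hostnames]} only for segments that also
    contain at least one non-exposed host, i.e. where a compromised device
    could reach the rest of the enterprise without a network boundary.
    """
    gap = set(blind_spots(inventory))
    by_segment = defaultdict(list)
    for a in inventory:
        by_segment[a.network_segment].append(a)
    result = {}
    for seg, hosts in by_segment.items():
        flagged = sorted(h.hostname for h in hosts if h.hostname in gap)
        others = [h for h in hosts if h.hostname not in gap]
        if flagged and others:
            result[seg] = flagged
    return result


# Constructed sample inventory (hypothetical hostnames and patch states).
SAMPLE_INVENTORY = [
    Asset("ws-nurse-01", "workstation", "Windows 7", endpoint_agent=True),
    Asset("ws-admin-02", "workstation", "Windows 10", endpoint_agent=True,
          network_segment="admin"),
    Asset("file-srv-01", "server", "Windows Server 2003", {MS08_067_HOTFIX},
          endpoint_agent=True, network_segment="datacenter"),
    Asset("xray-01", "medical-device", "Windows XP"),              # vendor image, no agent
    Asset("pacs-02", "medical-device", "Windows Server 2003"),     # unpatched, no agent
    Asset("infusion-gw", "medical-device", "Linux", network_segment="devices"),
]

if __name__ == "__main__":
    print("blind spots:", blind_spots(SAMPLE_INVENTORY))
    print("segments needing isolation:", shared_segments(SAMPLE_INVENTORY))
```

Running the script on the sample data flags the two unpatched Windows XP / Server 2003 devices with no agent, and reports that they share the "clinical" segment with a monitored workstation, which is the condition under which the report's attackers could pivot from a device into the hospital network. The same query, run against a real CMDB export, gives a defender the list of devices to segment or compensate for first.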
