MEDJACK.3 Medical Device Hijack Cyber Attacks Evolve

Session ID: HT-R02 (#RSAC)
Anthony James, Corporate Marketing Officer, TrapX Security, and Moshe Ben Simon, VP TrapX Labs, TrapX Security

Agenda
• State of Cybersecurity in Healthcare
• An Introduction to MEDJACK
• MEDJACK Case Studies and the Evolution of MEDJACK.3
• Anatomy of the MEDJACK.3 Attack
• How Deception Technology Can Stop MEDJACK

The Facts - 2016 Year in Review
• 27% of all reported breaches in the first half of 2016 were in the healthcare industry, the most attacked industry in that period (Source: Gemalto 1st Half Findings from 2016 Breach Level Index Data)
• 93 major* healthcare data breaches happened in 2016, a 63% increase over 2015, for a total of 12,057,759 records (Source: Healthcare Cyber Breach Research Report for 2016, TrapX Security, Dec 2016)
• 31% of all HIPAA data breaches in 2016 were caused by IT/hacking, an increase of over 200% since 2014 (Source: Healthcare Cyber Breach Research Report for 2016, TrapX Security, Dec 2016)
• Ransomware experienced a 300% increase from 2015 to Q1 2016 (Source: Symantec Security Response - Q1 2016 Data)

Why Healthcare?
• Cyber-criminals seeking financial gains; no nation states yet
• Ease of attack
• Value of rewards: patient records are still the best target for ransomware
• The price of the ransom is less than the financial loss

An Introduction to MEDJACK

Medical Device Hijack (MEDJACK) Defined
• Healthcare institutions are targeted by medical device hijack (MEDJACK).
• Attackers design specific malware tools with the goal of establishing a "backdoor" within a medical device.
• Then they complete their objective ...

Why Medical Devices? Medical devices are highly vulnerable:
• Legacy operating systems
• Certification limits security enhancements
• No after-market security solutions
• Expensive equipment with long lifecycles
• No easy way to detect and remediate attacked medical equipment

Anatomy of a MEDJACK Attack (network diagram built up over four slides; only its labels survive extraction)
• Stage 1: Attacker, Internet, Firewall, Switch
• Stage 2: Ultrasound, MRI, CT Scan
• Stage 3: PACS servers, Internal Client, Remote Client
• Stage 4: PACS, Print

Case Study 1 - MEDJACK.2

Oncology Position Management System
• Radiation oncology running Windows XP
• PC controls the precision and safety process of the system

Oncology System Exploited (diagram; labels recovered)
• Hospital #1: oncology system compromised in the oncology department
• Exploited embedded Windows XP on the radiation oncology position management system
• Back door; attack spreads laterally (respiratory and fluoroscopic radiological systems are also shown with back doors)
• Ignored by newer operating systems
• Upload malicious payload
• Utilized packed code to avoid detection
• Hidden to new cybersecurity
• DeceptionGrid traps (shown in the diagram)

Case Study 2 - MEDJACK.3 Technical Preview

Active Case Study for MEDJACK.3
• Discovered at a hospital system with over 10 major member hospitals involved
• Malware specifically targeting medical devices with an older OS (Windows XP or Windows Server 2003)
• Ignored newer 2008/2012 operating systems
• PACS image viewer machine was the targeted medical system
• This machine has access to a huge repository of medical records, such as patient images
• Attacker used C&C for a backdoor within a PACS image viewer

Wolf in Sheep's Clothing
• Attack used an old spreading technique to be "ignored" by new OS
• Modified, wrapped version of Win32.Kido, ignored by newer Windows systems
• Core infection strategically targeted legacy Windows OS, commonly known in healthcare to be used for medical equipment
• Sophisticated payload: the second-stage payload had anti-VM and anti-debugging code to avoid detection
• Polled every 3 hours, looking to spread to other medical devices across network VLANs

Technical Details Review
• File MD5 hash: 378a2915bcec89903faaf5cff2138740
• Infects systems across a network by exploiting a vulnerability in the Windows Server service (svchost.exe)
• If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled
• It may also spread via removable USB drives
• Attempts to propagate using PTH / weak dictionary administrator passwords on the affected systems
• Disables several important system services and security products
• Anti-debugging and environment-aware capabilities

Technical Details Review
• File is packed with the UPX packer to hide its components
• TrapX unpacked the file and gathered the new MD5: unpacked file MD5 hash ae538bfa64c71ab338692d60ea709451
• Interesting Windows API functions:
  - IsDebuggerPresent: detects whether the malware is running in a debugger
  - GetProcAddress: retrieves the address of a function in a DLL loaded into memory
  - LoadLibrary: loads a DLL into a process that may not have been loaded when the program started
  - VirtualAllocEx: a memory-allocation routine that can allocate memory in a remote process.
    Malware sometimes uses VirtualAllocEx as part of process injection.

Technical Details Review
• Propagation: attempts to drop a copy of itself in a remote computer's ADMIN$ share
  - The copy is done using the credentials of the currently logged-on user on the system the malware executed on
  - If the step above fails (or the current user doesn't have rights), the malware will enumerate users on the remote system and use a combination of weak passwords to attempt to log in to the remote system
• Persistence: adds itself to the Windows autorun
  - In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Sets value: "<random string>"
  - With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"

Technical Details Review
• Persistence: it may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe; it registers itself under the registry key HKLM\SYSTEM\CurrentControlSet\Services
• Remote scheduled job: after infecting a remote system it creates a scheduled task job to execute itself
• Mapped and removable drives: may drop a copy of itself on all mapped and removable drives using a random file name
• HTTP callback: C&C connection to an external server (IP-based connection)
• One of the infections indicates that an internal desktop was used as the C&C server that may manage the operation
• Resets system restore points: may reset system restore points, likely to prevent the victim from using System Restore

Quick Snapshot of MEDJACK in the Darknet

Alerting Medical Organization on Data Breach

What Can We Learn?
• Healthcare remains a highly targeted industry; risk grows
• Medical devices are at extremely high risk
• Attacks are targeted, sophisticated and widespread
• Older attack code is used for propagation to minimize detection by newer systems
• Most healthcare institutions cannot detect this attack

Questions?

Thank you for attending. For more information email [email protected] or call 855-249-4453.
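The two persistence mechanisms on the "Technical Details Review" slides (a random-named value under HKCU\...\Run that launches rundll32.exe with a DLL from the system folder, and a service hosted in the netsvcs svchost group) can be checked offline against an exported registry baseline. The following is an added example written for this page, not TrapX code and not part of the deck; the baseline sets, the sample Run values and the sample services are constructed, and the value and DLL names in them are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed baseline (assumption: exported from a known-good image of the
# device, e.g. the PACS viewer build). Anything outside it is worth a look.
KNOWN_RUN_VALUES = {"IMJPMIG8.1", "VMware User Process"}
KNOWN_NETSVCS_DLLS = {"wuauserv.dll", "browser.dll", "schedsvc.dll", "seclogon.dll"}
SYSTEM_FOLDERS = ("c:\\windows\\system32", "c:\\winnt\\system32", "%systemroot%\\system32")

# The launch form the deck describes: rundll32.exe <system folder>\<name>.dll,<params>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^,"\s]+\.dll)"?', re.IGNORECASE)


@dataclass
class Finding:
    location: str  # registry location of the entry
    dll: str       # DLL basename, lower-cased
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_folder(path: str) -> bool:
    return path.lower().startswith(SYSTEM_FOLDERS)


def check_run_values(run_values: dict) -> list:
    """run_values maps value name -> data under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    findings = []
    for name, data in run_values.items():
        m = RUNDLL_RE.search(data)
        if not m or name in KNOWN_RUN_VALUES:
            continue
        if _in_system_folder(m.group("dll")):
            findings.append(Finding(f"HKCU\\...\\Run\\{name}", _basename(m.group("dll")),
                                    "rundll32 loads a system-folder DLL under a value name not in the baseline"))
    return findings


def check_netsvcs_services(services: list) -> list:
    """services: dicts with name, ImagePath, ServiceDll read from HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    findings = []
    for svc in services:
        if "-k netsvcs" not in svc["ImagePath"].lower():
            continue  # only services hosted in the netsvcs svchost group
        dll = _basename(svc["ServiceDll"])
        if dll not in KNOWN_NETSVCS_DLLS:
            findings.append(Finding(f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc['name']}", dll,
                                    "netsvcs-hosted service whose ServiceDll is not in the baseline"))
    return findings


def scan_persistence(run_values: dict, services: list) -> list:
    """Run both checks and correlate: one DLL in both places is the double persistence the deck describes."""
    findings = check_run_values(run_values) + check_netsvcs_services(services)
    run_dlls = {f.dll for f in findings if f.location.startswith("HKCU")}
    svc_dlls = {f.dll for f in findings if f.location.startswith("HKLM")}
    for dll in sorted(run_dlls & svc_dlls):
        findings.append(Finding("HKCU Run + HKLM Services", dll,
                                "same DLL registered in both persistence locations"))
    return findings


# Constructed sample registry content: one benign Run value, one suspicious
# rundll32 value, and three services of which one is a netsvcs impostor.
SAMPLE_RUN = {
    "IMJPMIG8.1": r'"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32',
    "wjqtzx": r"rundll32.exe C:\WINDOWS\system32\hjuwpq.dll,kcvbnm",
}
SAMPLE_SERVICES = [
    {"name": "wuauserv", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"%SystemRoot%\system32\wuauserv.dll"},
    {"name": "Dhcp", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
     "ServiceDll": r"%SystemRoot%\system32\dhcpcsvc.dll"},
    {"name": "ptqmwsv", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\WINDOWS\system32\hjuwpq.dll"},
]

if __name__ == "__main__":
    for f in scan_persistence(SAMPLE_RUN, SAMPLE_SERVICES):
        print(f"{f.location}: {f.dll} ({f.reason})")
```

On a real device the two inputs would come from a registry export of the Run key and the Services key; the baseline is what makes this useful, since on a fixed-function medical device the set of autorun entries and netsvcs DLLs should not change between reboots.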
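The propagation slide describes a recognisable sequence on the victim's side: the malware first tries the ADMIN$ share with the logged-on user's credentials and, failing that, enumerates users and cycles weak passwords before it succeeds. The detection below, an added example and not part of the deck or of TrapX's products, reconstructs that sequence from Windows security events (4625 failed logon, 5140 share accessed). The event lines are constructed in a simplified key=value form, and the ten-minute window, five-failure threshold and jump-host allowlist are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified security-event lines (assumption: one event per line as
# "<iso timestamp> key=value ..."; 4625 = failed logon, 5140 = network share accessed).
SAMPLE_EVENTS = """\
2016-12-01T03:10:02 event=4625 host=PACS-VIEWER-02 src=10.20.5.17 user=administrator
2016-12-01T03:10:03 event=4625 host=PACS-VIEWER-02 src=10.20.5.17 user=administrator
2016-12-01T03:10:03 event=4625 host=PACS-VIEWER-02 src=10.20.5.17 user=admin
2016-12-01T03:10:04 event=4625 host=PACS-VIEWER-02 src=10.20.5.17 user=admin
2016-12-01T03:10:05 event=4625 host=PACS-VIEWER-02 src=10.20.5.17 user=backup
2016-12-01T03:10:06 event=4625 host=PACS-VIEWER-02 src=10.20.5.17 user=backup
2016-12-01T03:10:09 event=5140 host=PACS-VIEWER-02 src=10.20.5.17 user=administrator share=\\\\*\\ADMIN$
2016-12-01T08:45:11 event=4625 host=MRI-WS-01 src=10.1.1.5 user=jsmith
2016-12-01T09:02:40 event=5140 host=MRI-WS-01 src=10.1.1.5 user=itadmin share=\\\\*\\ADMIN$
"""

FAIL_THRESHOLD = 5               # failed logons from one source to one host ...
WINDOW = timedelta(minutes=10)   # ... inside this window count as a dictionary attack
ADMIN_JUMP_HOSTS = {"10.1.1.5"}  # constructed allowlist: IT hosts expected to use ADMIN$

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text: str) -> list:
    """Turn the key=value lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events


def detect_lateral_movement(events: list) -> list:
    """Flag failed-logon bursts and ADMIN$ access that follows one (or comes from a non-admin host)."""
    alerts = []
    recent = defaultdict(list)  # (src, host) -> [(ts, user)] failed logons inside WINDOW
    bursts = set()              # (src, host) pairs that already crossed FAIL_THRESHOLD
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        if ev["event"] == "4625":
            window = [(t, u) for t, u in recent[key] if ev["ts"] - t <= WINDOW]
            window.append((ev["ts"], ev["user"]))
            recent[key] = window
            if len(window) >= FAIL_THRESHOLD and key not in bursts:
                bursts.add(key)
                alerts.append({"type": "failed-logon burst", "src": ev["src"], "host": ev["host"],
                               "failures": len(window), "users": sorted({u for _, u in window})})
        elif ev["event"] == "5140" and ev.get("share", "").upper().endswith("ADMIN$"):
            if key in bursts:
                alerts.append({"type": "ADMIN$ access after failed-logon burst",
                               "src": ev["src"], "host": ev["host"], "user": ev["user"]})
            elif ev["src"] not in ADMIN_JUMP_HOSTS:
                alerts.append({"type": "ADMIN$ access from non-admin host",
                               "src": ev["src"], "host": ev["host"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second rule matters most for medical-device VLANs: a workstation that is neither an IT jump host nor a domain controller has no business writing to ADMIN$ on an MRI console, burst or no burst, which is why the allowlist is a separate condition rather than part of the threshold.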
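The "Wolf in Sheep's Clothing" slide says the implant polled every 3 hours, and the later slide notes the C&C connection was IP-based (no hostname) and in one case pointed at an internal desktop. A fixed period with a literal-IP destination is detectable from connection logs without any signature. This added example is not from the deck or from TrapX; the connection records are constructed, the five-connection minimum and 5% jitter tolerance are assumptions, and the internal-network list stands in for the hospital's real address plan.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed connection records: "<iso timestamp> <source host> <destination> <port>".
# Two devices beacon to a literal IP every ~3 hours (one external, one to an internal
# desktop); a PACS server talks to an update host on an irregular schedule.
SAMPLE_CONNECTIONS = """\
2016-12-01T00:00:00 MRI-WS-01 203.0.113.45 80
2016-12-01T03:00:05 MRI-WS-01 203.0.113.45 80
2016-12-01T06:00:02 MRI-WS-01 203.0.113.45 80
2016-12-01T09:00:07 MRI-WS-01 203.0.113.45 80
2016-12-01T12:00:03 MRI-WS-01 203.0.113.45 80
2016-12-01T00:30:00 ULTRASOUND-03 10.20.7.44 8080
2016-12-01T03:30:01 ULTRASOUND-03 10.20.7.44 8080
2016-12-01T06:30:04 ULTRASOUND-03 10.20.7.44 8080
2016-12-01T09:29:58 ULTRASOUND-03 10.20.7.44 8080
2016-12-01T12:30:02 ULTRASOUND-03 10.20.7.44 8080
2016-12-01T00:00:00 PACS-SRV-01 wsus.hospital.example 8530
2016-12-01T00:40:00 PACS-SRV-01 wsus.hospital.example 8530
2016-12-01T03:15:00 PACS-SRV-01 wsus.hospital.example 8530
2016-12-01T05:00:00 PACS-SRV-01 wsus.hospital.example 8530
2016-12-01T07:10:00 PACS-SRV-01 wsus.hospital.example 8530
"""

MIN_CONNECTIONS = 5   # need at least four intervals before calling something periodic
MAX_JITTER = 0.05     # every interval must sit within 5% of the median interval
# Assumed internal address plan; replace with the site's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _literal_ip(dst: str):
    """Return the parsed address if dst is a bare IP (no DNS name), else None."""
    try:
        return ipaddress.ip_address(dst)
    except ValueError:
        return None


def parse_connections(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def detect_beacons(rows: list) -> list:
    """Group connections per (src, dst, port) and flag regular intervals to a literal IP."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in rows:
        by_pair[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), stamps in by_pair.items():
        ip = _literal_ip(dst)
        if ip is None or len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0 or max(abs(g - period) for g in gaps) / period > MAX_JITTER:
            continue  # irregular traffic, not a timer-driven poll
        beacons.append({"src": src, "dst": dst, "port": port,
                        "period_hours": round(period / 3600, 2),
                        "internal_dst": any(ip in net for net in INTERNAL_NETS)})
    return beacons


if __name__ == "__main__":
    for b in detect_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        print(b)
```

The internal_dst flag is what surfaces the case the deck mentions, a desktop inside the hospital acting as the C&C relay: a medical device polling another workstation on a fixed timer is as anomalous as polling the Internet, and a rule that only looks at egress would miss it.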
