Channel: iTWire - Entertainment

Malware MEDJACK.3 found on critical hospital devices


Life-threatening malware targeting older embedded and Windows operating systems has been found on a range of network-connected medical devices, including heart monitors, insulin pumps, MRI scanners and X-ray machines.

TrapX vice president of marketing Anthony James revealed this at the RSA conference. TrapX was conducting a proof-of-value investigation of the medical infrastructure of ten UK member hospitals when it noticed sophisticated advances in how hackers were entering networks.

When the devices were probed, TrapX researchers learned how vulnerable they were. Devices were deployed on older operating systems (Windows XP, Windows Server 2003, 2008, 2012).

James said, "What was really interesting and different with MEDJACK.3 [to MEDJACK.2] was the attack was more targeted. The others were indiscriminate - they would take anything that would accept malware."


TrapX found malware planted on several types of medical devices, including an X-ray printer, an oncology unit's MRI scanner, a surgical centre's blood gas analyser and a health care provider's PACS (picture archiving and communication system). While the payload could be life-threatening, the aim of the malware appeared to be largely to use the device as a stepping stone into the hospital network in search of valuable patient information.

"Those devices are in the operating room; they could be in a hospital bed. Lives could be dependent on them and if they're disrupted with malware or ransomware or other attacker toolkits, they may not be able to do what they're meant to do," James said.

Malware planted on a blood gas analyser could impact the information a surgeon uses to determine the amount of anaesthesia a patient needs. Malware planted on a heart monitor or dialysis machine could corrupt data and result in a fatal breach.

TrapX learned that the hackers were using an old malware spreader to direct the attack specifically at older operating systems. An OS lacking the relevant security patches would be left vulnerable and accept the hacker's tool, whereas newer operating systems such as Windows 10 would ignore it, because they had already been patched against those spreading techniques.

"This is a major problem for the healthcare industry because most medical devices run old operating systems and software. A high percentage of healthcare infrastructure already has these types of attacks resident in their medical devices; they just don't know it. Healthcare institutions often don't have the mentality that devices are all on the same network. These devices are viewed as industrial machines, but they can be breach points," James said.
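The two conditions James describes, devices on unpatched legacy operating systems and medical equipment sharing a flat network with ordinary workstations, are both things a hospital can check from its own asset inventory. The following is an added example (editor's code, not TrapX's or iTWire's) that audits a constructed inventory for exactly those two findings. The CSV columns, the hostnames and addresses, the /24 subnet assumption and the choice of which OS names count as legacy are all assumptions made for the illustration.

```python
"""Audit a medical-device inventory for legacy operating systems and for
medical devices sharing a subnet with general-purpose workstations.
Added example; all data below is constructed, not from the article."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed inventory (assumed CSV layout; not real hospital data).
INVENTORY_CSV = """hostname,role,device_type,os,ip
bga-01,medical,blood gas analyser,Windows XP,10.20.5.14
mri-onc-1,medical,MRI scanner,Windows Server 2003,10.20.5.22
pacs-core,medical,PACS server,Windows Server 2012,10.20.5.40
ws-nurse-07,workstation,nurse workstation,Windows 10,10.20.5.101
ws-admin-02,workstation,admin workstation,Windows 10,10.30.1.12
"""

# OS families the article names as hosting MEDJACK.3 infections. Windows
# Server 2012 is deliberately left out (assumption: it still received
# patches when the article was written; adjust to your own support policy).
LEGACY_OS_PREFIXES = ("windows xp", "windows server 2003", "windows server 2008")


def parse_inventory(text):
    """Read the inventory CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def is_legacy_os(os_name):
    """True when the OS string starts with one of the legacy family names."""
    return os_name.strip().lower().startswith(LEGACY_OS_PREFIXES)


def legacy_devices(devices):
    """Hostnames of every device running a legacy OS."""
    return sorted(d["hostname"] for d in devices if is_legacy_os(d["os"]))


def flat_network_exposures(devices, prefix_len=24):
    """Medical devices that share a subnet (assumed /24) with workstations:
    the 'all on the same network' condition James describes."""
    by_subnet = defaultdict(list)
    for d in devices:
        net = ipaddress.ip_network(f"{d['ip']}/{prefix_len}", strict=False)
        by_subnet[net].append(d)
    exposed = []
    for members in by_subnet.values():
        roles = {m["role"] for m in members}
        if {"medical", "workstation"} <= roles:
            exposed.extend(m["hostname"] for m in members if m["role"] == "medical")
    return sorted(exposed)


def audit(text):
    """Run both checks and return the findings keyed by finding type."""
    devices = parse_inventory(text)
    return {
        "legacy_os": legacy_devices(devices),
        "flat_network": flat_network_exposures(devices),
    }


if __name__ == "__main__":
    for finding, hosts in audit(INVENTORY_CSV).items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Note that `pacs-core` is not flagged for its OS but is still flagged for network exposure: a device on a supported OS is still a pivot target if it sits beside the workstations an attacker reaches first, which is why the two checks are reported separately.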

Comment

I have been intrigued by this company and its unique deception technology approach since I wrote about it last month.

It has just released a new version of its Deception-in-Depth architecture, featuring traps built on a full operating system that can completely replicate a production environment while improving the ability to visualise attacks.

It has significantly deepened the deception capabilities designed to bait, engage and trap attackers throughout all stages of a breach. The DeceptionGrid expansion adds a new layer of deception to the existing multi-layered approach. With the ability to deploy a high-interaction trap based on a full OS, customers can clone existing assets to gather deeper intelligence on the intruder. This deep-interaction layer makes attacks easier to visualise and deceives attackers more effectively, by tailoring the deception layers to match the attack vectors in use.

The full OS provides enhanced forensic capabilities that allow users to understand an attack in more detail. With this knowledge, security teams can quickly identify the assets being targeted from the attacker's point of view, locate the attackers and determine what they are attempting to accomplish.

DeceptionGrid 6.0's newest features include:

  • High-Interaction (Full Operating System) Traps: DeceptionGrid now supports the ability for customers to clone existing assets with our new tier of high-interaction (full OS) Traps. These traps work in concert with the existing medium-interaction traps and can completely replicate actual production servers to further deceive and more deeply engage attackers.
  • Active Traps: New active-traps functionality creates a stream of false network traffic among deployed traps to confuse and divert attackers that monitor the traffic, ensuring they engage with the deployed traps.
  • Powerful Attack Visualization: New expanded visualization enables the security operations team to rapidly understand the activities of the attacker over time, from the originating intrusion to the assets they are engaging with, to the final containment.
  • Attack identification: New attack identification automatically determines whether an attack is being conducted by a human attacker or by automated attack tools, giving security teams a better understanding of the attack and of the appropriate containment methods.
  • Built-in industry templates: The patented medium-interaction traps now include expanded templates for specialised devices by industry. These templates include ATMs and SWIFT assets for financial services, Point of Sale (PoS) devices for retailers, devices for medical and manufacturing use, and many more, allowing customers in diverse industries to determine whether attackers are targeting specialised devices that are often vulnerable to attack.
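The value of a decoy medical device is that it has no legitimate users, so any connection to it is a high-fidelity alert, and the timing of those connections gives a first hint at whether a person or a tool is behind them. The following added example (editor's code, not TrapX's product or its method) processes a constructed log of connections to decoy hosts: it groups them by source, and applies a simple timing heuristic to label each source "automated" or "interactive". The event format, the decoy names and addresses, and the thresholds in the heuristic are all assumptions for the illustration; a real deployment would tune them against its own traffic.

```python
"""Turn decoy-connection events into per-source alerts with a rough
human-vs-tool classification. Added example with constructed data."""
from collections import defaultdict
from statistics import median

# Constructed decoy connection log: (seconds since start, source IP,
# decoy hostname, destination port). Decoys serve no real users, so every
# row here is suspicious by construction.
DECOY_EVENTS = [
    (0.0, "10.20.5.101", "decoy-pacs", 445),
    (0.2, "10.20.5.101", "decoy-pacs", 139),
    (0.4, "10.20.5.101", "decoy-xray", 445),
    (0.6, "10.20.5.101", "decoy-xray", 3389),
    (0.8, "10.20.5.101", "decoy-bga", 445),
    (12.0, "10.30.1.12", "decoy-pacs", 3389),
    (41.5, "10.30.1.12", "decoy-pacs", 3389),
    (97.0, "10.30.1.12", "decoy-pacs", 445),
]


def group_by_source(events):
    """Collect each source's connections, sorted by time."""
    by_src = defaultdict(list)
    for ts, src, decoy, port in events:
        by_src[src].append((ts, decoy, port))
    for conns in by_src.values():
        conns.sort()
    return by_src


def classify_source(conns, fast_gap=1.0, min_targets=3):
    """Heuristic (assumption, not TrapX's algorithm): many distinct
    decoy:port targets touched with sub-second regularity looks like a
    tool; a few slow touches of the same decoy looks like a person."""
    if len(conns) < 2:
        return "unknown"
    targets = {(decoy, port) for _, decoy, port in conns}
    gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
    if median(gaps) < fast_gap and len(targets) >= min_targets:
        return "automated"
    return "interactive"


def decoy_alerts(events):
    """One alert per source: connection count, decoys touched, classification."""
    return {
        src: {
            "connections": len(conns),
            "decoys": sorted({decoy for _, decoy, _ in conns}),
            "classification": classify_source(conns),
        }
        for src, conns in group_by_source(events).items()
    }


if __name__ == "__main__":
    for src, alert in decoy_alerts(DECOY_EVENTS).items():
        print(src, alert)
```

The classification is deliberately a first-pass triage signal, not a verdict: an operator would still look at what the "interactive" source did once it reached a high-interaction trap, which is exactly the forensic detail the full-OS traps are meant to provide.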

