TrapX Study Points to Invasive Attacks Against Hospitals

By Sean Michael Kerner  |  Posted 2016-06-27

TrapX describes Medical Device Hijack 2 as a focused, customized exploit and attack by organized crime against hospitals' network-connected medical devices.

Hackers are increasingly going after hospitals and honing their techniques, according to a new report from TrapX Security titled "Anatomy of an Attack—Medical Device Hijack 2" (MEDJACK 2).

The MEDJACK 2 report is a follow-up to a 2015 TrapX study that detailed how hackers exploit medical devices and facilities to steal information.

Multiple studies in 2016 so far have identified a growing trend of ransomware attacks on hospitals. While some forms of ransomware are delivered by generic exploit kits, the MEDJACK attacks are not exploit-kit campaigns in the same category as, for example, those run with the Angler exploit kit.

"MEDJACK 2 represents a laser-focused, customized exploit and attack by organized crime against hospitals' network-connected medical devices," Moshe Ben-Simon, co-founder and vice president of services and TrapX Labs at TrapX, told eWEEK. "While MEDJACK.2 can support ransomware attacks, the primary goal is the far more lucrative theft of patient data."

In contrast, Angler is much more of a standard exploit toolkit designed for Microsoft Windows operating systems, where the user has failed to install updates or falls prey to a browser-based vulnerability, Ben-Simon said. Angler is more of a toolkit, or software as a service, for unsophisticated attackers to build exploits for almost any purpose.

In MEDJACK 2 attacks, the attackers use scanning tools to look across a network for their target, which is typically an older, more vulnerable operating system running on the embedded processors inside medical devices.

"MEDJACK 2 is likely launched often by organized crime—this conclusion is based on anecdotal evidence and forensics from our security operations center and the review of actual case studies," Ben-Simon said.

The TrapX MEDJACK 2 report looks at how hackers are infiltrating hospital networks and devices and how the MEDJACK attack itself has evolved over the past year.

"In MEDJACK 1, attackers were able to pretty much find only basic medical devices," Ben-Simon said. "In MEDJACK 2, we found the new ability for attackers to recognize PACS [picture archiving and communication systems], versus medical devices, and plan their attacks accordingly."

Once inside a hospital network, the attackers carefully sought out the largest repositories of detailed patient data, which are often the PACS systems. PACS holds a central role in a health care network, with hospital clinicians, ambulatory physicians and diagnostic laboratories all depositing, accessing or updating data within the PACS systems.

In TrapX's first MEDJACK report, most attackers were found within the first VLAN they penetrated, and they stayed within that VLAN. With MEDJACK 2, however, the attackers' methodology was significantly more sophisticated, according to Ben-Simon, with attackers moving laterally across multiple network VLANs.

Additionally, MEDJACK 2 attackers used simple worms that were designed to be invisible to standard security tools and to be dismissed as harmless by endpoint operating systems.

"This suggested to us a concerted effort by attackers to penetrate health care networks and to take advantage of the weaknesses of specific medical devices," Ben-Simon said.

TrapX's core technology is its DeceptionGrid platform, which aims to trick attackers that are attempting to infiltrate a network. To date, TrapX has raised $9 million in venture capital to execute its product plans.

TrapX offers medical emulation traps (decoys) that emulate X-ray machines, CT scan/MRI systems and PACS systems.

"We emulate the medical de facto protocol DICOM [Digital Imaging and Communications in Medicine], which serves the industry as the medical data delivery protocol across hospital networks," Ben-Simon said. "We have specific emulations for devices as specialized as blood gas analyzers."
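To make that emulation concrete, here is an added example (not TrapX's code, and not part of the original article) of the first thing a DICOM-speaking decoy has to do: parse the A-ASSOCIATE-RQ that every DICOM client sends before any query, read the called and calling AE titles and the requested SOP classes, and decide whether the peer is merely pinging the device (C-ECHO) or asking it for patient records (C-FIND), which is the behaviour the report attributes to attackers hunting for PACS. The PDU layout and the UIDs come from the DICOM standard; the sample association, the implementation identifiers and the AE-title allowlist are constructed for the example.

```python
"""Minimal DICOM upper-layer decoy front end.

Parses an A-ASSOCIATE-RQ PDU (the first message any DICOM client sends) and
classifies what the peer is asking the fake 'PACS' for. Added example, not
TrapX code; the sample association built below and the AE-title allowlist are
constructed for illustration. PDU layout and UIDs follow DICOM PS3.7/PS3.6.
"""
import struct

# Well-known UIDs from the DICOM standard.
APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"
VERIFICATION_SOP = "1.2.840.10008.1.1"                # C-ECHO
PATIENT_ROOT_FIND = "1.2.840.10008.5.1.4.1.2.1.1"     # C-FIND, patient root
STUDY_ROOT_FIND = "1.2.840.10008.5.1.4.1.2.2.1"       # C-FIND, study root
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
QUERY_SOPS = {PATIENT_ROOT_FIND, STUDY_ROOT_FIND}


def _item(item_type, body):
    """Encode one variable item: type, reserved byte, 16-bit BE length, body."""
    return struct.pack(">BBH", item_type, 0, len(body)) + body


def build_associate_rq(called_ae, calling_ae, abstract_syntaxes,
                       impl_version=b"SAMPLE_CLIENT_1"):
    """Build an A-ASSOCIATE-RQ (PDU type 0x01) as a DICOM client would send it.
    Used here only to fabricate sample traffic; identifiers are hypothetical."""
    assert len(called_ae) <= 16 and len(calling_ae) <= 16
    items = _item(0x10, APP_CONTEXT_UID.encode("ascii"))
    for n, uid in enumerate(abstract_syntaxes):
        pc_id = 2 * n + 1                                   # IDs must be odd
        pc_body = struct.pack(">BBBB", pc_id, 0, 0, 0)
        pc_body += _item(0x30, uid.encode("ascii"))         # abstract syntax
        pc_body += _item(0x40, IMPLICIT_VR_LE.encode("ascii"))  # transfer syntax
        items += _item(0x20, pc_body)                       # presentation context
    user_info = _item(0x51, struct.pack(">I", 16384))       # max PDU length
    user_info += _item(0x52, b"1.2.3.4.5.6.7.8.9")          # impl. class UID (made up)
    user_info += _item(0x55, impl_version)                  # impl. version name
    items += _item(0x50, user_info)
    fixed = (struct.pack(">HH", 1, 0) + called_ae.ljust(16).encode("ascii")
             + calling_ae.ljust(16).encode("ascii") + bytes(32))
    return struct.pack(">BBI", 0x01, 0, len(fixed) + len(items)) + fixed + items


def _iter_items(buf):
    """Yield (item_type, body) for consecutive items; refuse truncated input."""
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated item header")
        item_type, _, length = struct.unpack(">BBH", buf[pos:pos + 4])
        body = buf[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("item length runs past end of PDU")
        yield item_type, body
        pos += 4 + length


def parse_associate_rq(pdu):
    """Parse an A-ASSOCIATE-RQ into a dict; raise ValueError on malformed input."""
    if len(pdu) < 74:
        raise ValueError("PDU too short")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ (type 0x%02x)" % pdu_type)
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match data")
    info = {
        "version": struct.unpack(">H", pdu[6:8])[0],
        "called_ae": pdu[10:26].decode("ascii", "replace").strip(),
        "calling_ae": pdu[26:42].decode("ascii", "replace").strip(),
        "app_context": None,
        "abstract_syntaxes": [],
        "impl_version": None,
    }
    for item_type, body in _iter_items(pdu[74:]):
        if item_type == 0x10:                     # application context
            info["app_context"] = body.decode("ascii", "replace")
        elif item_type == 0x20:                   # presentation context
            for sub_type, sub in _iter_items(body[4:]):   # skip id + 3 reserved
                if sub_type == 0x30:
                    info["abstract_syntaxes"].append(sub.decode("ascii", "replace"))
        elif item_type == 0x50:                   # user information
            for sub_type, sub in _iter_items(body):
                if sub_type == 0x55:
                    info["impl_version"] = sub.decode("ascii", "replace").strip()
    return info


def is_malformed(pdu):
    """True if the parser rejects the bytes; a decoy should log those too."""
    try:
        parse_associate_rq(pdu)
        return False
    except ValueError:
        return True


def classify(info, known_aes):
    """Decoy verdict. Nothing legitimate should associate with a decoy, so every
    request is logged; the SOP classes say what the peer wants, and known_aes
    (a hypothetical allowlist of the real PACS's peers) says whether the
    calling AE title is one an attacker may be impersonating."""
    sops = set(info["abstract_syntaxes"])
    if sops & QUERY_SOPS:
        service, severity = "patient-data query (C-FIND)", "high"
    elif sops == {VERIFICATION_SOP}:
        service, severity = "connectivity probe (C-ECHO)", "medium"
    else:
        service, severity = "other service", "medium"
    return {"service": service, "severity": severity,
            "known_ae": info["calling_ae"] in known_aes}


if __name__ == "__main__":
    # Constructed sample: an unknown AE title asks the decoy for C-ECHO and a study-root C-FIND.
    pdu = build_associate_rq("PACS_MAIN", "WORKSTN7", [VERIFICATION_SOP, STUDY_ROOT_FIND])
    info = parse_associate_rq(pdu)
    print(info)
    print(classify(info, {"CT_SCANNER1", "RIS_GATEWAY"}))
```

A real decoy would answer with an A-ASSOCIATE-AC and keep talking so the attacker's C-FIND identifiers can be recorded, but the association request alone already tells the defender which AE title is being impersonated and whether the peer is after patient records rather than a connectivity check.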

Ben-Simon noted that once the attackers get inside a network and establish command and control, they move laterally to discover new resources and keep monitoring the network infrastructure to see whether new security tools are being deployed against them. The goal of TrapX's technology is to deceive the attackers and thwart their efforts. Attackers have often been inside hospital networks for many months or even years, he said.

"Anecdotally, our data shows that infected machines were compromised at least one year or more," Ben-Simon said. "In one surgical urgent care center, we found embedded malware and attacker command and control that was in place for three years within a medical device."

MEDJACK 2 hackers use a variety of entry vectors to infiltrate health care networks. One of the most common entry points is through targeted email and social-engineering attacks against hospital personnel.

"Standard workstations, information technology assets and the cyber-defenses that protect them work on the multitude of attacks, but MEDJACK can move through the network quickly enough to find and penetrate a medical device, where none of the standard cyber-defenses can reach," Ben-Simon said. "Once inside, [attackers] are protected and can establish command and control and begin the process of reconnaissance to find and exfiltrate high-value data."

Ben-Simon expects MEDJACK to keep evolving as attackers increase the sophistication of their tactics and tools. Among the changes he expects for MEDJACK 3 is improved packaging of ransomware capabilities.

"In the first punch, attackers have already exfiltrated the patient data silently," Ben-Simon said. "The second punch will bring a well-orchestrated attack against the network to encrypt and freeze all of the data."

Additionally, Ben-Simon expects the number of data breaches in health care to keep rising over time. Part of the reason is that medical devices are closed systems whose FDA (Food and Drug Administration) approval restricts hospitals from modifying them, so standard cyber-defenses cannot easily inspect them.

"We believe that almost all hospitals have undiscovered MEDJACK instances currently within their networks and that the discovery and remediation of this threat will receive substantially increased energy and focus by hospital personnel over 2017 and 2018," Ben-Simon said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.
