
Hospitals targeted using camouflaged old malware

Specialised devices running older versions of operating systems are becoming critical points of cyber attack vulnerability, warns TrapX Security

Cyber attackers are targeting hospitals and other specialised facilities by camouflaging old malware to steal patient data held on legacy systems, researchers at TrapX Security have revealed.

Cyber attacks continue to target the healthcare industry, producing a steady stream of attacks on hospital networks that have successfully penetrated security defences and continue to compromise medical devices, according to a report released by the security firm.

Although the report focuses on the healthcare industry, the findings have implications for other industries that use specialist devices, said Anthony James, CMO at TrapX Security. “We have seen similar attacks in the manufacturing sector,” he told Computer Weekly.

According to James, the report has direct relevance for any industry that uses specialist devices, such as point of sale (PoS) and automated teller machines (ATMs) that use operating systems they do not control and cannot change, which can include internet of things (IoT) devices.

These industries, including retail, financial services, healthcare and manufacturing, should start thinking about how they are going to secure such devices, because they are becoming “critical points of vulnerability” that attackers can use to access the network and cause “significant harm”, he said.

The latest report from TrapX is a follow up on an earlier report issued in 2015 that detailed how persistent attacks on Windows-based medical devices, such as blood gas analysers, were going undetected for months.

“Many of these systems use older versions of Windows such as XP, but healthcare organisations are typically not allowed to change anything on these systems once they are approved by the healthcare authorities, including updates to the underlying operating systems,” said James.

The first report showed how cyber criminals were using medical devices as key points from which to launch attacks inside healthcare networks and steal data.

Once alerted to this as the way attackers were getting into their systems, healthcare organisations saw the need to put in additional layers of protection and tools to detect whether any malicious activity was taking place.

Targeting legacy systems for cyber attacks

The latest report explains how attackers have evolved and are now increasingly targeting medical devices that run legacy operating systems with known vulnerabilities. Once these devices have been compromised, attackers can install tools that serve as back doors into the network.

The evolution consists of using old attacks in a new way, because healthcare organisations had learned to block the attacks covered in the first report by using auxiliary security measures.

By camouflaging old malware with new techniques, the attackers discovered they were able to bypass traditional security mechanisms to achieve access to hospital networks and sensitive data through medical devices.

“We always assume that attackers are using only the latest tools, but the research found in some cases attackers were using an old worm in a new wrapper so it was undetected but still effective against legacy systems and devices,” said James.

“An old worm in a new wrapper is undetectable by antivirus systems, but it does the job as it is laser-focused on these legacy systems.

“The old worm does not trigger any alerts on other systems on the compromised network that are running up to date versions of Windows. This is because the vulnerability they exploit has been patched by Microsoft to stop the worm from working.”
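To make concrete why an “old worm in a new wrapper” slips past signature-based antivirus while the underlying code still works, here is an added example; it is not TrapX’s code and contains no real malware. A constructed, inert byte string stands in for the old worm, a toy signature table stands in for the antivirus engine, and a trivial XOR encoding plays the role of the “new wrapper”. The signature names, the key and the payload are all invented for illustration.

```python
import hashlib

# Constructed stand-in for an old worm's bytes. Inert text, not real malware.
OLD_WORM_PAYLOAD = b"FAKE-LEGACY-WORM:scan(445) exploit(unpatched-xp) spread()"

# Constructed signature table: byte patterns an engine might match on.
PATTERN_SIGNATURES = {
    "legacy_worm_marker": b"FAKE-LEGACY-WORM",
    "scan_then_spread": b"scan(445) exploit(",
}

# Constructed hash-based signature: the file hash of the unwrapped worm.
HASH_SIGNATURES = {hashlib.sha256(OLD_WORM_PAYLOAD).hexdigest(): "legacy_worm_sha256"}


def pattern_hits(blob, signatures=PATTERN_SIGNATURES):
    """Names of every byte-pattern signature that appears in blob."""
    return [name for name, pattern in signatures.items() if pattern in blob]


def hash_hits(blob, signatures=HASH_SIGNATURES):
    """Names of hash signatures matching the whole blob (file-hash style)."""
    digest = hashlib.sha256(blob).hexdigest()
    return [signatures[digest]] if digest in signatures else []


def wrap(payload, key):
    """The 'new wrapper': XOR-encode the payload with a repeating key.
    Every byte changes (the key has no zero bytes), so static patterns vanish."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def unwrap(blob, key):
    """XOR is its own inverse, so the wrapper's loader does the same thing."""
    return wrap(blob, key)


def scan(blob, unwrap_key=None):
    """Scan the bytes as they sit on disk or on the wire, and, if the wrapper
    key is known (as it would be once the loader runs in memory), scan the
    decoded content too."""
    result = {
        "static_pattern_hits": pattern_hits(blob),
        "static_hash_hits": hash_hits(blob),
        "unwrapped_pattern_hits": [],
    }
    if unwrap_key is not None:
        result["unwrapped_pattern_hits"] = pattern_hits(unwrap(blob, unwrap_key))
    return result


if __name__ == "__main__":
    key = b"\x5a\xa5\x3c"  # constructed wrapper key
    wrapped = wrap(OLD_WORM_PAYLOAD, key)
    print("original:", scan(OLD_WORM_PAYLOAD))
    print("wrapped: ", scan(wrapped))
    print("wrapped, scanned after unwrapping:", scan(wrapped, key))
```

The bytes on disk no longer match either the pattern or the hash signature, yet what the loader reconstructs is byte-for-byte the old worm, so it still works against a system that was never patched. That asymmetry is why the report’s recommendation to detect activity inside the network, rather than relying on file-level inspection at the perimeter, matters for these devices.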

Healthcare is most attacked industry

Healthcare is the most frequently attacked industry, according to research from IBM. Healthcare beats out financial services, retail and other industries, making it difficult for healthcare organisations to keep pace with the number and sophistication of attacks they have to deal with.  

“Evidence confirms that sophisticated attackers are going after healthcare institutions, and they are highly motivated to gain access to valuable patient records that can net them high dollars on the black market,” said Greg Enriquez, CEO of TrapX Security.

The latest report, he said, shows that the findings of the first report were not an anomaly. Instead, they marked the beginning of a growing trend that has become prevalent as attackers use sophisticated techniques to steal sensitive patient data while remaining undetected.

Medical device hijack attacks

The second report, Medjack2, is based on research gathered from medical device hijack attacks documented by medical organisations that have deployed TrapX security systems.

The report details threat data and analysis in three hospital case studies that chronicle the sophisticated evolution of ongoing advanced persistent attacks detected between late 2015 and early 2016.

These attacks, which target medical devices deployed inside hospitals’ computer networks, involve a multitude of backdoors and botnet connections that give attackers the remote access from which to launch their campaign.

Targeted devices identified by TrapX included medical image archives, insulin pumps and MRI machines, which were all running older versions of Windows.

“The onslaught of medical device hijack attacks is accelerating. It’s becoming increasingly challenging for hospitals to detect and prevent them,” said Moshe Ben Simon, TrapX Security co-founder and vice-president.

“To mitigate these attacks, TrapX recommends that hospital staff review budgets and cyber defense initiatives at the organisational board level and consider bringing in technologies that can identify attacks in their networks, not just at the perimeter,” he said.

Healthcare organisations, he added, also need to implement strategies that review and remediate existing medical devices, better manage medical device end-of-life and carefully limit access to medical devices.
