TrapX found that the attacker had installed a backdoor within one of the hospital's X-ray systems. A wrong reading of an X-ray could result in missing the delivery of required therapy, or perhaps delivering the wrong therapy. TrapX researchers found that medical devices in all three hospitals were infected by two types of sophisticated attacks, Shellcode and Pass-the-Hash techniques, both of which were designed to exploit older operating systems without current security updates.
Hospitals generally install medical devices "behind the firewall" where they are believed to be secure and protected. The internal network protection generally includes a firewall, signature-based protection such as antivirus software, other endpoint and intrusion security and more.
The security gap that makes MEDJACK effective is that most of the information technology cyber defense in the "protected network" cannot run on the medical devices. Cyber defense can only run on the servers and workstations (personal computers) around them. Once the attacker gets into the network and bypasses existing security, they have a time window to infect a medical device and establish a backdoor within this protected (and safe) harbor.
"MEDJACK has brought the perfect storm to major healthcare institutions globally. The health information technology team is dependent on the manufacturers to build and maintain security within the device. The medical devices themselves just do not have the requisite software to detect most of the software payloads delivered by the MEDJACK attack. Finally, the standard cyber security environment set up in the hospital, regardless of how effective it might be, cannot access the internal software operations of medical devices," said Carl Wright, executive vice president and general manager at TrapX Security.
According to TrapX, attackers leveraged the shellcode technique to exploit numerous medical devices including a Radiation Oncology system, a Trilogy Linac Gating system, a Fluoroscopy Radiology system and an X-Ray machine. During the attack, the malware moved within the network, injecting malicious code into a malware trap by using a small module of code as a payload to exploit a software vulnerability. This complex attack then invoked a file transfer to load the file needed to set up additional command and control functions.
What made this attack unique was that the attacker's sophisticated tools were camouflaged inside an out-of-date MS08-067 worm wrapper that was used for the initial distribution vector, enabling the malware to move between networks. After observing a pattern, TrapX researchers concluded that the attackers intentionally packaged tools targeting older and more vulnerable Windows XP or Windows 7 operating systems devoid of adequate endpoint cyber defenses. By masking new tools in outdated worm code, the attackers were also able to dodge security alerts from the standard hospital workstations, which were installed with up-to-date endpoint cyber defenses.
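Because endpoint defenses cannot be installed on the devices themselves, the practical place to catch this pattern is the network around them: an MS08-067-era worm spreads over SMB, so a workstation suddenly opening SMB connections to several hosts in the medical-device segment, or a device opening a connection out to a host it should never talk to, is what a backdoor being planted looks like from the outside. The following script is an added example, not TrapX's tooling or anything from the report; it runs two such rules over constructed flow records. The device segment (10.50.0.0/24), the single allowed management peer (10.10.0.5, assumed to be the PACS server) and all addresses in the sample are hypothetical.

```python
"""Flag lateral movement into, and unexpected connections out of, a
medical-device network segment, using only network flow records.

Added illustration (not TrapX's code). The segment, the allow-listed
peer and the sample flows below are all assumed/constructed values.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical layout: devices live in their own VLAN and should only ever
# talk to one management/PACS host. Adjust for a real environment.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.10.0.5")}
# SMB is the transport an MS08-067-style worm uses to reach the next host.
SMB_PORTS = {139, 445}

# Constructed flow records: "timestamp src dst dst_port proto"
SAMPLE_FLOWS = """\
2016-06-01T09:12:03 10.10.0.5  10.50.0.21 445  tcp
2016-06-01T09:12:09 10.10.3.44 10.50.0.21 445  tcp
2016-06-01T09:12:10 10.10.3.44 10.50.0.22 445  tcp
2016-06-01T09:13:01 10.10.3.44 10.50.0.23 139  tcp
2016-06-01T09:14:00 10.10.3.44 10.50.0.23 80   tcp
2016-06-01T09:15:00 10.50.0.21 10.10.3.44 4444 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the simple whitespace-separated flow format; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        flows.append(Flow(ts, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), proto.lower()))
    return flows


def find_suspicious(flows: list[Flow], min_targets: int = 2) -> list[dict]:
    """Apply two rules:
    1. smb_sweep: a non-allow-listed host outside the segment reaching SMB on
       at least `min_targets` distinct devices (worm-style spread).
    2. device_outbound: a device initiating a connection to any host outside
       the segment that is not allow-listed (backdoor / C2 / file transfer).
    """
    smb_targets: dict[ipaddress.IPv4Address, set] = defaultdict(set)
    findings: list[dict] = []
    for f in flows:
        src_in = f.src in DEVICE_SEGMENT
        dst_in = f.dst in DEVICE_SEGMENT
        if dst_in and not src_in and f.dport in SMB_PORTS and f.src not in ALLOWED_PEERS:
            smb_targets[f.src].add(f.dst)
        if src_in and not dst_in and f.dst not in ALLOWED_PEERS:
            findings.append({"rule": "device_outbound", "ts": f.ts,
                             "src": str(f.src), "dst": str(f.dst), "dport": f.dport})
    for src, targets in smb_targets.items():
        if len(targets) >= min_targets:
            findings.append({"rule": "smb_sweep", "src": str(src),
                             "targets": sorted(str(t) for t in targets)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the sample data the allow-listed PACS host's SMB session is ignored, the workstation 10.10.3.44 is reported for sweeping three devices over SMB, and device 10.50.0.21 is reported for calling back to that same workstation on port 4444. The rules deliberately need nothing from the device itself, which is the whole point when the device cannot run an agent; in practice the flow source would be a switch span port, a NetFlow collector or the firewall separating the device VLAN.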