MEDJACK 2: Old malware used in new medical device hijacking attacks to breach hospitals

Report reveals how attackers are using old malware in new medical device hijacking attacks to create backdoors into hospital networks

Attackers are packaging the newest and most sophisticated attack tools in long out-of-date malware wrappers, targeting medical devices running legacy operating systems, to breach hospital networks for advanced persistent attacks.

Last year, TrapX Security revealed how attackers were infecting medical devices with malware, then moving laterally through hospital networks to steal confidential data. They called it MEDJACK for medical device hijack. Attackers have evolved, so today the firm released a MEDJACK 2 report, “Anatomy of an Attack—Medical Device Hijack 2."

TrapX Security co-founder Moshe Ben Simon explained:

MEDJACK.2 adds a new layer of camouflage to the attacker’s strategy. New and highly capable attacker tools are cleverly hidden within very old and obsolete malware. It is a most clever wolf in very old sheep’s clothing. They have planned this attack and know that within healthcare institutions they can launch these attacks, without impunity or detection, and easily establish backdoors within the hospital or physician network in which they can remain undetected, and exfiltrate data for long periods of time.

The report is based on first-hand research into ongoing advanced persistent attacks detected between late 2015 and early 2016. It includes analysis and case studies from three hospitals hit with MEDJACK 2. “These attacks, which target medical devices deployed within hospitals' computer networks, contain a multitude of backdoors and botnet connections, giving remote access for attackers to launch their campaign.”

“Attackers have determined that medical devices on the network are a vulnerable point of entry and the best target,” the report states. Attackers find and exploit medical devices “to establish secure and clandestine backdoors from which to exfiltrate patient data, damage operations and then perhaps exit with a coup de grace such as a ransomware attack.”

TrapX Security CEO Greg Enriquez said, “Evidence confirms that sophisticated attackers are going after healthcare institutions, and they are highly motivated to gain access to valuable patient records that can net them high dollars on the black market.”

A prime example of how stolen patient data can provide a huge payday comes from the news that a hacker dubbed “thedarkoverlord” is reportedly trying to sell 655,000 patient records stolen from three separate healthcare organizations on the dark web marketplace TheRealDeal. In this case, however, the hacker claimed to have gained access through RDP (Remote Desktop Protocol) rather than through medical devices, and provided screenshots as proof. He stands to make nearly a million dollars. Who says crime doesn’t pay?

Enriquez added, “MEDJACK 2 shows that MEDJACK 1 was not an anomaly but rather highlighted the beginnings of a growing trend, a trend that's become prevalent as attackers leverage sophisticated attack techniques to steal sensitive patient data while remaining undetected.”

MEDJACK.2 is the leading edge of organized crime weaponry designed to penetrate and compromise hospital networks virtually undetected.

List of devices vulnerable to MEDJACK 2

The researchers believe attackers are targeting medical devices that have outdated and highly vulnerable operating systems such as Windows XP and Windows 7. The devices vulnerable to MEDJACK and MEDJACK2 include “diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers, surgical machines), life support equipment (heart/lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and more.”

It can be very difficult to detect a backdoor established by an attacker on a medical device, or the attacker’s subsequent lateral movement within the internal network. The researchers said it requires “full cooperation of the device manufacturers.” Good luck with that.

They added, “Even worse, without new best practices in place, a remediated medical device may be re-infected within a few hours by the same worm propagating from another medical device within the hospital.”
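The two points above, that a compromised device becomes a backdoor for lateral movement and that a remediated device can be re-infected by a worm spreading from a neighbouring device, are both visible at the network boundary of the device segment. The following is an added example, not code from TrapX or from the report: a small allow-list check, run over constructed flow records, that flags any connection a medical device initiates outside its expected destinations and separately flags device-to-device traffic on ports commonly used by worms and for lateral movement. The device subnet, the allow-list entries, the internal address ranges and the flow lines are all assumptions made up for the example.

```python
"""Added example (not from the TrapX report or the article): an allow-list
check for flows that originate from medical devices.

A medical device normally talks to a handful of known hosts (a PACS server,
a vendor update proxy).  Anything else it initiates is worth a look, and a
device talking to another device on SMB/RPC/RDP ports is the pattern a worm
re-infecting a freshly remediated device would show.  Every address, port
and log line here is constructed for the example.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed inventory (assumption): the medical-device VLAN, the hospital's
# internal ranges, and which device may talk to which server on which port.
DEVICE_NET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED = {
    ("10.20.30.11", "10.20.40.5", 104),   # CT scanner -> PACS (DICOM)
    ("10.20.30.12", "10.20.40.5", 104),   # MRI -> PACS (DICOM)
    ("10.20.30.11", "10.20.40.9", 443),   # CT scanner -> vendor update proxy
}
# Ports a worm or a hands-on attacker typically uses against legacy Windows.
LATERAL_PORTS = {135, 139, 445, 3389}


def parse_flow(line):
    """Parse one constructed flow record: 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def is_device(ip):
    return ipaddress.ip_address(ip) in DEVICE_NET


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return None for an expected flow, otherwise a short finding label."""
    if not is_device(flow.src):
        return None                      # only device-initiated flows matter here
    if (flow.src, flow.dst, flow.dport) in ALLOWED:
        return None
    if is_device(flow.dst) and flow.dport in LATERAL_PORTS:
        return "device-to-device on lateral port (possible worm propagation)"
    if not is_internal(flow.dst):
        return "device to external host (possible backdoor/exfiltration)"
    if flow.dport in LATERAL_PORTS:
        return "device to internal host on lateral-movement port"
    return "device to unexpected internal destination"


def scan(lines):
    """Run classify over flow lines; return a list of (flow, label) findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((flow, label))
    return findings


# Constructed sample: one expected DICOM flow, then a scanner probing the MRI
# on SMB, the MRI calling out to an external host, the MRI reaching a
# workstation on RDP, and a workstation flow that is not device-initiated.
SAMPLE_FLOWS = """
# ts                   src          dst          dport proto
2016-01-12T03:14:00Z  10.20.30.11  10.20.40.5   104   tcp
2016-01-12T03:14:05Z  10.20.30.11  10.20.30.12  445   tcp
2016-01-12T03:15:10Z  10.20.30.12  203.0.113.7  443   tcp
2016-01-12T03:16:00Z  10.20.30.12  10.20.50.22  3389  tcp
2016-01-12T03:17:00Z  10.20.50.22  10.20.40.5   104   tcp
"""

if __name__ == "__main__":
    for flow, label in scan(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  {label}")
```

The allow-list is deliberately per device rather than per subnet: a whole-subnet rule would let the scanner-to-MRI SMB flow through, which is exactly the re-infection path the report describes. In a real deployment the inventory would come from the biomedical engineering asset list and the flows from a span port or NetFlow collector in front of the device VLAN.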

The report concluded:

In summary, because of the widespread deployment of MEDJACK and the sophisticated evolution to MEDJACK.2, infection by malware remains widespread across the major healthcare institutions globally. This includes hospitals, physician practices, physician independent practice associations, accountable care organizations, healthcare insurance organizations, skilled nursing facilities, surgical centers, and other related organizations. Most institutions cannot detect these attacks, may be unaware of ongoing data breach or have inadequate strategy and funding in place to identify and remove these attackers.
