An x-ray machine, an oncology system, an MRI machine… These are all vitally important healthcare devices that researchers recently found harboring malware capable of installing backdoors on other connected systems for the purpose of exfiltrating data.
Researchers at the cybersecurity firm TrapX Security refer to the act of infiltrating or hijacking medical devices as MEDJACK. In a 2015 report, the company cited examples of such attacks in which the malware infection was limited to the device itself. No more, however: In its 2016 MEDJACK.2 report, TrapX revealed examples of bad actors using hijacked medical devices as a means to gain a foothold into other connected systems by circumventing firewalls and endpoint solutions that are supposed to protect key databases. In other words, “The malware, on its own accord, has found ways to go beyond the boundaries of where it first lands,” said Anthony James, CMO at TrapX, in an interview with SCMagazine.com.
The concept of the attack is fiendishly clever: The security solutions that generally guard healthcare IT systems tend to overlook outdated malware because they don't work on newer operating systems. However, most medical devices still run on legacy operating systems, leaving them susceptible to these older malicious programs. Consequently, attackers are now infecting medical devices with the seemingly obsolete malware and then leveraging these compromises as an entry point to move laterally through connected IT systems via backdoors and shellcode execution. Once it penetrates deep into a facility's systems, the malware finally shows its true colors, attacking with advanced capabilities that were either cleverly concealed using packing techniques or secretly downloaded from a command-and-control server.
TrapX conducted its investigation by installing its deception technology in several test hospitals. The technology emulates medical devices in order to lure malware into a trap that fools the malware into revealing itself to researchers. During the probe, TrapX pulled up an old variant of the MS08-067 worm, which would normally not even be a threat, since Windows 7 and later versions long ago eliminated the vulnerabilities that this worm typically exploits.
TrapX disclosed three separate instances of this new breed of MEDJACK attack, all involving sophisticated malicious coding that was wrapped inside old malware. In all three examples, the hospital had no prior knowledge of a threat lurking within its systems.
In the first case, the malware infiltrated a respirator gating PC – part of a Windows XP-based radiation oncology system that provides video of the torso and abdomen. Subsequently, researchers found a fluoroscopy workstation that was also infected by the same malware.
In another hospital, the perpetrators infected x-ray equipment running on Windows NT 4.0. And in the third instance, the hackers compromised an MRI system in an attempt to gain access to the infected hospital's picture archive and communication system (PACS). PACS systems provide storage of and access to images from multiple hospital machines. “If an attacker can get a foothold within the PACS, they have network paths to every other possible system in the hospital as well as many of the external but network connected entities,” explains the MEDJACK.2 report.
From an attacker's point of view, the PACS “is the vault with the money, because once you reside on a PACS server, you can take out hundreds of gigs of medical data,” said Moshe Ben-Simon, co-founder and VP of services and TrapX Labs.
The threat extends beyond a mere data breach, however. MEDJACK.2 can also be a precursor to a ransomware attack or even a case of sabotage in which bad actors intentionally tamper with life-saving instruments.
In the case of the infected MRI machine, the hospital's IT staff couldn't even fully remediate the attack for weeks, and instead had to use a workaround because the equipment was needed for urgent care situations. Ultimately, rather than scrub the equipment of the malware, the hospital replaced the MRI machine with a new one. Ben-Simon referred to this common scenario as replacing “a problem with a problem,” since the new equipment is often just as vulnerable as its predecessor.
Despite this prevalent threat, manufacturers of connected medical devices generally have little inclination to spend money to update their products with the latest operating systems or security technologies, said Ben-Simon. “The vendors we speak to, they'll say: ‘I will give you a good medical device with a new operating system.' And guess what? They replace Windows NT with Windows 7,” often with little additional support or technical service, he said. Meanwhile, Microsoft is already up to Windows 10. “This is their logic, this is how they think.”