The Zero-Day Attack Uses Old Malware To Avoid Detection
Security experts at TrapX Labs have detected a new version of medical device hijack (MEDJACK) which exhibits advanced technological properties. This instance of the zero-day attack is identified as MEDJACK.3. It targets x-ray machines and MRI scanners which allow it to steal patients’ data.
The first MEDJACK attack was launched in 2015. The operation was an organized scheme. Three disparate hospital attacks took place, targeting medical devices which store patient data. TrapX Labs examined this case and discovered that medical devices provide back doors for cyber criminals. The researchers concluded that medical devices are the hardest to secure and remediate after an attack.
The zero-day attack resurfaced in 2016 as MEDJACK.2. The second version was superior to the first. The attackers used back doors and deployed botnets to penetrate devices and networks. Since the devices worked with older versions of Windows, the cyber criminals used old malware to conduct the attacks. This resulted in contemporary security programs failing to detect the threat.
TrapX Labs discovered this version of the threat while conducting proof-of-value investigation on the medical infrastructure of ten UK hospitals. The researchers created fake medical devices on hospital networks, like MRI scanners and CT scanners, to conduct field tests. The fake devices were tested on both older operating systems (Windows XP and Server 2003) and newer builds (Windows 2008 and 2012). When the experts examined them, they discovered that the fake devices were very vulnerable.
“What was really interesting and different was this [attack] was a little more targeted,” Anthony James of TrapX noted. “The others were indiscriminate – they would take anything that would accept malware.”
The pattern of the attack revealed that the hackers were using an innovative technique. They were deploying an old malware spreader to redirect the attack toward older operating systems. The results from the MEDJACK.3 attack revealed that the cyber criminals were exploiting a weakness, stemming from the evolution of the security concepts.
The contemporary operating systems do not have certain patches because they are not considered necessary anymore. They would ignore the MEDJACK.3 attack because they would evaluate it as a lower-level threat.
MEDJACK.3 essentially haunts contemporary operating systems with ghosts of past malware. The attack includes an evasion mechanism which prevents modern anti-virus programs from detecting it. “It didn’t want to be detected by sandboxing systems and newer advanced protection threat systems,” James continued to elaborate. “The malware was set to remain dormant, if there was a sandbox on the system.”
Health care institutions use outdated software for most of their devices. This has made the branch an easy target for cyber criminals. Moreover, the attacks are profitable, as medical facilities store a lot of personal information about their patients. According to research, conducted by TrapX Labs, the cyber attacks in the sector have increased by 63% in 2016. Hackers were responsible for 31% of the HIPAA data breaches in 2016. This marks a 300% spike over the last three years.
The health care sector is suffering from a lack of research, funding, and awareness on cyber security matters. James points to segregating the networks as an important step toward enhancing the level of protection at this stage. “It’s one of the glaringly obvious things,” he stated.
James recommends that health care organizations update their software and install patches as often as possible. Making the habit of working with information technologies can be challenging, but it is a responsibility we are all burdened with in this day and age. Medical apparatuses work with the same operating systems as computers, tablets, phones, and other technological gadgets. This makes them vulnerable to the same attack patterns. Health care workers need to regard them as devices which are susceptible to malware attacks.