FortiGuard Labs – Global Healthcare Threat Telemetry for Q4 2016

This Global Healthcare Threat Telemetry report examines the threat landscape of the global healthcare industry in Q4 2016. It is based on threat telemetry obtained by FortiGuard Labs’ research group from sensors located at 454 healthcare companies located in 50 countries around the globe.

FortiGuard Labs, and its more than 200 researchers and analysts located around the world, logs over 400,000 hours of threat research every year by monitoring and analyzing threat telemetry gathered from over two million sensors. The resulting threat intelligence allows us to maintain accurate visibility into current and detect emerging threats, which we use improve our detection and prevention technologies, provide near-real time, actionable threat intelligence to over 300,000 customers worldwide. On average, we block 180,000 malicious websites, 220,000 Botnet attempts, and 733,000 network intrusion attempts per minute. We have also set the industry record of 339 zero day threats discovered to date.

In addition, this threat telemetry data allows us to work with international law enforcement to track and apprehend cybercriminals, develop valuable research into threat characteristics and threat actors, and produce reports on the state of cyberthreats across a wide number of industries and regions.

In the following report we look at the top 5 malware, ransomware, mobile malware, IPS events, botnets, and exploit kits detected by FortiGuard Labs during the last quarter of 2016 targeting the global healthcare industry.

Top 5 Malware

The majority of the top 5 malware detected are all known for being the initial attack vectors for ransomware attacks, with the top attack coming from a VB script-based dropper (VBS/Agent.LKY!tr) which is known for downloading ransomware during the secondary phase of an attack. Coming in 2nd place is “Riskware/Asparnet,” which is a type of software that is usually installed unintentionally, and which has the nefarious objective of collecting sensitive information without the user’s consent.

The remaining malware in the list are also known to be ransomware droppers (VBS/Agent.97E!tr, JS/Nemucod.BQM!tr, and JS/Nemucod.76CD!tr.dldr). JS/Nemucod (and its variants) is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs (which are primarily ransomware.) For example, an email arrives via a typical Nemucod spam with and encrypted JavaScript attachment. Upon decrypting the JavaScript, we can see that it attempts to download a file on the user’s temporary directory from compromised websites. The downloaded file is an executable file that is later used to encrypt the user's files. More information about JS/Nemucod can be found here: 

https://blog.fortinet.com/2016/03/16/nemucod-adds-ransomware-routine

Top 5 Ransomware

The top ransomware observed through our threat telemetry system is CryptoWall, coming in at more than 90% of all ransomware infections detected. As with most types of ransomware, CryptoWall holds the victim’s data hostage by encrypting files and then charging a ransom to decrypt the files. The malware displays a message informing the victim that their files have been encrypted and that they have a limited time to pay the ransom before the cost of recovery goes up. To maximize their anonymity, the malware authors use the Tor network and require the ransom to be paid in Bitcoins, a trend that we are seeing more frequently. For more details about CryptoWall, you can read Fortinet’s joint-research with the Cyber Threat Alliance at:

https://blog.fortinet.com/2015/10/28/threat-intelligence-sharing-at-work-cyber-threat-alliance-tracks-cryptowall-version-3

CryptoWall v3 Report – http://cyberthreatalliance.org/cryptowall-report-v3.pdf

CryptoWall v4 Report – http://cyberthreatalliance.org/cryptowall-report.pdf

Coming in at 2^nd place is Cerber, at around 5% of infections detected. Cerber pretty much has the same ransomware characteristics as CryptoWall. More detailed information about Cerber can be found in our FortiGuard blog’s research section at: 

https://blog.fortinet.com/search?q=cerber

TorrentLocker, TeslaCrypt, and Locky are the other ransomware detections that we observed, and that are also popularly seen in other industries. More information about these ransomwares can be found in our blog posts as well:

https://blog.fortinet.com/2016/07/25/insights-on-torrentlocker

https://blog.fortinet.com/search?q=teslacrypt

https://blog.fortinet.com/search?q=locky

Top 5 Mobile Malware

Android malware takes up all of the top 5 mobile malware spots. This could be due to the fact that Android devices allow users to easily install apps from 3^rd party sources, which could sometimes be loaded with Android-based malware.

FortiGuard Labs has an extensive database of mobile malware threats, and our researchers have shared some of their thoughts in this area at:

https://blog.fortinet.com/search?q=android

https://blog.fortinet.com/search?q=ios

Top 5 IPS Events

VxWorks.WDB.Agent.Debug.Service.Code.Execution takes the top spot in IPS events detected, at close to 2 million hits. VxWorks is an operating system for embedded devices (or the Internet of Things, as it is popularly known today), which includes medical devices such as CT/PET/X-ray instrumentation, infusion pumps, personal activity monitors, and many others. This vulnerability was discovered back in 2010, but the fact that we’re still seeing attacks targeting this vulnerability in 2016 (when patches are already available,) goes to show that threat actors may be trying to take advantage of exploiting vulnerable embedded devices that:

• have a longer patch cycle, or
• are rarely patched, or even
• not patched at all!

In the top 5 IPS events shown above, we also see attacks probing for misconfigured Unix-based web servers that may expose operating system usernames from /etc/passwd, SQL injection attempts on web applications, exploits targeting vulnerable Netcore/Netis routers [https://blog.fortinet.com/2016/10/12/home-routers-new-favorite-of-cybercriminals-in-2016], and multiple Bash vulnerabilities (aka ShellShock).

Top 5 Botnet Events

The top botnet detected is Andromeda [https://blog.fortinet.com/search?q=Andromeda], which is a modular bot that consists of a loader that downloads modules and updates from its C2 server. The loader has both anti-VM and anti-debug features, hence the reason why it may be a popular botnet. This is followed by H-Worm, Necurs, Conficker, and Pushdo.

H-Worm is a VBscript-based botnet that allows threat actors to steal sensitive information and send it to its C2 servers, and Necurs is known to distribute malware with relation to the Locky ransomware. Conficker, one of the largest botnets ever known, has been around since 2008. It exploits vulnerable Windows systems and spreads as a worm by scanning and infecting other vulnerable systems. Infected systems are ultimately used to form a botnet. The fact that we are still seeing Conficker in 2016 indicates that there are still vulnerable Windows systems across the internet that are still infected with this malware. Pushdo is also a botnet that has been around for several years, and is known for being involved with large spam campaigns.

Top 5 Exploit Kits

RIG is the top exploit kit detected, at 46%, and like most exploit kits in 2016, is geared towards ransomware distribution after a successful exploitation. An analysis of a RIG exploit kit sample can be read here: https://blog.fortinet.com/2015/09/30/a-quick-look-at-a-recent-rig-exploit-kit-sample

Coming in 2^nd place at 23% is CK, followed by Angler (16%), Neutrino (12%) and other less popular exploit kits at 3%. Most of these exploit kits are used for ransomware distribution as well. Some write-ups about these exploit kits can be read here:

https://blog.fortinet.com/search?q=angler

http://blog.fortinet.com/search?q=neutrino

Summary

From the threat telemetry results above, we can see that the healthcare industry faces more or less the same threats as the larger IT industry. From a malware perspective, the majority of infections are ransomware-based due to the higher probability of collecting ransom when sensitive healthcare data is encrypted. We also saw that CryptoWall was the most prevalent ransomware in the healthcare industry for Q4 2016, and that Android-based malware took the top 5 mobile malware spots. Interestingly, we also saw that attacks on a 6-year old VxWorks vulnerability was the top IPS event detected, which may indicate that threat actors are trying their luck on probing for and exploiting unpatched medical devices running VxWorks embedded systems. Andromeda was the top botnet detected. It has been resilient enough to still be in the wild since 2011. Finally, the top 5 exploit kits detected are known to distribute ransomware.

All of the threats above can be mitigated when a multi-layered security approach is properly planned and executed. Fortinet provides a comprehensive multi-layered security approach through the Fortinet Security Fabric [ https://www.fortinet.com/corporate/about-us/why-fortinet.html ] where security solutions for network, endpoint, application, data center, cloud, and access are designed to work together as an integrated and collaborative security fabric. This translates to a powerful, integrated end-to-end security solution across the entire attack surface, with threat mitigation delivered along any point along the kill chain.

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.