{"id":15223,"date":"2019-04-30T08:10:02","date_gmt":"2019-04-30T16:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/04\/30\/news-8972\/"},"modified":"2019-04-30T08:10:02","modified_gmt":"2019-04-30T16:10:02","slug":"news-8972","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/30\/news-8972\/","title":{"rendered":"Sophisticated threats plague ailing healthcare industry"},"content":{"rendered":"

Credit to Author: Jovi Umawing| Date: Tue, 30 Apr 2019 15:00:00 +0000<\/strong><\/p>\n

The healthcare industry is no longer circling the drain, but it’s still in critical condition.<\/p>\n

While many organizations in healthcare have aimed at or made positive strides toward a more robust cybersecurity and privacy posture, they still have a long way to go. <\/p>\n

In 2018, healthcare had the highest number of breaches recorded compared to other industries. This is according to BakerHostetler\u2019s 2019 Data Security Incident Response Report<\/a>, which is in its fifth annual iteration this year.<\/p>\n

Even today, black hat hackers are continuing to go after patient healthcare data, and as such breaches will only intensify<\/a>, according to Business Insider. The HIPAA Journal<\/a>, a website dedicated to covering HIPAA-related news, corroborates this intensity after seeing a steady reporting of at least one breach per day from January through March, 2019. <\/p>\n

What\u2019s causing these daily breaches? <\/p>\n

Hacking and IT incidents, which include malware attacks, have been consistently topping the list.<\/p>\n

Malware in healthcare sectors <\/h3>\n

Healthcare falls short on a lot of security measures: unpartitioned networks, reliance on legacy infrastructure<\/a>, non-compliance with HIPAA security rules and NIST CSF controls<\/a>, unmanaged IoT devices, vulnerable medical management apps<\/a>, the slow implementation of government-recommended IT and cybersecurity practices<\/a> over the last four years, and the lack of email authentication and low adoption of always-encrypted sessions<\/a>. For starters.<\/p>\n

More importantly, healthcare systems are massively susceptible to malware infection and hijacking, since there are little-to-no protections in place. And when the threats being lobbed at healthcare are more advanced, all that lagging on security takes its toll.<\/p>\n

So which types of malware are targeting healthcare organizations? We have collated and analyzed data from our own product telemetry to determine the top malware aiming to infect systems and networks, exfiltrate patient data, and disrupt operations. Here are our results.<\/p>\n

Trojans and riskware are common on healthcare systems<\/h3>\n
\n
\"\"
Malicious and risky files plague healthcare systems worldwide
<\/figcaption><\/figure>\n<\/div>\n

Among the five types of malware we found affecting healthcare systems, more than three-quarters (79 percent) are Trojans<\/a>. This is followed by riskware (11 percent)\u2014those pieces of software that are not inherently malicious, but could still pose a risk to systems on which they\u2019re installed. Others are ransomware, spyware, and worms\u2014all with an equal share of 3 percent. <\/p>\n

We take a deep dive into each.<\/p>\n

Trojans<\/h3>\n

Based on our data, a sizable chunk of information-stealing Trojans and downloaders, as well as files posing as legitimate Microsoft (MS) files are present on healthcare systems. We detect them as Trojan.Emotet<\/a> (35 percent) and Trojan.FakeMS<\/a> (33 percent), respectively.<\/p>\n

\n
\"\"
The top 6 Trojans detected in healthcare, with Trojan.Emotet leading.
<\/figcaption><\/figure>\n<\/div>\n

Emotet<\/a> is an information stealer that can target user credentials stored in browsers and listen to network traffic. Known new versions of Emotet act as downloaders, dropping other banking Trojans, such as TrickBot<\/a> and Qakbot<\/a>, ransomware, such as Ryuk<\/a>, and, at times, cryptominers and cryptowallet stealers. <\/p>\n

Emotet has had success in penetrating organizations and spreading because of its simple, yet tried-and-true delivery method\u2014phishing emails<\/a>\u2014as well as its use of an NSA exploit called EternalBlue<\/a>, which pushes the infection laterally through networks. In addition, Emotet contains its own malspam module, which churns out additional phishing to continue the cycle. <\/p>\n

To add insult to injury, once on networks, Emotet is notoriously difficult to remediate. <\/p>\n

Information stealers, in general, are particularly dangerous to have in healthcare systems, as they put electronic health records (EHRs) at risk. Staff credentials can also be swiped and re-used by threat actors to gain access to more information and resources they can use, misuse, or sell to the highest bidders in the dark market.<\/p>\n

Emotet has widely affected the health insurance, hospital, pharmaceutical, biotechnology, and medical device sectors. In fact, this threat has been consistently gaining ground on all organizations over the last year, increasing in both persistence and volume to the tune of almost 650 percent from the same time last year.<\/p>\n

Trojan.FakeMS, on the other hand, is the detection we use for malware posing as legitimate Microsoft files. Healthcare personnel may or may not have been aware of such files ending up on their work systems. Either way, their presence on machines that staff rely on to processes sensitive records or pull up correct patient data at critical times isn’t ideal. <\/p>\n

Meanwhile, cryptominer infections, which we sometimes detect as Trojans, often present machine slowdown as a common symptom, and 17 percent of healthcare systems have been showing this sign.<\/p>\n

Cryptomining schemers, who may or may not be part of healthcare staff, can manually download miners, which we generically detect as Trojan.BitCoinMiner<\/a>, from the Internet and discreetly install them onto machines that are used for record keeping. This resource abuse was the case for the Decatur County General Hospital<\/a> in Tennessee when their electronic medical records (EMR) server has been hijacked in September 2017<\/a> to house a miner.<\/p>\n

Riskware<\/h3>\n

As mentioned earlier, riskware is non-malicious; however, we flag it for a number of reasons<\/a>, one of which is its ability to block other programs from receiving patches. This leaves the user\u2019s machine open for exploitation by a number of threats, including EternalBlue mentioned above. <\/p>\n

RiskWare.MicTray<\/a> makes up 98 percent of our riskware detections in several healthcare sectors, primarily in health insurance and pharmaceuticals. MicTray is the name of our detection for the keylogger component present in the Conexant audio driver set.<\/p>\n

The remaining 2 percent of detections are for Riskware.Tool.HCK<\/a>, the name we use for tools or applications that may be illegal to use in certain countries. Cracked versions of paid software are examples of this.<\/p>\n

Ransomware<\/h3>\n

Ransom.WannaCrypt<\/a>, otherwise known as WannaCry, is the ransomware responsible for crippling the UK\u2019s National Health Services (NHS) in 2017, costing them a total of \u00a392 million<\/a> (approximately $120 million) from cancelled appointments due to unusable systems to remediation and IT system upgrades. It\u2019s also the malware that forced the healthcare industry to take cybersecurity and privacy seriously.<\/p>\n

More than a year later, WannaCry is still at large and continues to affect organizations across industries and countries, disrupting normal operations and putting patient lives and data at risk.<\/p>\n

\n
\"\"
The Ransom.WannaCrypt ransom note <\/figcaption><\/figure>\n<\/div>\n

Our data shows that WannaCry is currently in the top five malware families affecting healthcare. This could also mean that a vast number of systems are still open to the EternalBlue vulnerability, waiting to be exploited.<\/p>\n

Spyware<\/h3>\n

When it comes to spyware in healthcare, Spyware.TrickBot and Spyware.Emotet have dominated the detection count at 45 percent each. Spyware.Agent<\/a> accounted for 10 percent of our total spyware detections in healthcare.<\/p>\n

\n
\"\"
The top 3 spyware detected in healthcare, with Spyware.TrickBot leading. <\/figcaption><\/figure>\n<\/div>\n

As secondary infections to Trojan.TrickBot and Trojan.Emotet, it\u2019s no surprise to see TrickBot and Emotet spyware on healthcare systems. Normal users hardly notice how these information stealer modules work in the background; however, network admins may be able to spot odd connections to blacklisted domains as an attempt to reach command-and-control (C&C) servers to upload stolen data.<\/p>\n

Worms<\/h3>\n

Worm.Parite<\/a>, a detection name we use for a polymorphic<\/a> file infector targeting executable programs (files ending in .exe) and screensavers (files ending in .scr<\/a>) on local and shared networked drives, is the only one of its kind affecting systems within the biotech\/medical sector.<\/p>\n

One thing to note about Parite is that systems it infects may not show any obvious signs of infection\u2014at least at first. Once a user executes an infected file, the virus code attached to it runs, and then passes back the control to the .exe or .scr file so it executes as normal.<\/p>\n

If users don\u2019t address a worm or virus infection, the system is at risk of further infection and exploitation from other malware.<\/p>\n

Oh, and one more thing: fileless malware<\/h3>\n

Fileless malware is one of those new schemes that black hat hackers adopted several years ago<\/a>, and they continue to do so at an ever-increasing pace.<\/p>\n

A fileless infection means that traces of actual malware present on the affected system are so minute that it evades regular antivirus detection and makes the work of grabbing samples a challenge to security analysts.<\/p>\n

Our telemetry data has revealed that, although nominal, fileless malware are present in healthcare organization systems, among them the health insurance and pharmaceutical sectors.<\/p>\n

We are able to detect fileless infections flagged as Rootkit.Fileless.MTGen<\/a>. They\u2019re our broad detection for fileless malware that use rootkits to hide their presence on affected systems.<\/p>\n

Some examples of fileless malware that we\u2019ve seen through the years include the following, which we have rounded up in a list below:<\/p>\n