<div dir="ltr"><a href="http://bigstory.ap.org/article/86401c5c2f7e43b79d7decb04a0022b4/hackers-broke-hospitals-despite-software-flaw-warnings">http://bigstory.ap.org/article/86401c5c2f7e43b79d7decb04a0022b4/hackers-broke-hospitals-despite-software-flaw-warnings</a><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-family:arial,helvetica,sans-serif"><span style="font-size:8pt"></span></span><br>The hackers who seriously disrupted operations at a large hospital
chain recently and held some data hostage broke into a computer server
left vulnerable despite urgent public warnings in 2007 and in 2010 that
it needed to be fixed with a simple update, The Associated Press has
learned.
<p>The hackers exploited design flaws that had persisted on the MedStar
Health Inc. network, according to a person familiar with the
investigation who spoke on condition of anonymity because this person
was not authorized to discuss the findings publicly. The flaws were in a
JBoss application server supported by Red Hat Inc. and other
organizations, the person said.</p>
<p>The FBI, which is investigating, declined to discuss how the hackers broke in.</p><div id="dynamiccontent">
</div>
<p>The JBoss technology is popular because it allows programmers to
write custom-built software tools that can be quickly made available
across a company, but security researchers discovered it was routinely
misconfigured to allow unauthorized outside users to gain control. The
U.S. government, Red Hat and others issued urgent warnings about the
security problem and a related flaw in February 2007, March 2010 and
again earlier this week. The government warned in 2007 the problem could
disrupt operations and allow for unauthorized disclosures of
confidential information.</p>
<p>Fixing the problem involved installing an available update or manually deleting two lines of software code.</p>
<p>It was not immediately clear why the hospital chain, which operates
10 hospitals in Maryland and Washington including the MedStar Georgetown
University Hospital, was still vulnerable years after those warnings.
The new disclosure doesn't diminish the potential culpability of the
hackers responsible for the break-in, but it reveals important details
about how the crime unfolded. And it could affect MedStar's civil or
administrative exposure under U.S. laws and regulations that require
health providers to exercise reasonable diligence to protect their
systems.</p>
<p>MedStar's assistant vice president, Ann C. Nickles, said in a
statement Tuesday to the AP that the company "maintains constant
surveillance of its IT networks in concert with our outside IT partners
and cybersecurity experts. We continuously apply patches and other
defenses to protect the security and confidentiality of patient and
associate information." MedStar said Monday its systems "are almost
fully back online," just over a week after the March 28 hacking. The
company hired experts from Symantec Corp. to help investigate.</p>
<p>Nickles said Tuesday there was no evidence that patient or employee records were compromised.</p>
<p>MedStar said in a statement Friday evening to the AP that it would
not provide details about how the attack occurred, and it criticized
further media coverage of the case as perpetuating "the infamy of
malicious attacks for airtime and publicity" and encouraging copycat
hackers.</p>
<p>The MedStar hackers employed virus-like software known as Samas, or
"samsam," that scours the Internet searching for accessible and
vulnerable JBoss application servers, especially ones used by hospitals.
It's the real-world equivalent of rattling doorknobs in a neighborhood
to find unlocked homes. When it finds one, the software breaks in using
the old vulnerabilities, then can spread across the company's network
by stealing passwords. Along the way, it encrypts scores of digital
files and prevents access to them until victims pay the hackers a
ransom, usually between $10,000 and $15,000.</p>
<p>If a victim hasn't made safe backups of files, there may be little
choice except to pay, although MedStar has said it paid nothing. The
hospital chain shut down its systems quickly after discovering the
attack, limiting its impact to archives, some imaging and lab files and
other duplicate records, according to the person with inside knowledge
of the attack.</p>
<p>"This old issue is still somehow spread across Internet-facing
servers," said Stefano Di Paola and Giorgio Fedon of Minded Security, an
Italian security firm, in a joint statement to the AP. They discovered a
related vulnerability in the servers in 2010 that Red Hat designated
its highest priority to fix.</p>
<p>The FBI issued a flash message to companies days after the MedStar
hacking, describing the dangers of samsam and asking for help detecting
it and improving defenses against it. Days later, the Homeland Security
Department issued a separate warning about samsam and another common
ransomware strain, Locky, which tricks victims into opening email
attachments to infect computers.</p>
<p>Cisco Systems Inc., which has studied the attacks, estimated there
were about 2.1 million servers around the world vulnerable to samsam,
although some may be additionally protected by other layers of security.
It described the ransomware campaign as "proving to be a profitable
affair."</p>
<p>"If you haven't patched your server, you're vulnerable, and it can
compromise your server at 3 a.m. in the morning when no one's watching,"
said Craig Williams, a senior technical leader at Talos, Cisco's
security research organization. "This is simply a case of people not
following best practices and not applying patches for people to correct
their systems."</p>
<p>Identifying the hackers and arresting them can be difficult. Tracing
the scanning activity preceding an attack typically leads to other
hacked computers; logs that might yield identifying clues can be
manipulated or deleted and the samsam software is unusually
self-sufficient and doesn't require hackers to control it after an
infection. Ransoms are paid using hard-to-trace digital currency.</p><span style="font-family:arial,helvetica,sans-serif"><span style="font-size:8pt"></span></span></div></div></div></div></div></div></div></div></div>
</div>