<div dir="ltr"><a href="http://www.darkreading.com/vulnerabilities---threats/attackers-wrapping-new-tools-in-old-malware-to-target-medical-devices/d/d-id/1326075">http://www.darkreading.com/vulnerabilities---threats/attackers-wrapping-new-tools-in-old-malware-to-target-medical-devices/d/d-id/1326075</a><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br><p class="" style="margin-top:0px">Medical devices running outdated
operating systems like Windows XP and Windows 7 are giving attackers
safe harbors within hospital networks for carrying out data theft in a
nearly undetectable manner, a new report from TrapX Security warned this
week.</p>
<p>The <a href="http://trapx.com/trapx-labs-discovers-new-medical-hijack-attacks-targeting-hospital-devices-2/" target="_blank">report</a>
is based on the security vendor’s analysis of data associated with an
ongoing series of attacks against three healthcare institutions that are
its customers. All of the attacks involve equipment running older,
non-supported versions of Windows installed within the hospital
networks.</p>
<p>The most significant takeaway from the analysis, according to TrapX,
is the manner in which the attackers in each case intentionally
repackaged and embedded sophisticated new malware tools in extremely old
malware wrappers in an apparent bid to avoid detection.</p>
<p>One of the malware samples used in the attack, for instance, was
designed to take advantage of a remote code execution vulnerability in
Microsoft Server Service dating back to 2008. The attackers used the
worm to compromise a radiation oncology system running Windows XP and a
fluoroscopy workstation also running Windows XP in one of the hospitals.
That access then allowed the attackers to install backdoors and botnet
connections within the hospital network in order to exfiltrate data,
though they could have easily caused significant damage to the equipment
as well.</p>
<p>Since endpoints running newer Windows versions are not vulnerable to
the threat, they did not either detect the malware or ignored it
completely. “This ensured that the worm would go undetected while it
sought out older Windows systems,” TrapX said in its report.</p>
<p>In another hospital, the attackers compromised a Windows XP-based MRI
system and installed a Remote Access Trojan on the device using malware
tools packaged inside an out-of-date wrapper for network32.kido.ib. The
malware sample is ignored by patched Windows 7 and Windows 8 platforms
and newer operating system and therefor managed to evade detection, the
security vendor said.</p>
<p>According to TrapX, its analysis showed clear evidence that attackers
are intentionally packaging their tools in a manner so to target
medical equipment running Windows XP, Windows 7 and other older
operating systems.</p>
<p>“The most interesting approach we discovered was the utilization of
self-spreading malware that use old exploits that would compromise
medical devices only,” says Moshe Ben-Simon, co-founder and vice
president of services at TrapX.</p>
<p>Medical devices provide a tempting target for attackers because many
of them run old, no-longer supported operating systems. So long as the
equipment works as intended, hospitals are often reluctant to update the
operating systems on these devices, Ben-Simon says</p>
<p>“Also, they are closed turnkey systems and hospitals are generally
not allowed to install cyber defense software on them because of legal
and risk issues.” Unlike typical desktop systems, medical devices do not
get updated often and some equipment can remain in place for years
after their operating systems have become obsolete. As a result, the
corrections and fixes that are available on newer operating systems are
not present in these medical devices making them vulnerable to attacks,
Ben-Simon says.</p>
<p>Even when an organization makes the effort to keep their systems
patched, all it takes for an attacker to break into them is to repackage
the malware slightly using easily available tools.</p>
<p>“Once a backdoor is established in one machine, they can move into
other machines under the control of the human attacker,” Ben-Simon says.
“These medical devices create a huge series of safe harbors within the
hospital network, not easily detected, and very difficult to remediate
and remove.”</p><br></div></div></div></div></div></div></div></div></div>
</div>