[BreachExchange] Medical Devices Reportedly Infected in Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Fri May 19 03:41:13 EDT 2017


The recent WannaCry ransomware attack
that infiltrated more than 150 countries and forced some European
healthcare organizations to suspend certain services reportedly infected
certain medical devices as well.

HITRUST explained in an email update that its investigations found that
MedRad (Bayer), Siemens, and other unnamed medical devices were infected.

Furthermore, Indicators of Compromise (IOCs) “were identified within the
HITRUST Enhanced IOC program well in advance of last Friday’s attacks,” the
organization stated.

“HITRUST is reaching out to healthcare organizations and trade associations
to provide information to detect, prevent and remediate the threat and
associated malware,” HITRUST said. “HITRUST identified the IOCs in advance
of last Friday and published them to the HITRUST CTX and has been
publishing guidance continuously since Friday, May 12th.”

The WannaCry ransomware attack targeted Microsoft’s Windows operating
system, and also utilized the EternalBlue exploit that was allegedly
developed by the National Security Agency (NSA).

EternalBlue exploits Microsoft’s Server Message Block protocol. Healthcare
organizations typically still use Windows XP and Windows Server 2003, which
are no longer supported and updated by Microsoft.

Microsoft released a security update, MS17-010, on March 14, 2017. However,
organizations that had not yet installed the update left the malware with
easier access to their systems.

A Microsoft security update was also released for Windows XP, Windows 8,
and Windows Server 2003. Those operating systems had not received security
patches in some time.

“Remote code execution vulnerabilities exist in the way that the Microsoft
Server Message Block 1.0 (SMBv1) server handles certain requests,”
Microsoft explained in terms of Windows SMB remote code execution
vulnerabilities. “An attacker who successfully exploited the
vulnerabilities could gain the ability to execute code on the target

“To exploit the vulnerability, in most situations, an unauthenticated
attacker could send a specially crafted packet to a targeted SMBv1 server,”
Microsoft continued. “The security update addresses the vulnerabilities by
correcting how SMBv1 handles these specially crafted requests.”
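As an added defender-side example, not part of the article or of any vendor guidance, the following PowerShell audit reports whether a Windows host still has the SMBv1 server enabled and whether one of the MS17-010 packages is installed. The KB list is an assumption taken from the MS17-010 bulletin for the listed Windows versions and should be confirmed against Microsoft's bulletin for the exact OS build being audited.

```powershell
# Added example: audit a host for the two conditions described above,
# SMBv1 still enabled and MS17-010 not installed. Run in an elevated session.
# ASSUMPTION: the KB numbers below are the MS17-010 packages for the listed
# Windows versions; verify them against the bulletin for the OS being audited.
$Ms17010Kbs = @(
    'KB4012598',              # Windows XP, Vista, Server 2003, Windows 8 (out-of-band release)
    'KB4012212', 'KB4012215', # Windows 7 SP1 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010State {
    [CmdletBinding()]
    param([string[]]$KnownKbs = $Ms17010Kbs)

    # Installed hotfixes; Get-HotFix reads the same data as "wmic qfe".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patch = @($installed | Where-Object { $KnownKbs -contains $_ })

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    # and later; on older hosts fall back to the registry value the SMB server reads.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)   # an absent value means SMBv1 is on
    }

    # A host whose latest cumulative update is newer than March 2017 is patched even
    # when none of the listed KBs appears, so treat "NOT FOUND" as "verify", not "vulnerable".
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [System.Environment]::OSVersion.VersionString
        SMB1Enabled  = [bool]$smb1
        MS17010Patch = if ($patch.Count -gt 0) { $patch -join ',' } else { 'NOT FOUND' }
        Exposed      = ([bool]$smb1) -and ($patch.Count -eq 0)
    }
}

Test-Ms17010State | Format-List

# Remediation where SMBv1 is not needed (Windows 8 / Server 2012 and later):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

On hosts that still need SMBv1 for legacy medical devices, the audit output at least identifies which systems must be patched or isolated rather than silently left exposed.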

It has been previously discussed how outdated medical device security
could negatively impact healthcare organizations. Procrastinating system
updates, postponing medical device updates, or even opting to
“Frankenstein” medical devices can lead to data security issues.

ICIT research found that attackers may set up beachheads for future
attacks. This can help create a type of remote access Trojan on a
vulnerable device that has perhaps been “Frankensteined” into the IoT
microcosm. The entire network could be vulnerable because there is no
endpoint security for that device.

The Electronic Healthcare Network Accreditation Commission (EHNAC) also
released a statement explaining that it is carefully monitoring the
ransomware situation in North American healthcare organizations.

“This weekend’s WannaCry ransomware attack is a disturbing reminder of how
susceptible the global healthcare arena is to cyber attacks,” EHNAC
Executive Director Lee Barrett said. “Regardless of the outcomes of this
attack, EHNAC’s executives and system administrators continue to review and
enhance security and privacy controls within accreditation criteria to
mitigate the threat of similar data breaches and to secure Protected Health
Information managed by healthcare stakeholders.”

Healthcare organizations cannot assume that they will never be affected by
a third-party cybersecurity attack. Medical devices
must be regularly updated and employees should be continuously trained on
proper data security prevention measures.

Staff members at all levels should know not to open suspicious emails or
click on suspicious links. From there, employees need to report such

Ransomware attacks are not going to disappear anytime soon, and can likely
never be fully prevented. However, organizations can work to lessen the
damage from such attacks and ensure that they will be able to quickly
recover and continue normal operations.