Conficker Used in New Wave of Hospital IoT Device Attacks

Conficker returns from obsolescence to help hijack medical devices and steal patient records.

Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps are increasingly being targeted by hackers seeking to steal patient medical records from hospitals. Attackers consider the devices soft digital targets, seldom guarded with the same security as the client PCs and servers within hospitals.

In a report by security firm TrapX Labs, researchers found that the dearth of cyber defenses on clinical IoT medical equipment was tied to a resurgence of old malware such as the notorious Conficker worm, which antivirus engines also detect under names like networm32.kido.ib. In its paper MEDJACK.2 Hospitals Under Siege (PDF), researchers describe how modern hospital security systems overlook protecting internet-connected devices running Windows XP or unpatched versions of Windows 7 and Windows 8, making them an easy target for ancient worms.

“The malware utilized for this attack was specifically selected to exploit older versions of Windows… It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack,” TrapX wrote in its report.

In its 2009 heyday Conficker was estimated to have infected between 9 million and 15 million computers. The worm was known for constantly morphing as its authors regularly updated the code. It targets Microsoft’s Windows operating system and was notorious for cracking weak passwords to spread across network shares, hijacking Windows computers and enlisting them into botnets that distributed spam and installed scareware.

Researchers say they have captured new samples of the Conficker worm that have been updated with an enhanced ability to move laterally within a network and to target specific types of medical devices. The malware is delivered via spear-phishing attacks against hospital staff. Once Conficker (or networm32.kido.ib) infects a host and wends its way inside the network, the attackers use command-and-control instructions to deliver additional, “more sophisticated” malware to the devices.

“Wrapped inside an out-of-date malware wrapper for networm32.kido.ib, we determined that the malware was in fact quite sophisticated, and capable of ‘jumping’ or moving between networks successfully. The almost harmless networm, easily ignored by Windows 7 patched systems, Windows 8 platforms and new operating systems, exploited a vulnerability within Windows XP to load a RAT (remote access tool) so the attacker could load sophisticated, state of the art attacker software components,” according to the report.

In its previous 2015 report, TrapX noticed similar types of attacks inside hospitals and healthcare facilities. What’s new, said Moshe Ben-Simon, co-founder of TrapX Labs, is that “these old worms such as Conficker are being used in tandem with much more sophisticated payloads that are able to go deeper into a hospital network and target specific devices that can gain criminals easier access to patient records.”

Patient records are quickly becoming a hot commodity on the dark web. Ben-Simon said medical records are known to hold greater value on the black market than other items such as credit card data. That’s because criminals can steal a patient’s identity and not just extend credit in their name, but also have costly prescriptions filled. “Insurance pays for the prescription and attackers can resell the drugs on the black market,” Ben-Simon said.

TrapX estimates that medical records fetch $10 to $20 per record on the black market versus about $5 for one financial profile.

Last week, records for 655,000 patients that were allegedly stolen from three healthcare organizations wound up on the web. The attackers claim to have obtained that data via a Remote Desktop Protocol (RDP) attack.

According to the TrapX report, which studied real-world infections at three hospitals, forensic investigation revealed that the presence of the Conficker worm failed to generate any cybersecurity alarms. TrapX reported that the worm went unnoticed because no one was watching for such an ancient threat. “Medical devices are ‘black boxes’ and their internal software operations are not visible to the hospital cyber defense team. They run out of date operating systems, such as Windows 7 or Windows XP which are highly vulnerable and almost completely unprotected,” wrote researchers.
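A worm that nobody is watching for is still visible on the wire. The following detection sketch is an added example, not TrapX's tooling or anything from the MEDJACK.2 report: it reads network flow records and flags devices that open SMB (TCP 445) to many distinct internal peers in a short window, the fan-out pattern of Conficker-style propagation over SMB (an established fact about the worm, not something the article itself states). The asset inventory, the IP addresses and the flow log are all constructed for the example; the assumption is that the hospital can map device IPs to an operating system so legacy-OS hits are ranked first.

```python
"""Detection sketch (added example): flag worm-style SMB fan-out from
legacy-OS medical devices in network flow logs.

Conficker propagates over SMB on TCP 445, so a Windows XP imaging
workstation that suddenly opens port 445 to a dozen internal peers is
exactly the event that should have raised an alarm. Inventory and flow
records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

SMB_PORT = 445
LEGACY_OS = {"Windows XP", "Windows 7", "Windows 8"}

# Hypothetical asset inventory: assumes a CMDB maps device IPs to OS.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.20.5.11": ("MRI-01", "Windows XP"),
    "10.20.5.12": ("CT-02", "Windows 7"),
    "10.20.5.40": ("DIALYSIS-07", "Windows 10"),
    "10.20.9.5": ("FILESRV-01", "Windows Server 2016"),
}

# Constructed flow log: "timestamp src dst dport proto". MRI-01 touches
# twelve peers on 445 within ninety seconds; everything else is normal.
SAMPLE_FLOWS = """\
2016-06-27T02:09:40Z 10.20.5.11 10.20.9.5   443 tcp
2016-06-27T02:10:01Z 10.20.5.11 10.20.5.12  445 tcp
2016-06-27T02:10:02Z 10.20.5.11 10.20.5.13  445 tcp
2016-06-27T02:10:04Z 10.20.5.11 10.20.5.14  445 tcp
2016-06-27T02:10:09Z 10.20.5.11 10.20.5.15  445 tcp
2016-06-27T02:10:15Z 10.20.5.11 10.20.5.16  445 tcp
2016-06-27T02:10:22Z 10.20.5.11 10.20.5.17  445 tcp
2016-06-27T02:10:30Z 10.20.5.40 10.20.9.5   445 tcp
2016-06-27T02:10:31Z 10.20.5.11 10.20.5.18  445 tcp
2016-06-27T02:10:40Z 10.20.5.11 10.20.5.19  445 tcp
2016-06-27T02:10:51Z 10.20.5.11 10.20.5.20  445 tcp
2016-06-27T02:11:03Z 10.20.5.11 10.20.5.21  445 tcp
2016-06-27T02:11:17Z 10.20.5.11 10.20.5.22  445 tcp
2016-06-27T02:11:30Z 10.20.5.11 10.20.5.23  445 tcp
2016-06-27T02:12:00Z 10.20.5.12 10.20.9.5   445 tcp
"""


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(dport), proto.lower()))
    return flows


def smb_fanout(flows: List[Flow], window: timedelta = timedelta(minutes=5),
               threshold: int = 8) -> Dict[str, Tuple[int, datetime]]:
    """Return {src: (distinct_targets, window_start)} for every source that
    opens SMB to at least `threshold` distinct destinations inside any `window`.
    A single device talking to one file server never trips this; a worm
    sweeping a subnet does."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == SMB_PORT and f.proto == "tcp":
            by_src[f.src].append(f)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda f: f.ts)
        for i, first in enumerate(recs):
            targets = {r.dst for r in recs[i:] if r.ts - first.ts <= window}
            if len(targets) >= threshold:
                hits[src] = (len(targets), first.ts)
                break  # one alert per source is enough
    return hits


def legacy_device_alerts(flows: List[Flow], inventory=INVENTORY) -> List[dict]:
    """Join fan-out hits against the inventory; legacy-OS devices sort first."""
    alerts = []
    for src, (n, since) in smb_fanout(flows).items():
        name, os_name = inventory.get(src, ("unknown", "unknown"))
        alerts.append({
            "device": name, "ip": src, "os": os_name,
            "legacy_os": os_name in LEGACY_OS,
            "targets": n, "since": since.isoformat(),
        })
    return sorted(alerts, key=lambda a: (not a["legacy_os"], -a["targets"]))


if __name__ == "__main__":
    for alert in legacy_device_alerts(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The window and threshold are the tuning knobs: a five-minute window with eight distinct SMB peers is conservative for a clinical VLAN, where an imaging workstation normally talks to a PACS server and little else. Feeding the same logic flows from the hospital's NetFlow collector rather than the constructed sample is the only change needed to run it for real.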

Ben-Simon said those medical devices are extremely attractive targets because each one is highly connected and links to a community of additional vulnerable medical devices, which in turn connect to high-value patient data. “All it takes is one successful attempt for the attacker to establish a backdoor, find and steal data, or use automated tools to set a ransomware attack in motion,” according to the report.
