MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks

Attackers are infecting medical devices with malware and then moving laterally through hospital networks to steal confidential data, according to TrapX's MEDJACK report.

After the Office of Personnel Management breach, medical data was labeled as the "holy grail" for cybercriminals intent on espionage. "Medical information can be worth 10 times as much as a credit card number," reported Reuters. And now to steal such information, hospital networks are getting pwned by malware-infected medical devices.

TrapX, a deception-based cybersecurity firm, released a report about three real-world targeted hospital attacks which exploited an attack vector the researchers called MEDJACK, for medical device hijack. "MEDJACK has brought the perfect storm to major healthcare institutions globally," they warned. "Medical devices complemented by the MEDJACK attack vector may be the hospital's weakest link in the chain."

In three separate hospitals, TrapX found "extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA)." But "there are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart - lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more."

Hospital lab blood gas analyzer attack

Blood gas analyzers are often used in critical care situations or during surgery, the report said. An unnamed hospital had "a very strong industry suite of cyber defense products" which did not detect an attack, yet TrapX found that attackers were moving laterally through the networks due to three malware-infected blood gas analyzers that had "enabled backdoors into the hospital networks." The attackers were exfiltrating confidential hospital data to a location within the European Community. TrapX found Zeus and Citadel malware being used to find additional passwords within the hospital as well as other worm variants. TrapX believes the lateral movement "may have enabled the infection of one of the hospital IT department's workstations."

When the TrapX Lab team used a Nova Biomedical CCX (Critical Care Xpress) unit to recreate the attack in a simulated attack environment, they discovered the data was not encrypted. They "determined that once an attacker has established a backdoor within our target blood gas analyzer, or any other medical device, almost any form of manipulation of the unencrypted data stored and flowing through the device is possible. In summary, it is the position of TrapX Labs that the MEDJACK attack vector has the potential to distort or change internal data."

The report explained that medical devices "are closed devices, running out-of-date, closed, often times modified and likely insecure operating systems such as Windows 2000, Windows XP or Linux. That's why the MEDJACK attack vector presents a highly vulnerable target to attackers on a global basis. The defenders cannot easily get in to detect or remediate an attack. On the other hand the attackers have an open door." So after "the attacker can get into the network and bypass existing security, they have a time window to infect a medical device and establish a backdoor within this protected (and safe) harbor."

Although hospitals tend to install medical devices behind a firewall and the internal network runs antivirus and other endpoint and intrusion security, TrapX said medical devices are "key pivot points for attackers within healthcare networks." Healthcare IT teams cannot access the internal software in medical devices, so they depend on manufacturers to build and maintain security in those devices. Yet manufacturers have not developed "the requisite software to detect most of the software payloads delivered by the MEDJACK attack."

Hospital radiology aka the PACS pivot attack

During a different persistent attack at another hospital, the attacker moved laterally through the networks looking for other targets. But the "source of this lateral movement was the picture archive and communications systems (PACS) that provided the radiology department with the storage and access to images derived from multiple sources. These image sources included CT scanners, MRI scanners, portable x-ray machines (c-arms), X-ray and ultrasound equipment." The PACS system also tried to act as a botnet and connect to Command and Control.

The lateral movement "appears to have enabled the infection of a key nurse's workstation" and confidential hospital data was being exfiltrated to Guiyang, China. It's believed to have all started after an end-user in the hospital surfed to a malicious website.
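The common thread in the blood gas analyzer and PACS cases above is that a device which should only ever talk to a handful of known systems suddenly starts initiating connections outward (exfiltration or command-and-control beaconing) or inward toward user workstations (the IT and nurse workstations that were infected). That behaviour is visible in ordinary flow records even when the device itself cannot be inspected. The following script is an added example of that detection logic, not code from the TrapX report or from any vendor; the asset inventory, allowlisted destinations, workstation subnet and flow lines are all constructed for illustration.

```python
"""
Added example: flag medical devices that behave like pivot points.

Two behaviours from the article are modelled:
  (1) a device contacting an address outside the hospital's internal range
      that is not on its allowlist (exfiltration / C2 beaconing), and
  (2) a device initiating connections into workstation subnets
      (lateral movement toward IT or nurse workstations).
All addresses, names and flow records below are constructed, hypothetical values.
"""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: medical device IPs and friendly names.
MEDICAL_DEVICES = {
    "10.20.1.15": "blood-gas-analyzer-1",
    "10.20.1.16": "blood-gas-analyzer-2",
    "10.20.2.40": "pacs-server",
    "10.20.3.8": "xray-system-1",
}

# Constructed allowlist: the few destinations a device legitimately talks to
# (the PACS server that modalities send images to, the lab information system).
ALLOWED_DESTINATIONS = {"10.20.2.40", "10.20.5.10"}

# Constructed hospital address space and user-workstation subnet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WORKSTATION_SUBNETS = [ipaddress.ip_network("10.30.0.0/16")]


def is_external(ip):
    """True when ip lies outside every internal network (checked explicitly,
    not via is_private, so documentation ranges used in samples count as external)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed flow record: 'ts src_ip dst_ip dst_port proto bytes'."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "port": int(port), "proto": proto, "bytes": int(nbytes)}


def classify(flow):
    """Return an alert kind for a device-initiated flow, or None when benign."""
    src, dst = flow["src"], flow["dst"]
    if src not in MEDICAL_DEVICES:          # only device-initiated traffic matters here
        return None
    if dst in ALLOWED_DESTINATIONS:
        return None
    if is_external(dst):
        return "external-egress"
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in net for net in WORKSTATION_SUBNETS):
        return "lateral-to-workstation"
    return None


def find_pivots(lines, beacon_threshold=3):
    """Return {device_name: [(kind, destination, port_or_count), ...]}.
    Repeated contact with the same external host at or above beacon_threshold
    adds a 'repeated-external-contact' alert, the beaconing pattern of a C2 client."""
    alerts = defaultdict(list)
    external_counts = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        kind = classify(flow)
        if kind is None:
            continue
        name = MEDICAL_DEVICES[flow["src"]]
        alerts[name].append((kind, flow["dst"], flow["port"]))
        if kind == "external-egress":
            external_counts[(name, flow["dst"])] += 1
    for (name, dst), n in external_counts.items():
        if n >= beacon_threshold:
            alerts[name].append(("repeated-external-contact", dst, n))
    return dict(alerts)


# Constructed sample flows: one benign LIS upload, one benign DICOM transfer,
# three beacons from a blood gas analyzer to an outside host, and one
# PACS-initiated SMB connection into the nurse workstation subnet.
SAMPLE_FLOWS = [
    "2015-06-01T10:00:01 10.20.1.15 10.20.5.10 443 tcp 1200",
    "2015-06-01T10:00:05 10.20.3.8 10.20.2.40 104 tcp 50000",
    "2015-06-01T10:01:00 10.20.1.16 203.0.113.7 443 tcp 900",
    "2015-06-01T10:02:00 10.20.1.16 203.0.113.7 443 tcp 900",
    "2015-06-01T10:03:00 10.20.1.16 203.0.113.7 443 tcp 900",
    "2015-06-01T10:04:00 10.20.2.40 10.30.4.22 445 tcp 3000",
    "2015-06-01T10:05:00 10.30.4.22 10.20.2.40 104 tcp 200",
]

if __name__ == "__main__":
    for device, hits in find_pivots(SAMPLE_FLOWS).items():
        for kind, dst, extra in hits:
            print(f"{device}: {kind} -> {dst} ({extra})")
```

The inventory and allowlist are the whole point: a device that cannot be patched or scanned can still be fenced in by a short list of peers, and anything outside that list is worth a ticket. The last sample flow is initiated by the workstation, not the device, so it is deliberately ignored; device-initiated direction is what distinguishes a pivot from normal clinical traffic.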

Malware-infected X-Ray systems

In the third real-world attack observed by TrapX, critical medical device components were again infected with advanced malware. This time the attacker installed a backdoor in one of the hospital X-ray systems. TrapX general manager Carl Wright told SCMagazine:

"Our scientists have observed that you could manufacture an attack, designed specifically for several models of a specific medical device, and then launch that attack. That, combined with the difficulty in diagnosis and remediation, and the very high value of healthcare data, create a near perfect target for organized crime."

Attacker could remotely hack hospital drug pump, tweak amount to fatal dose

We've heard about potentially lethal attacks on medical devices like insulin pumps and pacemakers, which pushed the feds into protecting wireless medical devices from hackers; a couple of years later, DHS started investigating 24 potentially deadly cyber flaws in medical devices. Now there's more bad news on the medical device scene, as vulnerabilities in drug infusion pumps could be remotely exploited by an attacker to increase a dose to a fatal level.

Security researcher Billy Rios has discovered vulnerabilities in "at least five models" of Hospira drug infusion pumps; he told Wired, "This is the first time we know we can change the dosage."

After testing the infusion pumps, Rios discovered the following Hospira models are vulnerable: the standard PCA LifeCare pumps, PCA3 LifeCare and PCA5 LifeCare pumps; the Symbiq line of pumps and the Plum A+ model of pumps. Wired added that there are "at least 325,000" Plum A+ drug infusion pumps currently installed in hospitals worldwide. Although Rios hasn't tested other models for the vulnerabilities, "he suspects that the company's Plum A+3 and its Sapphire and SapphirePlus models are equally vulnerable too."
