HCCIC Intelligence Briefing · 9/10/2018

HC3 Threat Intelligence Briefing
Supply Chain Threats

OVERALL CLASSIFICATION IS UNCLASSIFIED
TLP:WHITE

9/06/2018

Agenda
• Intro
• Overview
• Healthcare Supply Chain Attacks
• Healthcare Supply Chain – Attack Vectors
• Operation Red Signature
• Operation Red Signature – Attack Chain
• Protections and Mitigations
• Conclusion

8/30/2018 UNCLASSIFIED 2

Slides Key:
Non-Technical: managerial, strategic and high-level (general audience)
Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)

Overview

Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations and the ability to compromise such assets. (Trend Micro)

Thirty percent of all breaches reported to the U.S. Department of Health and Human Services (HHS) public breach tool in 2016 were claimed to be due to breaches of business associates and third-party vendors.

The healthcare industry is more dependent than ever on cloud-based systems, third-party service providers, and vendors in the supply chain.

NIST and FDA frameworks and guidelines, respectively, have been developed to mitigate supply chain threats.

Risk Areas

Patient Health
• Systems used for diagnosis, monitoring, and treatment
• Medical Devices
• Medical Equipment
• Hospital Information System

Data Privacy
• Patient PII records like medical records and insurance info
• Employee PII
• Research and drug trial data
• Payroll
• Intellectual Property

Hospital Operations
• Staff scheduling databases
• Hospital-paging systems
• Building controls
• Pneumatic tube support systems
• Inventory systems
• Administration

Healthcare Supply Chain

Entry Points
⁻ Medical product/medicine/supplies manufacturer
⁻ Distribution center
⁻ Shipping and transportation companies
⁻ Suppliers
⁻ Vendor/contractor (equipment, HVAC, ISP, telephony or the like) or hospital staff
⁻ Mobile health (mHealth) app/HIS/other software developer
⁻ Outdated and unpatched firmware in medical devices/equipment
⁻ Previous employees or non-core services staff

Source: Trend Micro

Attacks

Device Firmware Attacks
Threat actors can access a medical device’s firmware source code to add malicious functionality or install a backdoor.

Insider threats from hospital and vendor staff
Intentional or unintentional. Staff can abuse privileges, leading to a breach.

Source code during manufacturing
Perpetrators can access software source code via backdoor installation or device rooting.

Third-party vendors
Vendors have credentials that include log-ins, passwords, and badge access, all of which can be compromised.

mHealth mobile app compromise
mHealth apps can be targeted to change functionality, deliver fatal-level dosages, expose personal data, penetrate company systems, and cause HIPAA violations.

Website, EHR, and internal portal compromise
Perpetrators can attempt to compromise hospital websites, EHR software and internal portals used by hospital staff and vendors.

Spear phishing from trusted email accounts
Attackers can gain control of vendor credentials and send clients spoofed emails.

Source: Trend Micro

Healthcare Supply Chain – Attack Vectors

• Firmware attacks on devices
• Compromises to mobile applications
• Insider threats
• Compromises to websites
• Source code during manufacturing
• Spear phishing
• Third-party vendors

Source: Trend Micro

Operation Red Signature

• Researchers discovered an information theft-driven supply chain attack targeting organizations in South Korea (Trend Micro)
  – Attacks were discovered around the end of July, while the media reported the attack in South Korea on August 6.
• Threat actors compromised the update server of a remote support solutions provider
  – delivered a remote access tool called 9002 RAT to their targets of interest through the update process.
• Carried out by first stealing the company’s certificate then using it to sign the malware.
• 9002 RAT Payload:
  – an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269)
  – SQL database password dumper.

Operation Red Signature – Attack Chain

1. The code-signing certificate from the remote support solutions provider is stolen.

2. Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attacker’s server.

3. The update server of the company is hacked.

4. The update server is configured to receive an update.zip file from the attackers’ server if a client is connecting from a specific range of IP addresses belonging to their targeted organizations.

5. The malicious update.zip file is sent to the client when the remote support program is executed.

6. The remote support program recognizes the update files as normal and executes the 9002 RAT malware inside it.

7. 9002 RAT downloads and executes additional malicious files from the attackers’ server.

Source: Trend Micro
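The client-side check that would have stopped steps 4 to 6, as an added example that is not code from the briefing or from the remote support provider: the substituted update.zip carried a valid signature made with the stolen certificate, so a signature check alone accepted it. A client that also pins the SHA-256 of every expected member, taken from a manifest obtained over a separate channel, rejects a bundle whose contents were swapped regardless of the signature. Member names, contents and digests below are constructed.

```python
"""Pinned-manifest verification of a downloaded update bundle (added example)."""
import hashlib
import io
import zipfile
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the example runs offline (stands in for the download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_update(bundle: bytes, manifest: Dict[str, str]) -> List[str]:
    """Compare a bundle against the pinned manifest {member name: sha256 hex}.

    Returns the problems found; an empty list means the bundle may be installed.
    Every pinned member must be present with the pinned digest, no unlisted
    member may be present, and member names must stay inside the extraction
    directory.
    """
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        names = zf.namelist()
        for name in manifest:
            if name not in names:
                problems.append(f"missing pinned member: {name}")
        for name in names:
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts:
                problems.append(f"unsafe member path: {name}")
            if name not in manifest:
                problems.append(f"unlisted member: {name}")
                continue
            if sha256_hex(zf.read(name)) != manifest[name].lower():
                problems.append(f"digest mismatch: {name}")
    return problems


# Constructed release: what the vendor actually built, and the manifest it
# publishes out of band (a second host, or baked into the installer).
GOOD_MEMBERS = {
    "support_agent.dll": b"constructed stand-in for the legitimate library",
    "release_notes.txt": b"constructed release notes",
}
MANIFEST = {name: sha256_hex(data) for name, data in GOOD_MEMBERS.items()}
GOOD_BUNDLE = build_zip(GOOD_MEMBERS)

# Constructed substituted bundle of the kind step 4 serves to a targeted client:
# one member replaced, one extra member added. A valid signature over this
# archive would not change what verify_update returns.
TAMPERED_BUNDLE = build_zip({
    "support_agent.dll": b"constructed stand-in for a trojanized library",
    "release_notes.txt": b"constructed release notes",
    "extra_component.dll": b"constructed stand-in for an injected file",
})

if __name__ == "__main__":
    print("good bundle:", verify_update(GOOD_BUNDLE, MANIFEST) or "OK")
    print("tampered bundle:", verify_update(TAMPERED_BUNDLE, MANIFEST))
```

The manifest must not come from the update server itself: step 4 shows that server returning different content depending on the client's source address, so an attacker who controls it could substitute both the bundle and its manifest. Pinning at install time or fetching the manifest from an independent host closes that path; revoking the stolen certificate remains necessary but, as the chain shows, is not sufficient on its own.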

Indicators of Compromise

Indicators of Compromise (IoCs) (Trend Micro):

Related hashes (SHA-256):
• 0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19 (ShiftDoor) — detected by Trend Micro as BKDR_SETHC.D
• c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e (aio.exe) — HKTL_DELOG
• a3a1b1cf29a8f38d05b4292524c3496cb28f78d995dfb0a9aef7b2f949ac278b (m.exe) — HKTL_MIMIKATZ
• 9415ca80c51b2409a88e26a9eb3464db636c2e27f9c61e247d15254e6fbb31eb (printdat.dll) — TSPY_KORPLUG.AN
• 52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005 (rcview.log) — TROJ_SIDELOADR.ENC
• bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e (rcview40u.dll) — TROJ_SIDELOADR.A
• 279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30 (sharphound.exe) — HKTL_BLOODHOUND
• e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc (ssms.exe) — HKTL_PASSDUMP
• e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518 (w.exe) — TROJ_CVE20177269.MOX
• 28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d (Web.exe) — HKTL_BROWSERPASSVIEW.GA

URLs related to the malicious update file:
• hxxp://207[.]148[.]94[.]157/update/rcv50/update.zip
• hxxp://207[.]148[.]94[.]157/update/rcv50/file000.zip
• hxxp://207[.]148[.]94[.]157/update/rcv50/file001.zip

URLs related to additionally downloaded malicious files:
• hxxp://207[.]148[.]94[.]157/aio.exe
• hxxp://207[.]148[.]94[.]157/smb.exe
• hxxp://207[.]148[.]94[.]157/m.ex_
• hxxp://207[.]148[.]94[.]157/w
• hxxp://207[.]148[.]94[.]157/Web.ex_

Related C&C server (9002 RAT and PlugX variant):
• 66[.]42[.]37[.]101
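A sweep of the IoCs above over local telemetry, as an added example (not tooling from the briefing or from Trend Micro): the hash, URL and C&C values are those listed on the slide, refanged from the hxxp/[.] notation into the form they take in real log fields, and the proxy, EDR and firewall records are constructed to exercise each match type.

```python
"""Match the slide's Operation Red Signature IoCs against log lines (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# IoCs exactly as printed on the slide (Trend Micro), still defanged.
DEFANGED_URLS = [
    "hxxp://207[.]148[.]94[.]157/update/rcv50/update.zip",
    "hxxp://207[.]148[.]94[.]157/update/rcv50/file000.zip",
    "hxxp://207[.]148[.]94[.]157/update/rcv50/file001.zip",
    "hxxp://207[.]148[.]94[.]157/aio.exe",
    "hxxp://207[.]148[.]94[.]157/smb.exe",
    "hxxp://207[.]148[.]94[.]157/m.ex_",
    "hxxp://207[.]148[.]94[.]157/w",
    "hxxp://207[.]148[.]94[.]157/Web.ex_",
]
DEFANGED_C2 = ["66[.]42[.]37[.]101"]
SHA256_IOCS: Dict[str, str] = {
    "0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19": "ShiftDoor / BKDR_SETHC.D",
    "c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e": "aio.exe / HKTL_DELOG",
    "a3a1b1cf29a8f38d05b4292524c3496cb28f78d995dfb0a9aef7b2f949ac278b": "m.exe / HKTL_MIMIKATZ",
    "9415ca80c51b2409a88e26a9eb3464db636c2e27f9c61e247d15254e6fbb31eb": "printdat.dll / TSPY_KORPLUG.AN",
    "52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005": "rcview.log / TROJ_SIDELOADR.ENC",
    "bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e": "rcview40u.dll / TROJ_SIDELOADR.A",
    "279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30": "sharphound.exe / HKTL_BLOODHOUND",
    "e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc": "ssms.exe / HKTL_PASSDUMP",
    "e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518": "w.exe / TROJ_CVE20177269.MOX",
    "28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d": "Web.exe / HKTL_BROWSERPASSVIEW.GA",
}


def refang(ioc: str) -> str:
    """Undo the slide's defanging so values compare against real log fields."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


URL_IOCS = {refang(u) for u in DEFANGED_URLS}
C2_IPS = {refang(ip) for ip in DEFANGED_C2}
# Any connection to the distribution host or the C&C is worth a look, even
# with a path the slide does not list.
HOSTS = {urlparse(u).netloc for u in URL_IOCS} | C2_IPS

URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) hits for one log line; kinds are url, host, sha256."""
    hits: List[Tuple[str, str]] = []
    for url in URL_RE.findall(line):
        if url in URL_IOCS:
            hits.append(("url", url))
    for ip in IP_RE.findall(line):
        # Skip hosts already reported as part of a matched URL.
        if ip in HOSTS and not any(ip in u for kind, u in hits if kind == "url"):
            hits.append(("host", ip))
    for digest in SHA256_RE.findall(line):
        label = SHA256_IOCS.get(digest.lower())
        if label:
            hits.append(("sha256", f"{digest.lower()} ({label})"))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line index, kind, value) for every IoC hit across the lines."""
    return [(i, kind, value) for i, line in enumerate(lines) for kind, value in scan_line(line)]


# Constructed proxy, EDR and firewall records for illustration; not from any real incident.
SAMPLE_LOGS = [
    "2018-08-01T09:15:02Z proxy src=10.10.5.21 GET http://207.148.94.157/update/rcv50/update.zip 200",
    "2018-08-01T09:15:40Z proxy src=10.10.5.21 GET http://cdn.example-vendor.test/update/rcv50/update.zip 200",
    "2018-08-01T09:17:11Z edr host=ws-021 file_create C:\\ProgramData\\aio.exe "
    "sha256=c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e",
    "2018-08-01T09:18:30Z fw src=10.10.5.21 dst=66.42.37.101 dport=443 action=allow",
    "2018-08-01T09:19:00Z proxy src=10.10.5.22 GET http://10.10.5.1/intranet/index.html 200",
]

if __name__ == "__main__":
    for index, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: {kind} {value}")
```

The second sample line shows why the whole URL, not just the path, is compared: the same update path fetched from the vendor's legitimate host is not a hit. Hash matching is case-insensitive because EDR products differ in how they print digests.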

Protection & Mitigations

Standards and Guidelines
⁻ NIST: Framework for Improving Critical Infrastructure Cybersecurity
⁻ FDA: Postmarket Management of Cybersecurity in Medical Devices
⁻ HITRUST CSF

Technical Recommendations for Hospitals
⁻ Network segmentation
⁻ Firewalls
⁻ Next-generation firewalls/Unified Threat Management (UTM) gateways
⁻ Antimalware solutions
⁻ Antiphishing solutions
⁻ Breach Detection Systems (BDS)
⁻ IPS/IDS
⁻ Encryption technologies
⁻ Patch management (physical or virtual)
⁻ Vulnerability scanner
⁻ Deception technologies
⁻ Shodan scanning

Non-Technical Recommendations for Hospitals
⁻ Perform vulnerability assessment of new medical devices
⁻ Purchase medical devices from manufacturers who go through rigorous security assessment of the products
⁻ Develop a plan for patching and updating code/firmware for devices implanted in patients and for hospital medical equipment.
⁻ Perform risk assessment on all suppliers and vendors in the supply chain.
⁻ Identify third-party vendor software and perform security and vulnerability testing to ensure they are safe from hackers

Source: Trend Micro

Conclusion

Upcoming Briefs
• Trends in Malicious Macro Usage
• Cryptomining Landscape
• Various APT/FIN Groups

Analyst-to-analyst webinars are available

Questions / Comments / Concerns?

HHS HCCIC Email Address: [email protected]