New Brian Buckley · 2016. 9. 12. · Anti‐virus is rapidly losing credibility Source: “Eighty...
Transcript of New Brian Buckley · 2016. 9. 12. · Anti‐virus is rapidly losing credibility Source: “Eighty...
-
Brian BuckleyInfragard Coordinator for Northern California
www.infragard.net
-
Cyber‐Crash and BleedCyber‐Crash and Bleed
Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital
Infrastructure
-
Evolving Risk Environment
• Hospitals are heavily reliant on information technology,
everything is connected more‐so than perhaps anyeverything is connected, more so than perhaps any
other industry
• Computer security has not been a high priority
• Attackers are able to get in, existing security doesn’tAttackers are able to get in, existing security doesn t
stop them, end of story.
-
Wake UpWake Up
Google cyber attacks aGoogle cyber attacks a 'wake‐up' call‐Director of National Intelligence Dennis BlairCNBC 2/2/10
http://www.csmonitor.com/USA/2010/0204/Google‐cyber‐attacks‐a‐wake‐up‐call‐for‐US‐intel‐chief‐says
-
IP is Leaving The Network Right NowIP is Leaving The Network Right Now
• Everybody here who manages an EnterpriseEverybody here who manages an Enterprise with more than 10,000 nodes:
They are STEALING right now, as you watch this.
-
Signature based systems don’t scale
50000
60000
30000
40000
10000
20000
0
2006 2007 2008 2009
-
Anti‐virus is rapidly losing credibility
Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006
Top 3 AV companies don’t detect 80% of new malware
The sheer volume and complexity of computer viruses being released on the Internet today has the anti virus industry onreleased on the Internet today has the anti‐virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti‐virus software alone to keep
Source: “Anti‐Virus Firms Scrambling to Keep Up ”, The Washington Post, March 19, 2008
their…computers safe and secure.
g p p , g , ,
-
The TargetThe Target
• The terrorists intend to erode trust inThe terrorists intend to erode trust in technology used for managing patient care
• They intend to create a large scale event• They intend to create a large scale event• They intend to cause some deaths
-
Targets of Interest
Hospital LAN + WLANMedical Devices (Phillips, etc)( p , )
CAFM
Mobile Devices (COW’ t bl t
(HVAC, etc)
(COW’s, tablets, PDA’s, etc)
Clinical Patient monitors /acute care / ICU
Electronic Health Record (EHR) + other clinical systems (radiology
Workstation
systems (radiology, pharmacy, lab, etc)
-
Phase‐1 ReconPhase 1 Recon
• Terrorists build a social map of all staff for allTerrorists build a social map of all staff for all major hospitals– Focus in on Hospitals that have more than 10 000– Focus in on Hospitals that have more than 10,000 nodes in their networks
– These Hospitals are so reliant on technology thatThese Hospitals are so reliant on technology that an attack will cause a major disruption to health care
-
Attack VectorsAttack Vectors
• Spear‐phishingSpear phishing– Booby‐trapped documents– Fake‐Links to drive‐by websitesy
• Trap postings on industry‐focused social networks– Forums, Groups (clinician list‐servs, AMDIS, web forums)
• SQL injections into web‐based portals– Employee benefit portals, external labs, etc.
-
Boobytrapped DocumentsBoobytrapped Documents
• Single most effective focused attack today• Human crafts text
-
Web‐based attackSocial Networking Space
Web based attack
Injected Java‐script
• Used heavily for large scale infectionsS i l t k t ti i ibl• Social network targeting is possible
-
Scraping the ‘Net for emailsScraping the Net for emails
Attackers use search engines, industry databases, and intelligent guessing to map out the domains ofand intelligent guessing to map out the domains of
all major hospitals.
-
DMOZDMOZ
-
Over 1,000 in California…Over 1,000 in California…
-
Sutter’s web‐based portal is quite h l f lhelpful
-
Using SEO tracker on MercyUsing SEO tracker on Mercy
-
Google Maps on SacramentoGoogle Maps on Sacramento
-
you know they will click ity y
-
Google Web Portal SearchGoogle Web Portal Search
-
My First Hit on allinurl:”exchange/logon.asp” – I haven’t even started yet…
-
SQL InjectionSQL Injection
www.somesite.com/somepage.php/ p g p p
SQL attack, i t IFRAMEinserts IFRAME or script tags
-
Cyber Weapons MarketCyber Weapons Market
• Terrorist’s don’t need to have expert hackersTerrorist s don t need to have expert hackers, they can just buy exploits for money– Fully weaponized and ready to use– Fully weaponized and ready to use– Mostly developed out of the Eastern Bloc
-
Eleonore (exploit pack)Eleonore (exploit pack)
-
Tornado (exploit pack)Tornado (exploit pack)
-
Napoleon / Siberia (exploit pack)Napoleon / Siberia (exploit pack)
-
Hospital LAN
Medical Devices (Phillips, etc)
Mobile Devices (COW’ t bl t(COW’s, tablets,
PDA’s, etc)
Clinical
Patient monitors /acute care / ICU
Electronic Health Record (EHR) + other clinical systems (radiology
WorkstationBYPASSES ANTIVIRUS
systems (radiology, pharmacy, lab, etc)
-
Command and ControlCommand and Control
Once installed, the malware phones home…
SOURCE COMPUTER USERNAMETIMESTAMP
HD SERIAL NUMBER
VICTIM IP ADMIN? OS VERSION
HD SERIAL NUMBER
-
Phase‐2 AccessPhase 2 Access
• The terrorist group is focused on accessThe terrorist group is focused on access– No actions are taken that would reveal the injected codeinjected code
– Long term (weeks)
-
Hospital LAN Four different rootkits
Medical Devices (Phillips, etc)
Mobile Devices (COW’ t bl t(COW’s, tablets,
PDA’s, etc)
Clinical LATERAL MOVEMENT
Electronic Health Record (EHR) + other clinical systems (radiology
Workstation
systems (radiology, pharmacy, lab, etc)
-
Steal CredentialsSteal Credentials
Outlook Email Password
Generic stored passwords
-
Hospital LAN
Medical Devices (Phillips, etc)
Database Passwords
Mobile Devices (COW’ t bl t(COW’s, tablets,
PDA’s, etc)
Clinical Patient monitors /acute care / ICU
Electronic Health Record (EHR) + other clinical systems (radiology
Workstation
systems (radiology, pharmacy, lab, etc)
-
Day 1Day 1
• Subtle modifications to the databaseSubtle modifications to the database
-
Hospital LAN
Firewalls are ineffective
Webserver on
Electronic Health Record (EHR) + other clinical systems (radiology Webserver on
the Internetsystems (radiology, pharmacy, lab, etc)
-
Custom remote‐control applicationCustom remote control application
-
Full SQL accessFull SQL access
EMR
-
Hospital LAN
Modify dosages for in‐patient care
Electronic Health Record (EHR) + other clinical systems (radiologysystems (radiology, pharmacy, lab, etc)
-
Some unsavory ideas…Some unsavory ideas…
• False doctor orders are insertedFalse doctor orders are inserted• Medications are changed outrightS di i di i d• Some medications are discontinued
• Dosages are altered• Allergies deleted
-
Day 3Day 3
-
• Hospitals forced to restore database backupsHospitals forced to restore database backups, losing three days or more of data
• At first they don’t realize this was an attack• At first, they don t realize this was an attack– The database is blamed
-
Day 4Day 4
• After systems are restored from backupAfter systems are restored from backup, terrorists stop using
• Hospitals also start to realize this was a widespread event….
-
Day 5Day 5
-
Emergency Management PlanEmergency Management Plan
• Hospitals start restoring backupsHospitals start restoring backups• Incident Response Teams discover the command and control traffic & databasecommand‐and‐control traffic & database backdoorFil AV d• Files are sent to AV vendor
-
Hospital LAN
XHospitals think they have stopped a major attack…X X pp jX
Webserver on
Electronic Health Record (EHR) + other clinical systems (radiology Webserver on
the Internetsystems (radiology, pharmacy, lab, etc)
-
The ‘Hospital Worm’The Hospital Worm
-
Meanwhile…Meanwhile…
• Terrorists switch to secondaryTerrorists switch to secondary
• They only enable the secondary once the hospital has responded to the databasehospital has responded to the database corruption– Even if the Internet is disabled entirely theEven if the Internet is disabled entirely, the secondary has a hard coded activation time as backup trigger
-
Hospital LAN
Medical Devices (Phillips, etc)
Mobile Devices (COW’ t bl t
Firewalls & IDS are ineffective
(COW’s, tablets, PDA’s, etc) Patient monitors /
acute care / ICU
Chart Software on the COW is injected
Electronic Health Record (EHR) + other clinical systems (radiologysystems (radiology, pharmacy, lab, etc)
Commands injected via MSN Messenger
-
In‐process InjectionIn process Injection
Nurse C.O.W.
No modifications to the Database
User InterfaceR d DB
to the DatabaseData is
modified in transit here
Restored DB
Libraries Database Access Layer
-
Day 7Day 7Confidence in the medical computers erodes… H i l i lHospitals start to implement paper system… Electronic Charts are not to be trusted….
-
Days 8‐15 = Not Enough StaffDays 8 15 Not Enough Staff
• Non essential procedures are cancelledNon essential procedures are cancelled• Large Hospitals are completely understaffed, nurse to patient ratios are taxed whennurse to patient ratios are taxed when computers are shut down
-
Day 15Day 15
• Implant triggers automaticallyImplant triggers automatically
• Monitors in both adult and neonatal ICU are injected to show false data – critical patients die because alarms are not working– Several major vendors targeted, especially those systems based on Windows embedded
-
ICU Monitor InjectionICU Monitor Injection
Windows CE™
Rootkit Driver USB Driver
Application SoftwareApplication Software
-
Day 16 = ChaosDay 16 Chaos
• ER services are redirected to non‐affectedER services are redirected to non affected hospitals
• The Internet is blocked causing disruption• The Internet is blocked causing disruption with external labs and partner servicesF il b f i fill h h i l• Family members of patients fill the hospitals, taxing the dwindling resources
• Patients are being transferred to non‐affected hospitals (largely those that still use paper)
-
Day 20Day 20
• Implant triggers automaticallyImplant triggers automatically
• Firmware in medical devices are altered to cause severe harm– Flow rates, faulty timers, incorrect dosages– Infusion pumps, in particular, are targeted
-
“No one knew when it would end. We couldn’t trust or operate the medical devices. The staff could only provide basic care. The affected hospitals were more or less shut down – they were shunned as if cursed ”were shunned as if cursed.
-
Will This Be You?Will This Be You?
-
Notes on researchNotes on research• The emergency scenario was partially modeled on Hurricane Katrina & Emergency Management Plans
• The network attacks are all modeled on real malware that can be found todaythat can be found today
• The ICU monitor attack is based on real‐world Windows CE rootkit capabilityTh di l d i tt k i d l d l ld• The medical device attack is modeled on real‐world JTAG hacking on ARM‐processor based devices + firmware
• All newspaper clippings were fabricated for illustrative purposes, but drawn from actual historical news events regarding medical equipment failures causing deathsg g q p g
-
Bill FawnsCIO, Kern Medical Center
-
QuestionsQuestions
Questions can be directed to [email protected]