US hospitals hacked with ancient exploits

Attackers have popped three prominent US hospitals, using deliberately ancient malware so old that it slips under the radar of modern security controls to compromise Windows XP boxes and gain network beacheads.

The attacks were foiled using deceptive honeypot-style frameworks, according to California-based TrapX.

Hospitals were attacked between late 2015 and early this year, potentially compromising medical systems such as x-ray machines, and fluoroscopy radiology systems.

TrapX detailed the attacks in its paper MEDJACK.2 Hospitals Under Siege [PDF] descrbing how the three hospitals contained a "multitude of backdoors and botnet connections" under attacker control.

"The malware utilized for this attack was specifically selected to exploit older versions of Windows," TrapX researchers wrote of the attacks.

"It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack.

"[Attackers] can extend their foothold on these compromised systems to potentially breach the patient records over an extended period of time."

The company says the modern security systems in place at the hospitals did not eradicate the old malware using vulnerabilities such as MS08-067 which was dangerous only to Windows XP systems.

That the security systems failed to stop the malware is odd given that the signatures for the deployed worms are well known and should be baked into detection controls.

Forensic investigations however revealed the systems did not generate alerts in what the researchers suggest is a lack of concern for the ancient exploits that fire only on the hospitals' few Windows XP systems.

One hospital was compromised despite having had centralised intrusion detection software, updated endpoint protection, and new model firewalls.

One malware instance appeared to be ancient but contained deeper within it sophisticated abilities for lateral network movement, the company says.

The report is the latest in a series in which medical devices have been described as a "key pivot point for attackers" in healthcare.

This says TrapX is because the devices are "visible points of vulnerability" that are among the most difficult to secure and remediate after a breach.

Healthcare in the US is one of the largest individual markets with annual expenditures of some 17.5 percent of US GDP. It employs some 900,000 physicians, 2,700,000 registered nurses, physician’s assistants, and medical administrative staff in more than 225,000 practices.

The findings come on the back of a separate report that revealed healthcare practitioners were revealed to be possibly the most notorious bypassers of security controls using shared passwords, Post-It notes, and proximity sensor -defeating styrofoam cups to get their jobs done faster.

The persistence of Windows XP in healthcare isn't just a problem in America. Australia's Royal Melbourne Hospital was attacked in January. ®