Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure.

Published byVictoria Summers Modified over 6 years ago

Similar presentations

Presentation on theme: "Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure."— Presentation transcript:

1 Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure

2 Evolving Risk Environment
Hospitals are heavily reliant on information technology, everything is connected, more-so than perhaps any other industry Computer security has not been a high priority Attackers are able to get in, existing security doesn’t stop them, end of story.

3 Fact Malware is the single greatest threat to Enterprise security today Existing security isn’t stopping it Over 80% of corporate intellectual property is stored online, digitally IT Forensics

4 Wake Up Google cyber attacks a 'wake-up' call
-Director of National Intelligence Dennis Blair CNBC 2/2/10

5 IP is Leaving The Network Right Now
Everybody in this room who manages an Enterprise with more than 10,000 nodes: They are STEALING right now, as you sit in that chair.

6 Scale The rate of malicious code and unwanted software is surpassing legitimate software (Symantec) Automated malware infrastructure Signature-based security solutions simply can’t keep up (Trend Micro) The peculiar thing about signatures is that they are strongly coupled to an individual malware sample More malware was released in 2007 than all malware combined previous (F-Secure)

7 Signature based systems don’t scale

8 Anti-virus is rapidly losing credibility
Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure. Source: “Anti-Virus Firms Scrambling to Keep Up ”, The Washington Post, March 19, 2008 8

9 The Target The terrorists intend to erode trust in technology used for managing patient care They intend to create a large scale event They intend to cause some deaths

10 Targets of Interest Hospital LAN + WLAN CAFM (HVAC, etc)
Medical Devices (Phillips, etc) CAFM (HVAC, etc) Mobile Devices (COW’s, tablets, PDA’s, etc) Patient monitors / acute care / ICU Clinical Workstation Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc)

11 Phase-1 Recon Terrorists build a social map of all staff for all major hospitals Focus in on Hospitals that have more than 10,000 nodes in their networks These Hospitals are so reliant on technology that an attack will cause a major disruption to health care

12 Attack Vectors Spear-phishing
Booby-trapped documents Fake-Links to drive-by websites Trap postings on industry-focused social networks Forums, Groups (clinician list-servs, AMDIS, web forums) SQL injections into web-based portals Employee benefit portals, external labs, etc.

13 Boobytrapped Documents
This is the current trend Single most effective focused attack today Human crafts text

14 Social Networking Space
Web-based attack Social Networking Space Injected Java-script Used heavily for large scale infections Social network targeting is possible

15 Scraping the ‘Net for emails
Attackers use search engines, industry databases, and intelligent guessing to map out the domains of all major hospitals.

16 DMOZ

17 Over 1,000 in California…

18 Sutter’s web-based portal is quite helpful

19 Using SEO tracker on Mercy

20 Google Maps on Sacramento

21 Google Search -

22 you know they will click it

23 ‘Reflected’ injection
Link contains a URL variable w/ embedded script or IFRAME * User clicks link, thus submitting the variable too Trusted site, like .com, .gov, .edu The site prints the contents of the variable back as regular HTML *For an archive of examples, see xssed.com

24 Google Web Portal Search

25 My First Hit on allinurl:”exchange/logon
My First Hit on allinurl:”exchange/logon.asp” – I haven’t even started yet…

26 Trap Postings I www.somesite.com/somepage.php <script>
Some text to be posted to… the site ….

27 Trap Postings II www.somesite.com/somepage.php
<IFRAME src= style=“display:none”></IFRAME> Some text to be posted to… the site ….

28 SQL attack, inserts IFRAME or script tags
SQL Injection SQL attack, inserts IFRAME or script tags

29 A three step infection Exploit Server Redirect Browser Exploit
Injected Java-script Exploit Server Redirect Browser Exploit Payload Server Dropper

30 Cyber Weapons Market Terrorist’s don’t need to have expert hackers, they can just buy exploits for money Fully weaponized and ready to use Mostly developed out of the Eastern Bloc

31 Eleonore (exploit pack)

32 Tornado (exploit pack)

33 Napoleon / Siberia (exploit pack)

34 Mobile Devices (COW’s, tablets, PDA’s, etc)
Hospital LAN Medical Devices (Phillips, etc) Mobile Devices (COW’s, tablets, PDA’s, etc) Patient monitors / acute care / ICU Clinical Workstation Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc) BYPASSES ANTIVIRUS

35 Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

36

37 Phase-2 Access The terrorist group is focused on access
No actions are taken that would reveal the injected code Long term (weeks)

38 Four different rootkits
Hospital LAN Four different rootkits Medical Devices (Phillips, etc) Mobile Devices (COW’s, tablets, PDA’s, etc) LATERAL MOVEMENT Clinical Workstation Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc)

39 Steal Credentials Outlook Password Generic stored passwords

40 Mobile Devices (COW’s, tablets, PDA’s, etc)
Hospital LAN Database Passwords Medical Devices (Phillips, etc) Mobile Devices (COW’s, tablets, PDA’s, etc) Patient monitors / acute care / ICU Clinical Workstation Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc)

41 Day 1 Subtle modifications to the database

42 Firewalls are ineffective
Hospital LAN Firewalls are ineffective Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc) Webserver on the Internet

43 Custom remote-control application

44 Full SQL access EMR

45 Modify dosages for in-patient care
Hospital LAN Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc) Modify dosages for in-patient care

46 Some unsavory ideas… False doctor orders are inserted
Medications are changed outright Some medications are discontinued Dosages are altered Allergies deleted

47 Day 3

48 At first, they don’t realize this was an attack
Hospitals forced to restore database backups, losing three days or more of data At first, they don’t realize this was an attack The database is blamed

49 Day 4 After systems are restored from backup, terrorists stop using
Hospitals also start to realize this was a widespread event….

50

51 Day 5

52 Emergency Management Plan
Hospitals start restoring backups Incident Response Teams discover the command-and-control traffic & database backdoor Files are sent to AV vendor

53 Hospitals think they have stopped a major attack…
Hospital LAN X X X Hospitals think they have stopped a major attack… Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc) Webserver on the Internet

54 The ‘Hospital Worm’

55 Meanwhile… Terrorists switch to secondary
They only enable the secondary once the hospital has responded to the database corruption Even if the Internet is disabled entirely, the secondary has a hard coded activation time as backup trigger

56 Firewalls & IDS are ineffective
Hospital LAN Medical Devices (Phillips, etc) Firewalls & IDS are ineffective Mobile Devices (COW’s, tablets, PDA’s, etc) Chart Software on the COW is injected Patient monitors / acute care / ICU Electronic Health Record (EHR) + other clinical systems (radiology, pharmacy, lab, etc) Commands injected via MSN Messenger

57 In-process Injection No modifications to the Database
Nurse C.O.W. No modifications to the Database Data is modified in transit here User Interface Restored DB Libraries Database Access Layer

58 Day 7 Confidence in the medical computers erodes… Hospitals start to implement paper system… Electronic Charts are not to be trusted….

59 Days 8-15 = Not Enough Staff
Non essential procedures are cancelled Large Hospitals are completely understaffed, nurse to patient ratios are taxed when computers are shut down

60 Day 15 Implant triggers automatically
Monitors in both adult and neonatal ICU are injected to show false data – critical patients die because alarms are not working Several major vendors targeted, especially those systems based on Windows embedded

61 ICU Monitor Injection Windows CE™ Rootkit Driver USB Driver
Application Software

62 Day 16 = Chaos ER services are redirected to non-affected hospitals
The Internet is blocked causing disruption with external labs and partner services Family members of patients fill the hospitals, taxing the dwindling resources Patients are being transferred to non-affected hospitals (largely those that still use paper)

63 Day 20 Implant triggers automatically
Firmware in medical devices are altered to cause severe harm Flow rates, faulty timers, incorrect dosages Infusion pumps, in particular, are targeted

64

65 “No one knew when it would end
“No one knew when it would end. We couldn’t trust or operate the medical devices. The staff could only provide basic care. The affected hospitals were more or less shut down – they were shunned as if cursed.”

66 Will This Be You?

67 Notes on research The emergency scenario was partially modeled on Hurricane Katrina & Emergency Management Plans The network attacks are all modeled on real malware that can be found today The ICU monitor attack is based on real-world Windows CE rootkit capability The medical device attack is modeled on real-world JTAG hacking on ARM-processor based devices + firmware All newspaper clippings were fabricated for illustrative purposes, but drawn from actual historical news events regarding medical equipment failures causing deaths

68 About HBGary Sacramento based, founded in 2004
Works closely with DoD & intelligence community regarding cyber threats Two products, both focused on detecting & responding to advanced threats in the Enterprise

Download ppt "Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure."

Similar presentations

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.

Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.
FIT3105 Security and Identity Management Lecture 1.

FIT3105 Security and Identity Management Lecture 1.
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) =.00625 * 5,349.44 = $33.434 What happens to the.004?.004+.004+.004=.012.004.

Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) = * 5, = $ What happens to the.004? =
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.

CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
IT Security for Users By Matthew Moody.

IT Security for Users By Matthew Moody.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.

1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Emily Ansell 8K viruseshackingbackups next. Viruses A virus is harmful software that can be passed to different computers. A virus can delete and damage.

Emily Ansell 8K viruseshackingbackups next. Viruses A virus is harmful software that can be passed to different computers. A virus can delete and damage.
Viruses Hackers Backups Stuxnet Portfolio Computer viruses are small programs or scripts that can negatively affect the health of your computer. A.

Viruses Hackers Backups Stuxnet Portfolio Computer viruses are small programs or scripts that can negatively affect the health of your computer. A.
ORGANIZING IT SERVICES AND PERSONNEL (PART 1) Lecture 7.

ORGANIZING IT SERVICES AND PERSONNEL (PART 1) Lecture 7.
1 REMOTE CONTROL SYSTEM V7 www.hackingteam.it. 2 Introduction.

1 REMOTE CONTROL SYSTEM V7 2 Introduction.
Cyber Safety Mohammad Abbas Alamdar Teacher of ICT STS Ajman – Boys School.

Cyber Safety Mohammad Abbas Alamdar Teacher of ICT STS Ajman – Boys School.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Similar presentations

Ads by Google