Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure.

Published byCorey Price Modified over 6 years ago

Similar presentations

Presentation on theme: "Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure."— Presentation transcript:

1 Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure

2 The Target The terrorists intend to erode trust in technology used for managing patient care They intend to create a large scale event They intend to cause some deaths

3 Targets of Interest Hospital LAN Phillips Devices CAFM COW
ICU monitors Internet Workstation EMR, Document Management System

4 Phase-1 Recon Terrorists build a social map of all staff for all major hospitals Focus in on Hospitals that have more than 10,000 nodes in their networks These Hospitals are so reliant on technology that an attack will cause a major disruption to health care

5 Attack Vectors Spear-phishing
Booby-trapped documents Fake-Links to drive-by websites Trap postings on industry-focused social networks Forums, Groups SQL injections into web-based portals Employee benefit portals, external labs, etc.

6 Boobytrapped Documents
This is the current trend Single most effective focused attack today Human crafts text

7 Social Networking Space
Web-based attack Social Networking Space Injected Java-script Used heavily for large scale infections Social network targeting is possible

8 Scraping the ‘Net for emails
Attackers use search engines, industry databases, and intelligent guessing to map out the domains of all major hospitals.

9 DMOZ

10 Over 1,000 in California…

11 Sutter’s web-based portal is quite helpful

12 Using SEO tracker on Mercy

13 Google Maps on Sacramento

14 Google Search -

15 you know they will click it

16 ‘Reflected’ injection
Link contains a URL variable w/ embedded script or IFRAME * User clicks link, thus submitting the variable too Trusted site, like .com, .gov, .edu The site prints the contents of the variable back as regular HTML *For an archive of examples, see xssed.com

17 Google Web Portal Search

18 My First Hit on allinurl:”exchange/logon
My First Hit on allinurl:”exchange/logon.asp” – I haven’t even started yet…

19 Trap Postings I www.somesite.com/somepage.php <script>
Some text to be posted to… the site ….

20 Trap Postings II www.somesite.com/somepage.php
<IFRAME src= style=“display:none”></IFRAME> Some text to be posted to… the site ….

21 SQL attack, inserts IFRAME or script tags
SQL Injection SQL attack, inserts IFRAME or script tags

22 A three step infection Exploit Server Redirect Browser Exploit
Injected Java-script Exploit Server Redirect Browser Exploit Payload Server Dropper

23 Cyber Weapons Market Terrorist’s don’t need to have expert hackers, they can just buy exploits for money Fully weaponized and ready to use Mostly developed out of the Eastern Bloc

24 Eleonore (exploit pack)

25 Tornado (exploit pack)

26 Napoleon / Siberia (exploit pack)

27 Hospital LAN Phillips Devices COW ICU monitors Internet Workstation EMR, Document Management System BYPASSES ANTIVIRUS

28 Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

29

30 Phase-2 Access The terrorist group is focused on access
No actions are taken that would reveal the injected code Long term (weeks)

31 Four different rootkits
Hospital LAN Four different rootkits Phillips Devices COW LATERAL MOVEMENT Internet Workstation EMR, Document Management System

32 Steal Credentials Outlook Password Generic stored passwords

33 Hospital LAN Database Passwords Phillips Devices COW ICU monitors Internet Workstation EMR, Document Management System

34 Day 1 Subtle modifications to the database

35 Firewalls are ineffective
Hospital LAN Firewalls are ineffective EMR, Document Management System Webserver on the Internet

36 Custom remote-control application

37 Full SQL access EMR

38 Hospital LAN EMR, Document Management System Modify dosages for in-patient care

39 Some unsavory ideas… False doctor orders are inserted
Medications are changed outright Some medications are discontinued Dosages are altered Allergies deleted

40 Day 3

41 At first, they don’t realize this was an attack
Hospitals forced to restore database backups, losing three days or more of data At first, they don’t realize this was an attack The database is blamed

42 Day 4 After systems are restored from backup, terrorists stop using
Hospitals also start to realize this was a widespread event….

43

44 Day 5

45 Emergency Management Plan
Hospitals start restoring backups Incident Response Teams discover the command-and-control traffic & database backdoor Files are sent to AV vendor

46 Hospitals think they have stopped a major attack…
Hospital LAN X X X Hospitals think they have stopped a major attack… EMR, Document Management System Webserver on the Internet

47 The ‘Hospital Worm’

48 Meanwhile… Terrorists switch to secondary
They only enable the secondary once the hospital has responded to the database corruption Even if the Internet is disabled entirely, the secondary has a hard coded activation time as backup trigger

49 Firewalls & IDS are ineffective
Hospital LAN Phillips Devices Firewalls & IDS are ineffective COW Chart Software on the COW is injected EMR, Document Management System Commands injected via MSN Messenger

50 In-process Injection No modifications to the Database
Nurse C.O.W. No modifications to the Database Data is modified in transit here User Interface Restored DB Libraries Database Access Layer

51 Day 7 Confidence in the medical computers erodes… Hospitals start to implement paper system… Electronic Charts are not to be trusted….

52 Days 8-15 = Not Enough Staff
Non essential procedures are cancelled Large Hospitals are completely understaffed, nurse to patient ratios are taxed when computers are shut down

53 Day 15 Implant triggers automatically
Monitors in both adult and neonatal ICU are injected to show false data – critical patients die because alarms are not working Several major vendors targeted, especially those systems based on Windows embedded

54 ICU Monitor Injection Windows CE™ Rootkit Driver USB Driver
Application Software

55 Day 16 = Chaos ER services are redirected to non-affected hospitals
The Internet is blocked causing disruption with external labs and partner services Family members of patients fill the hospitals, taxing the dwindling resources Patients are being transferred to non-affected hospitals (largely those that still use paper)

56 Day 20 Implant triggers automatically
Firmware in medical devices are altered to cause severe harm Flow rates, faulty timers, incorrect dosages Infusion pumps, in particular, are targeted

57

58 “No one knew when it would end
“No one knew when it would end. We couldn’t trust or operate the medical devices. The staff could only provide basic care. The affected hospitals were more or less shut down – they were shunned as if cursed.”

59 Will This Be You?

60 Notes on research The emergency scenario was partially modeled on Hurricane Katrina & Emergency Management Plans The network attacks are all modeled on real malware that can be found today The ICU monitor attack is based on real-world Windows CE rootkit capability The medical device attack is modeled on real-world JTAG hacking on ARM-processor based devices + firmware All newspaper clippings were fabricated for illustrative purposes, but drawn from actual historical news events regarding medical equipment failures causing deaths

Download ppt "Cyber-Crash and Bleed Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure."

Similar presentations

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Information Technology Disaster Recovery Awareness Program.

Information Technology Disaster Recovery Awareness Program.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
Lunker: The Advanced Phishing Framework

Lunker: The Advanced Phishing Framework
Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.

Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
November 2009 Network Disaster Recovery October 2014.

November 2009 Network Disaster Recovery October 2014.
IMonitor Software About IMonitorSoft Since the year of 2002, coming with EAM Security Series born, IMonitor Security Company stepped into the field of.

IMonitor Software About IMonitorSoft Since the year of 2002, coming with EAM Security Series born, IMonitor Security Company stepped into the field of.
External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.

External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.

11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.
IT Security for Users By Matthew Moody.

IT Security for Users By Matthew Moody.
XP New Perspectives on Browser and E-mail Basics Tutorial 1 1 Browser and E-mail Basics Tutorial 1.

XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.
People use the internet more and more these days so it is very important that we make sure everyone is safe and knows what can happen and how to prevent.

People use the internet more and more these days so it is very important that we make sure everyone is safe and knows what can happen and how to prevent.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.

1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.

Similar presentations

Ads by Google