Hospitals Falling Victim to Old Malware

Pierluigi Paganini June 29, 2016

Security experts confirm that a growing number of cyber-attacks continue to hit hospitals, targeting unpatched medical devices.

In late 2015, MaineGeneral Health, a new state-of-the-art hospital located in Augusta, Maine, reported that it had fallen victim to a cyberattack that leaked the names, addresses, and phone numbers of patients of its radiology services going back to June 2009. The attack is one of many in the past year in which the medical industry, particularly hospitals, has been increasingly targeted. According to MaineGeneral Health, the hospital had a robust security plan in place and was continuously patching network vulnerabilities.

Though few details about the specifics of the breach are available, the fact that the radiology department was the epicenter of the breach may offer clues as to how the attackers were able to break through the hospital's defenses.

In February 2015, a dire warning was published in the American Journal of Roentgenology stating that radiologists and the medical industry "need to urgently review and rectify security issues in existing networked medical equipment." The team behind the warning found that forty-four percent of the 144 devices it tested had at least one critical vulnerability and eighty-three percent had at least one high-risk vulnerability. The team noted other significant findings such as unsecured USB ports and insecure implementations of VPN access. Later, in September, security researchers Scott Erven and Mark Collao demonstrated at DerbyCon how easy it was to find misconfigured medical devices using the Shodan search engine. Searches on terms such as "radiology" yielded a hacker's treasure trove of Internet-connected and misconfigured medical devices still using the default usernames and passwords set by the manufacturer.

Just this week, TrapX Labs, a San Mateo-based security research group, released a follow-up to its May 2015 report on cyber-attacks against hospitals through unpatched medical devices, drawing attention across the medical industry. MEDJACK, TrapX's code name for medical device hijacking, is the art of hiding sophisticated cyberattack tools inside legacy malware. In its research, TrapX discovered hackers hiding their tools in an old variant of the Conficker worm. Because of its age, the worm largely goes unnoticed by network defenses, yet it easily infects the legacy software often found on medical devices.

These devices are difficult to patch, or are sometimes ignored by security teams that delegate patching to vendors under contractual agreements. Once infected, a radiation oncology system becomes the gateway for hackers and a pivot point from which to launch more sophisticated attacks against the rest of your network.

TrapX's report comes at a time when the healthcare industry is reeling from a series of high-profile attacks. Hollywood Presbyterian Hospital, Methodist Hospital in Henderson, Kentucky, Chino Valley Medical Center, and Desert Valley Hospital are just a few of the medical facilities hit by a wave of Cryptolocker attacks, costing an untold amount in ransom and cleanup.

Then there's MedStar, the Washington, D.C.-based hospital chain whose infrastructure was crippled by a virus in late March. According to one report, some 35,000 employees could not access email or patient records. The cybercriminals behind the attack demanded 45 Bitcoins, at the time worth US$45,000, to unlock its systems and threatened to destroy the private key used to encrypt MedStar's data if payment wasn't made within ten days. Interestingly, the hackers also gave MedStar the option of releasing one computer at a time for 3 Bitcoins – how nice of them. It's unknown whether MedStar paid the ransom, but it reported four days later that it had recovered "90 percent of its functionality."

The medical industry has become fertile ground for cybercriminals, and it appears to be lagging behind other critical infrastructure sectors that have focused on hardening their networks for years, such as the financial services industry. Hospitals are a smorgasbord of personally identifiable information and payment systems, which makes them attractive to snoops, thieves, and extortionists alike.


Security initiatives in hospitals are driven mainly by privacy and compliance requirements, which may explain why the industry lags behind others in building robust defense mechanisms. With 5,627 registered hospitals in the US alone, more than half of them not-for-profit community hospitals operating on tight budgets, it is no wonder that security measures are falling behind, but relief may be on its way.

In December of last year, the US Congress passed a US$1.1 trillion spending bill that funds the establishment of a healthcare industry cybersecurity task force. In April, NIST fellow Ronald Ross promised that new best practices for the medical industry are forthcoming, putting into motion new privacy and security controls that may help hospitals protect their networks.

TrapX concludes its report with a series of best practices that the medical industry can adopt today. Network segmentation and device isolation, good patching plans, and choosing vendors that focus on securing their devices are a good place to start. However, until new industry-wide programs and funding are in place, it is likely that attacks against the medical sector will continue to increase.
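The "device isolation" practice above, and the "pivot point" risk described earlier, can be made concrete with a small allow-list check over flow logs. The following is an added example, not code from the article or from TrapX's report: it assumes a hypothetical medical-device segment (10.20.0.0/24) whose devices are permitted to reach only a hypothetical PACS server and a vendor update proxy, and flags any other flow leaving a device, including device-to-device traffic inside the segment, which is how a hijacked device would spread to its neighbours. All addresses, ports and flow records are constructed.

```python
"""Added example (not from the Security Affairs article or TrapX's report):
an allow-list checker for an isolated medical-device segment. Any flow from a
device that is not on the allow-list is reported as a possible pivot.
All device addresses, server addresses and flow records are constructed."""

import ipaddress
from dataclasses import dataclass

# Assumption: medical devices live on an isolated segment, 10.20.0.0/24 (constructed).
MEDICAL_DEVICE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed allow-list of (destination network, destination port) a device may reach.
ALLOWED_DESTINATIONS = [
    (ipaddress.ip_network("10.30.0.10/32"), 104),   # hypothetical PACS server (DICOM)
    (ipaddress.ip_network("10.30.0.20/32"), 8080),  # hypothetical vendor update proxy
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def is_allowed(flow: Flow) -> bool:
    """True if the destination and port are on the segment's allow-list."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.dport == port for net, port in ALLOWED_DESTINATIONS)


def find_violations(lines):
    """Return flows that originate inside the medical segment and are not allowed.

    Device-to-device flows inside the segment are flagged too: a worm such as
    Conficker spreads over SMB (TCP 445) to neighbouring hosts, and isolation
    is meant to stop exactly that. Flows *into* the segment from elsewhere are
    a separate firewall concern and are not covered by this check."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if ipaddress.ip_address(flow.src) in MEDICAL_DEVICE_SEGMENT and not is_allowed(flow):
            violations.append(flow)
    return violations


# Constructed sample flow log: two legitimate flows, two pivots, one inbound flow.
SAMPLE_FLOWS = """
# src dst dport proto
10.20.0.15 10.30.0.10 104 tcp
10.20.0.15 10.30.0.20 8080 tcp
10.20.0.15 10.20.0.16 445 tcp
10.20.0.15 10.40.0.5 445 tcp
10.50.0.7 10.20.0.15 443 tcp
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS.splitlines()):
        print(f"VIOLATION: {v.src} -> {v.dst}:{v.dport}/{v.proto}")
```

Run against the constructed log, the checker reports the two SMB flows from 10.20.0.15 (one to a neighbouring device, one to an unrelated server) and nothing else. In practice the allow-list would be generated from the segment's firewall policy, so the same data that enforces isolation also drives the detection.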

Written by: Rick Gamache

Rick Gamache is a freelance writer with 25 years' experience in the cyber security field. His past work includes Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy's destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine, and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.

LinkedIn – https://www.linkedin.com/in/rick-gamache-cissp-021ab43

Twitter – https://twitter.com/thecissp


Pierluigi Paganini

(Security Affairs – Hospitals, malware)


Conficker hospitals malware medical device MEDJACK worm
