Healthcare is a consistent target for cybercriminals, with IBM’s 2016 Cyber Security Intelligence Index claiming it had become the single most attacked industry. Today FortiGuard Labs has released details on the top 5 methods used to attack healthcare in Q4 2016.
The research draws on telemetry gathered from 454 healthcare companies in 50 different countries. It outlines the top five threats detected in malware, ransomware, mobile malware, IPS events, botnets, and exploit kits.
The top malware threat comes from VBS/Agent.LKY!tr with more than 85,000 detections. This is best known as the initial attack vector for a ransomware attack. The second most prevalent malware is Riskware/Asparnet, with close to 78,000 detections. This is usually installed unintentionally, and is designed to collect sensitive information.
Unsurprisingly, given the size of the ransomware threat to the healthcare industry, four of the top five malware threats have a ransomware connection. The other three in the top five are VBS/Agent.97E!tr (31,000 detections), JS/Nemucod.BQM!tr (30,000 detections), and JS/Nemucod.76CD!tr.dldr (28,000 detections).
By far the most prolific ransomware detected during this period was CryptoWall, accounting for 91% of all ransomware infections detected. Cerber accounted for 6% of detections, and TorrentLocker for 3%. TeslaCrypt and Locky were also detected, but each at less than 1% of infections.
Mobile malware is a particular concern for the healthcare industry given the mobility of much of the workforce — doctors and nurses spend much of their time moving between patients and visiting home patients. Android malware occupies all five top slots for mobile malware detected during Q4 2016. This is unsurprising given the prevalence of Android devices and the open nature of the operating system compared to that of iOS. “This could be due to the fact that Android devices allow users to easily install apps from 3rd party sources, which could sometimes be loaded with Android-based malware,” notes the report.
By far the most prevalent mobile malware is Android/Qysly.B!tr. With around 4700 detections during the period, it has twice as many detections as Android/Generic.Z.2E7279!tr (around 2300).
IPS event detections show that the internet of things is becoming a major attack vector, especially for healthcare. Top spot goes to VxWorks.WDB.Agent.Debug.Service.Code.Execution with nearly 1.9 million hits. “VxWorks is an operating system for embedded devices,” notes the report, “which includes medical devices such as CT/PET/X-ray instrumentation, infusion pumps, personal activity monitors, and many others.” The vulnerability was discovered in 2010, but criminals clearly believe that not all devices will have been patched.
The second most prevalent IPS event (Web.Server.etc.passwd.Access) has just over 500,000 detections, probing for misconfigured Unix-based web servers that may expose operating system usernames from /etc/passwd. Third are SQLi attempts on web servers; fourth are attempts to exploit Netcore/Netis routers; and fifth is ShellShock.
The top botnet detected is Andromeda, comprising a loader that has both anti-VM and anti-debug features and that downloads modules and updates from its C2 server. Andromeda has been around since 2011. Second is H-worm, a VBScript-based botnet that steals sensitive information. Third is Necurs, particularly associated with delivering the Locky ransomware.
Conficker, one of the largest botnets ever known and dating back to 2008, is still there at number four, demonstrating that there are still many unpatched Windows systems around. Pushdo, at five, has also been around for several years. It is mostly associated with large spam campaigns.
The most frequently detected exploit kit is RIG, at 46%. “Coming in 2nd place at 23% is CK, followed by Angler (16%), Neutrino (12%) and other less popular exploit kits at 3%. Most of these exploit kits are used for ransomware distribution.”
Most of the threats against the healthcare industry are associated in one way or another with ransomware — due, says FortiGuard, “to the higher probability of collecting ransom when sensitive healthcare data is encrypted.” But FortiGuard has also detected many old threats against targets that should have been patched long ago. Patching is a problem for all industries, but operational medical devices are like the OT in industrial operations: there is a reluctance to tinker with critical systems that are working and in constant use.