

The Modus Operandi of healthcare attackers



David Sygula, senior cybersecurity analyst at CybelAngel, assesses the risk of cyber attacks to healthcare operators and how they can safeguard against such security breaches


Healthcare providers have long been a favourite target for callous criminals seeking an easy payday. Medical records are a favourite commodity in the cyber criminal community where they are bought and sold in huge quantities in underground forums on the dark web. 

At the same time, attackers know that the critical nature of hospitals and other frontline caregivers means that disruptive attacks such as ransomware are more brutally effective than they are against fields like retail and manufacturing. Healthcare organisations involved in research for preventing and curing COVID-19 have also been in the crosshairs of adversaries seeking to steal their research data. 

As such, there has been a steady supply of healthcare security incidents around the world in recent years. In February 2021, two French hospitals were struck with a ransomware attack in the same week. 2020 also saw multiple healthcare breaches that involved the theft of more than one million patient records.

To gain a better understanding of how cyber criminals plan and execute attacks on healthcare providers, we delved into the dark web to analyse exchanges in hidden forums. We zeroed in on three threat actors who were specifically targeting hospitals in France, seeking unprotected databases, credentials and medical records. 

Hunting for employee credentials 

The cyber criminal community has evolved into a complex shadow economy over the years which increasingly mirrors the legitimate business world. Specialists visit dark web forums to offer their services and assets they have stolen, while many criminals prefer to focus on a particular area and profit from trading with their peers rather than executing a full attack by themselves. One of the most popular services is the sale of stolen user credentials, which other criminals will then use to facilitate their own attacks.


For example, one threat actor we tracked in February offered the sale of a database belonging to a third-party service provider working with “many (if not all) French hospitals”. The stolen database contained the names, email addresses, passwords and phone numbers of over 50,000 employees working at various hospitals. 

Such a cache of information does not necessarily mean an attacker will be able to go ahead and strike 50,000 targets – depending on the age of the database, some user profiles may be defunct, or passwords may have changed. Credentials alone will also not be enough if the victim has additional identity security protocols such as multifactor authentication or a zero-trust policy. Nevertheless, a threat actor can count on at least some of the ill-gotten details working and granting them access to the healthcare organisation’s network.

Such databases are often used in an attack technique known as credential stuffing, where automated bots are used to try logging in to multiple different networks and applications. People will often reuse the same email and password combination across multiple applications and services out of convenience, so credential stuffing can quickly gain the criminal access to multiple entry points. 
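The following is an added detection example, not code from the original article or from CybelAngel: it parses constructed login-audit lines in a hypothetical `src=… user=… result=…` format and flags source addresses that attempt many distinct usernames in a short window with a high failure rate, the pattern that distinguishes credential stuffing from one person mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical staff-portal login audit log (not real data).
SAMPLE_LOG = """\
2021-02-10T08:00:01Z src=203.0.113.7 user=a.martin result=FAIL
2021-02-10T08:00:02Z src=203.0.113.7 user=b.dupont result=FAIL
2021-02-10T08:00:03Z src=203.0.113.7 user=c.bernard result=FAIL
2021-02-10T08:00:04Z src=203.0.113.7 user=d.petit result=OK
2021-02-10T08:00:05Z src=203.0.113.7 user=e.robert result=FAIL
2021-02-10T08:00:06Z src=203.0.113.7 user=f.richard result=FAIL
2021-02-10T08:01:10Z src=198.51.100.20 user=g.durand result=FAIL
2021-02-10T08:01:25Z src=198.51.100.20 user=g.durand result=OK
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse audit lines into event dicts; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "src": m.group(2), "user": m.group(3), "res": m.group(4)})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag sources trying many distinct usernames in one window, mostly failing (unlike one user retrying one account)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window start forward
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["res"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = flagged.get(src)
                if prev is None or len(users) > prev["distinct_users"]:  # keep the widest window
                    # accounts that succeeded from a flagged source are the ones to reset first
                    flagged[src] = {"distinct_users": len(users), "attempts": len(win),
                                    "succeeded": sorted(e["user"] for e in win if e["res"] == "OK")}
    return flagged
```

The thresholds are assumptions to tune per environment; in the sample, the single attacker source is flagged and its one successful login is listed for priority password reset.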

From here, the criminal can begin exploring the network and executing their preferred method of attack. This could include the theft of medical records and other valuable data such as research IP, or the installation of any number of dangerous pieces of malware, including programmes to create system backdoors, serve as keyloggers, or launch devastating ransomware infections. Criminals have increasingly combined these techniques into devastating multi-pronged attacks, for example stealing medical databases before locking the system down and demanding a ransom. 

Exploiting unprotected medical records 

Medical records are traded as a commodity on the dark web, often in extremely high volumes. One of the criminals we analysed offered a database of “500,000 French hospital records”, which we later investigated and determined to be authentic. The database contained an extensive amount of personal information, including surname, first name, email address, telephone number and patient health data such as social security number, blood group and attending physician.

Criminals use these stolen records for a variety of malicious purposes and the personal details can hurt the reputation of the patients and the medical centre itself. Details can be used to execute more targeted, effective phishing attacks on individuals, even impersonating the hospital itself. Threat actors may also use details to commit fraud, for example filing false health insurance claims. In some cases, they may even seek to blackmail individuals using private data about medical conditions. While such databases are often one of the goals of threat actors who have infiltrated a healthcare provider’s network, attackers can often access them without even having to breach the environment.

The healthcare industry tends to suffer from a proliferation of low-end network-attached storage devices and other poorly secured connected devices, meaning that systems are often discoverable online by bad actors. In one of our previous investigations, we found major issues with Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the common standard used to send and receive medical data from devices such as X-rays and CT scanners. We found that more than 45 million medical imaging files were freely accessible on unprotected servers worldwide. While the images themselves are not an issue, the metadata they carry meant that most included personal information about the patient. The investigation then extended to web interfaces that may also hold medical imaging or other patient records, and we found that many of them could be accessed without a username and a password – it was not even necessary to try default accounts.

Similarly, remote tools such as VPN and remote desktop protocols (RDPs) have become increasingly essential to healthcare operations, particularly over the last year, but these too are often poorly secured and open to abuse by attackers using stolen credentials.

How healthcare providers can strengthen their defences 

The healthcare sector will continue to be a favourite target for ruthless criminals seeking to steal personal data or inflict the misery of a ransomware outbreak, so it is imperative for organisations to improve their security capabilities. The good news is that several actions can be taken that immediately reduce the chance of a breach and mitigate the impact when one occurs.

First, employee training makes a big difference. Attackers count on the human element being the weak link in the security chain. Increasing awareness about the common techniques and instilling policies around sharing sensitive data or authorising payments can help reduce the success of these attacks. In the fast-paced healthcare environment it can be tempting to cut corners to complete tasks more quickly, so staff should also be made aware of the importance of following proper security controls and compliance policies.

Alongside targeting personnel, the majority of cyber attacks rely on common software vulnerabilities. Unpatched software remains a huge problem in the medical sector, with applications often remaining vulnerable to exploits that have had patches available for years. Organisations must ensure they have a regular cadence for patching applications, prioritising higher risk systems as needed. Taking care to correctly configure cloud databases and systems like DICOM to include data encryption and strong password requirements will also make it much harder for attackers to abuse these assets.

In the event of your data escaping the existing security perimeter and ending up outside of your control, deploying asset discovery and monitoring solutions can be beneficial, if not paramount. Such solutions give your business greater visibility into the growing threat landscape and better supervision over third-party cloud applications: connected storage devices, open databases, OT/IoT devices and, perhaps worst of all, shadow assets. Once these vulnerable assets are visible, their associated vulnerabilities can be continuously monitored, safeguarding you from malicious threats that pose risks to your network and sensitive data.

Finally, remote connection tools such as VPN and RDP should have enhanced security settings enabled to prevent them being abused by attackers with stolen credentials. Implementing traffic monitoring will also help to spot signs of malicious activity such as large-scale data exfiltration.
