Security firm TrapX Labs has revealed that medical devices like CT scanners, MRI machines, and dialysis pumps are increasingly being targeted by cyber criminals. These devices have proven to be particularly vulnerable because many run on outdated operating systems with few security measures in place.
Compounding the problem is that antiquated devices running Windows 7 or Windows XP are particularly susceptible to malware from the past. The study specifically examined three instances of the Conficker worm being used to steal electronic medical records from connected medical devices.
In 2009, the Conficker worm infected between 9 and 15 million computers. For its time the worm was particularly sophisticated, using regularly updated code to evade security protections and expand its reach. The worm was particularly effective at cracking passwords and enlisting computers in botnet schemes.
The efficacy of the Conficker worm died out as patches, updates, and stronger machines became available. But computers still running on unprotected platforms remain vulnerable. That has enabled cyber criminals to reuse threats from the past rather than invent new ones for the present.
The contemporary version of the Conficker worm is based on the architecture of the original but with updates that allow it to move laterally inside a network and specifically target certain types of devices. The malware is usually delivered through phishing schemes directed at hospital staff, and exploits a vulnerability in Windows XP to gain access to the network.
The presence of the malware often goes unnoticed because medical devices are managed separately from the rest of the hospital's IT. As a result, they fall outside the hospital's cyber security protocols and largely go uninspected and unmonitored. Once cyber criminals gain access to a device, they can create a backdoor into all of the hospital's networks.
Opportunity is not the only thing motivating the perpetrators of these attacks. In recent years medical records have become a hot commodity on the black market because they facilitate both identity theft and prescription drug fraud. By one estimate, medical records sell illicitly for $10 to $20 each while financial records sell for just $5. Medical records are also frequently used in ransomware schemes.
The work done by TrapX reveals an unexpected friction between IoT and cyber security. When older devices become integrated into networks, they expose those networks to threats that have already been dismissed and forgotten. The cyber criminal's job is simply to recycle what has worked before.