Detecting an Embedded OS Infected with Conficker On Patient Medical Monitoring Device

Posted by lantelligence on May 22, 2018

Healthcare Struggles To Protect Health Data 

5,579,438 patient records were breached in 2017, according to data released on 23 January 2018 in the Protenus Breach Barometer Report. Insider threats can remain undiscovered for long periods of time. The report states that "on average, it took 308 days for an organization to discover it had suffered a breach in 2017."


The Case

Vigilant Technology Solutions was engaged by a Healthcare Provider who was experiencing an extreme drop in bandwidth availability within their infrastructure. Their IT staff had been working the problem for two weeks without any detection or artifacts of the problem visible in their existing IDS/IPS or logs. 

Upon starting the engagement, we placed CyberDNA sensors at the locations that gave us the best view of all traffic traversing their network. We place our collection devices very carefully: an attacker working remotely has to travel across the network at some point on the way out to the Internet. That is an interesting vantage point, because no matter how the attacker tries to change how they look, they still have to travel the network and are detectable if you look at the data the right way. Vigilant's approach gives immediate visibility and can inform a customer in near real-time of what is happening in the deepest parts of their network. It's like turning the lights on late at night to see if there is a monster in the room; you hope there isn't one, but either way you know and can take the appropriate action. Within minutes of turning on Vigilant's CyberDNA service, our analyst team was able to detect, in an agentless way, that multiple heart monitor devices at a remote hospital location were running an embedded operating system infected with a botnet known as Conficker. The hospital might never have known what was going on, or that the infection was on heart monitors hooked up to patients; meanwhile the attackers were using these devices to attack other locations on the Internet and brought down the hospital's network in the crossfire.
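The vantage point described above, a sensor on the path traffic takes out to the Internet, lends itself to a simple agentless triage: aggregate the flows each internal host sends outward and look for the two signatures the case describes, a host pushing a disproportionate share of the outbound bytes (the bandwidth draw) and a host fanning out to many distinct external peers (the worm behaviour that leads to attacks on other locations). The script below is an added example, not Vigilant's CyberDNA code; the 10.20.0.0/16 hospital range, the flow records and the thresholds are constructed for illustration.

```python
"""Agentless, traffic-based triage of an unexplained bandwidth drop.

Given flow records (NetFlow/IPFIX-style: source, destination, port, bytes)
collected by a sensor that sees traffic leaving the network, rank internal
hosts by outbound volume and destination fan-out and flag the ones that look
like a worm or bot. Added example; addresses and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed hospital address space; anything outside it counts as "external".
INTERNAL = ipaddress.ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass
class HostStats:
    bytes_out: int = 0
    dsts: set = field(default_factory=set)
    dports: set = field(default_factory=set)


def build_sample_flows():
    """Constructed telemetry: three quiet clinical workstations, one monitor
    probing many external hosts, one monitor saturating the uplink to a single
    peer, plus an internal-only flow the egress view should ignore."""
    flows = []
    for host in ("10.20.1.10", "10.20.1.11", "10.20.1.12"):
        for i in range(3):
            flows.append(Flow(host, f"203.0.113.{i + 1}", 443, 50_000))
    # Monitor A: many small probes to distinct external hosts, one port.
    for i in range(40):
        flows.append(Flow("10.20.5.21", f"198.51.100.{i + 1}", 445, 1_200))
    # Monitor B: one peer, 5 MB of outbound data.
    flows.append(Flow("10.20.5.22", "192.0.2.77", 8080, 5_000_000))
    # Internal-to-internal traffic never crosses the egress sensor's view.
    flows.append(Flow("10.20.1.10", "10.20.9.5", 445, 20_000))
    return flows


def egress_stats(flows):
    """Aggregate only flows that leave INTERNAL for an external destination."""
    stats = defaultdict(HostStats)
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in INTERNAL and dst not in INTERNAL:
            s = stats[f.src]
            s.bytes_out += f.bytes_out
            s.dsts.add(f.dst)
            s.dports.add(f.dport)
    return stats


def flag_suspects(flows, fanout_threshold=20, share_threshold=0.5):
    """Return {host: [reasons]} for hosts whose egress looks like a bot:
    either a wide fan-out to external peers or a dominant share of all
    outbound bytes. Thresholds are constructed starting points, not tuned."""
    stats = egress_stats(flows)
    total = sum(s.bytes_out for s in stats.values()) or 1
    suspects = {}
    for host, s in stats.items():
        reasons = []
        if len(s.dsts) >= fanout_threshold:
            reasons.append(f"fan-out to {len(s.dsts)} external hosts "
                           f"on ports {sorted(s.dports)}")
        share = s.bytes_out / total
        if share >= share_threshold:
            reasons.append(f"{share:.0%} of all outbound bytes")
        if reasons:
            suspects[host] = reasons
    return suspects


if __name__ == "__main__":
    for host, reasons in sorted(flag_suspects(build_sample_flows()).items()):
        print(host, "->", "; ".join(reasons))
```

On the constructed data the two monitors are the only hosts flagged: 10.20.5.21 for touching 40 distinct external hosts and 10.20.5.22 for carrying roughly 91% of outbound bytes, while the workstations stay below both thresholds. In practice the same aggregation is run per time window so a new talker stands out against the host's own baseline rather than a fixed cut-off.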

There were two problems here:

  • Conficker was bringing their network down and
  • The devices were running out-of-compliance operating systems and were connected to

The hospital had the devices removed and cleaned up the network; they also contacted their vendor, as the embedded OS running on the heart monitors was not compliant. When you use third-party software or devices such as POS systems, medical devices, etc., you are at the mercy of the level of security the vendors have built into them. This botnet attack was carried out using tactics that Vigilant detects every day. Without the visibility that Vigilant brings, it would likely have gone undetected in this organization, because their detection tools simply didn't see it.

How It Was Resolved

  • The patient medical devices running embedded Windows 98 were first infected with
    Conficker behind the hospital firewall and were brought active as part of a botnet.
  • The infected devices caused a large bandwidth draw on the hospital network,
    rendering applications unusable.
  • None of the IDS/IPS and detection methods available within the hospital network
    detected the Windows 98 OS or the Conficker infection.
  • CyberDNA was placed within the environment and immediately, in an agentless way,
    detected both the non-compliant OS running on the devices and that Conficker was the
    source of the bandwidth draw.
  • Vigilant's analyst team notified the customer of the infected systems. The customer
    removed the systems from the patients, cleaned them and notified the manufacturer of
    the vulnerability.

Download Full Case Study: Cyber Security For Healthcare Industry (PDF)
