Detective work traces fictional mega-breach through multiple critical systems
Insecure technologies are making healthcare organizations easy prey for cybercriminals, as well as lucrative and egregious targets, attendees at Black Hat USA 2020 heard last week.
In a virtual briefing last week, Seth Fogie, information security director at Pennsylvania hospital operator Penn Medicine, simulated a multi-stage, fictional data breach that compromised about 225,000 records in total.
He traced the attacker’s movements across multiple integrated systems involved in radiology, EMR downtime, drugs distribution, nurse calls, and temperature monitoring.
Fogie, who has led Penn Medicine’s security program for more than a decade, also offered advice on bolstering the security of healthcare applications, and exposed vendors’ endemic failure to design critical systems securely or patch vulnerabilities promptly or properly.
The financial incentives in the healthcare sector are enormous for both attackers and defenders, he noted, with the latter also burdened with protecting patients’ data and even lives in the worst-case scenarios.
“Depending on who you talk to”, Fogie said, this fictional breach could have earned cybercriminals as little as $2.25 million up to a massive $225 million, for compromising just a single ecosystem.
As Fogie outlined in his Black Hat presentation, Penn Medicine’s security team contrived a scenario in which ‘Alice’ alerted a clinic’s security department to a malicious message – “I’ll be watching you” – that has appeared on a TV in the hospital room of her husband, ‘Bob’.
Forensics revealed that the attacker, ‘Mallory’, breached the screencast feature of a patient education system that served as a bridgehead to compromising more critical systems.
Logging into Bob’s account on the application, Fogie expected, but failed to see, an authentication prompt.
But using Burp Suite, he spots a “web request that returns XML that contains the date of birth, patient name, patient number, and room number” of more than 500 patient records.
He then notices a web socket upgrade request that yields a reference to Bob’s four-digit login PIN – proving that unauthenticated API requests had retrieved patient data with “no validation other than on the client”.
Fogie’s ‘red flag indicators’ for probing healthcare systems
- Default or plaintext credentials
- A lack of hashed credentials in the database
- Exposed ‘secrets’ via client-side file review
- Client/server protocol design errors
- OWASP 101 including APIs
- Client-side binary review or authentication issues
- Gut feeling that something is awry
He then surmised that Mallory could potentially have breached a system that captures procedural and diagnostic information logged by the physician.
If this were the case, the attacker could modify information in a way that results in misdiagnosis or, “because there’s coding tied to insurance”, higher care costs.
Using dnSpy, the debugger and .NET assembly editor, he probed the client software code for keywords like ‘encryption’, ‘backdoor’, and ‘secret username’, and finds “a snippet of code with two particularly disturbing issues: a backdoor reference and dailypassword function”.
Fogie then uses the .NET Fiddle sandbox to analyze a snippet of dailypassword code and finds a character value that resembles a password.
Plugging the username backdoor and password into the client interface then gives full backdoor access to more than 100,000 patient records.
An integration with a drug dispensary system also raised the specter of Mallory modifying drug prescriptions with potentially fatal consequences.
Fogie discovered that any authenticated user could access an open share file used as part of the application installation process.
Exposed in the share file was a configuration file, which Fogie decrypted using the decrypt SQL credentials function. This unearthed what appeared to be a default vendor password.
From here, Fogie navigated several further steps to compromise a local administrator account and several vendor accounts sharing the same default password.
As a defensive measure, Fogie urged his counterparts at other healthcare organizations to emulate the security measures undertaken by Penn Medicine.
For instance, application vulnerabilities are shared via the Health Information Sharing and Analysis Center (H-ISAC).
Penn Medicine also conducts ‘Lite’ penetration tests on all new products. This is coupled with team-based ‘penn’ tests, along with the establishment of strategic security application testing goals, and ongoing security training.
Finally, Fogie suggested that security audits, assessments, and pen tests should have a broad scope.
“Look at the applications – don’t just look at how active directory works or the normal stuff that you look for in a pen test,” he explained. “You might find something interesting and different than just playing domain admin.”