Malware spurs cyber attacks: Mirai disrupted Internet service in eastern U.S.
The FBI is warning companies to protect themselves from cyber attacks from a newly released malware that disrupted a large segment of the Internet in the United States last month.
The distributed denial of service attack on the internet company Dyn revealed new vulnerabilities to cyber attackers through inter-connected devices known as the Internet of Things, the FBI stated in a notice to industry on October 26. “The exploitation of the ‘Internet of Things’ (IOT) to conduct small-to-large scale attacks on the private industry will very likely continue due to the open availability of the malware source codes for targeting IoT devices and insufficient IOT device security,” the FBI’s Task Force stated in the notice.
The October 21 cyber attack targeted Dyn, a company that conducts domain name service hosting—the electronic translation of words into numerical addresses on the Internet. More than 80 websites crashed in at least two waves of attacks that used a variation of the Mirai malware, according to the FBI.
Two earlier major cyber attacks using the same malware and botnets knocked out a gaming server and a cyber security blog in September, the FBI said. The cyber security blog was Krebs on Security, run by investigative journalist Brian Krebs. The blog was hit by Mirai malware in one of the largest cyber attacks of its kind on record. According to security analysts, Mirai uses a list of 62 commonly used usernames and passwords to scan the Internet for vulnerable connected devices. The hacker who developed Mirai has boasted that the software has hijacked over 380,000 devices, which were used in the Krebs on Security attack. Mirai malware was also used to attack the French web hosting service OVH. The devices used in the September cyber attacks were mainly home routers, network-enabled cameras, and digital video recorders. A variation of Mirai known as Bashlite is said to be engaged in similar cyber attacks that exploit weak default usernames and passwords.
“Recent reporting demonstrates that botnets comprised of [Internet of Things] devices can be used to conduct unprecedented and powerful attacks that can take down websites,” the FBI notice said. The hackers behind the attack have not been identified, the FBI said. “Despite certain groups claiming responsibility in open source, the FBI does not have any confirmation of a group or individuals responsible for the DDoS,” the notice said.
Director of National Intelligence James Clapper stated last month that early indications are a “non-state actor” was behind the attack and that it did not appear to be carried out by a foreign nation’s hackers. A pro-Wikileaks group known as New World Hackers tweeted on October 22 that it was behind the Dyn attacks. The claim could not be verified. The cyber attack followed the release of the Mirai malware on the Internet. The publication of Mirai’s source code allowed other hackers to set up botnets—large networks of Internet-linked devices that are hijacked and used by hackers to make massive numbers of automated and electronic requests for domain name service. The millions of requests overloaded the servers at Dyn and disrupted service to major companies, including Twitter, Paypal, Spotify, Amazon AWS, Amazon Ads, and Reddit. A Dyn security official said the company detected “tens of millions” of Internet addresses linked to the Mirai botnet. The code took control of large numbers of electronic devices networked through the Internet, including webcams, security cameras, DVRs, smart TVs, routers, and similar devices.
A particular concern is increasing attacks against devices that use the Linux operating system, an open-source software. Dozens of new malware variations have been targeting Linux devices. “Most of the Linux malware variants scan the internet for IOT devices that accept Telnet, which is used to log into a device remotely, and try to connect to vulnerable devices by using brute force attacks with common default login credentials,” the notice states. To avoid large-scale cyber attacks like the Dyn incident, the FBI recommended taking steps to respond to attacks, including backing up data and keeping sensitive and proprietary data in separate locations. Firewalls can be used to prevent denial of service attacks and increase security for Internet of Things devices, many of which use easily guessed default log-in credentials.
The Department of Homeland Security’s U.S. Computer Emergency Readiness Team has issued a report for countering large-scale denial of service attacks. FBI spokesman Raushaunah Muhammad said the notice is part of the FBI’s public-private partnerships. “The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations,” Muhammad said. “This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”
Last week there was quite a bit of discussion in the news concerning the Hollywood hospital hack. So, this week we’re going to take a brief break from our NSA Watch Your Back series to discuss why this attack is more important than most people realize.
As a quick refresher, on February 5th, 2016 Hollywood Presbyterian Medical Center experienced a large breach in security when ransomware hit the medical center’s network. Note: Many news organizations were referring to Hollywood Presbyterian Medical Center as Hollywood Hospital and so we will do so as well for familiarity to the reader. NBC Los Angeles was one of the first news organizations to report the breach.
For those of you who haven’t heard of ransomware, it is one of the newer evolutions of viruses that is now seen regularly on the internet. Typically, the ransomware does one of two things: it locks the user out of their computer until they pay a ransom, or it encrypts all of the files on the computer (and any reachable network drives) and then requires the owner to pay a ransom in Bitcoin. In the end the Hollywood hospital hack cost the medical center $17,000 (40 Bitcoins).
Ransomware is a (dis)reputable business from the criminal hacking world. Disreputable in that what they’re doing is just plain wrong. But reputable in that if you pay the ransom, the attackers will release your computer from being held hostage. It’s just business to them. The attackers want everyone to know that if you pay the ransom, access to your data will be restored. The executives in charge were probably informed of this and so made the decision to simply pay the ransom in the Hollywood hospital hack.
Analysis of Situation
There are security professionals on both sides of the fence on whether the ransom should have been paid in the Hollywood hospital hack (or any other ransom attempt). From a business actuarial perspective I agree with their decision to pay the ransom. Here is why. This is conjecture, but I’m guessing their decision was guided by several basic assumptions:
As a medical center the first and foremost mission is to ensure the safety of the patients and those under their care.
It is both costly and dangerous to transport patients to other medical institutions (in spite of the fact that they had to do this).
If the computer systems are inoperable for more than one day patients in critical care must be transported to other medical institutions.
The medical center is a business, and must be operationally functional in order to be financially successful.
The operational costs of the medical center for one day exceed the ransom by some amount X.
The medical center’s security is inadequate to repel this attack.
Restoring the infrastructure will take longer than one day.
These assumptions enable the business to perform a basic cost/benefit analysis to determine whether they should pay the ransom or restore service via standard IT recovery procedures. To demonstrate why I say that what they did makes financial sense, we can do a quick calculation. According to item 17 on Becker’s Hospital Review, the cost of a for-profit bed is $1,629 per day. Let’s assume that 20% (I don’t know the actual number) of their 434 beds were being utilized, so 87 beds. That means their per-day cost is: $1,629 * 87 = $141,723. Now, if we add in the cost of an $800 ambulance ride for 10 patients (while it was reported that some patients were moved, the number wasn’t specified) that must be moved after one day: 10 * $800 + $141,723 = $149,723.
Note, this calculation doesn’t take into account the administrative fees to move the patients, or the negotiations involved in the cost for other medical institutions to accept the patients. Nor do we make any attempt to calculate the necessary network cleanup or brand reputation damage. Finally, it was claimed that care was not disrupted for patients (although I find this claim suspect due to the fact that they had to move patients to other medical institutions). So, we’ll be charitable and say that the Hollywood hospital hack resulted in a 20% reduction in their effectiveness to perform their mission, leaving us with the cost of one day at .2 * $149,723 = $29,944.60. By paying the ransom the medical center would save $29,944.60 – $17,000 = $12,944 for the first day alone ($29,944.60 would be added to the cost for each additional day of delay).
Please be aware that the above calculations are simply an exercise (albeit realistic) to determine why it made business sense for them to pay the ransom. All in all, this was a cheap lesson for them; well, it is if the Office of Civil Rights (OCR) doesn’t ask the Department of Justice to investigate their organization for HIPAA violations. And, due to the fact that their Electronic Health Records were at significant risk during the compromise I don’t think that an investigation is out of the question. According to the 2015 Cost of Data Breach Study: the United States by the Ponemon Institute the cost per capita for a healthcare record breach in 2015 was $398. Let’s say that we later discover that 10,000 patient records were breached. The Hollywood hospital hack could cost the organization up to 10,000 * $398 = $3,980,000. You read that right; it could cost them up to $3.9 million dollars. Let me be clear: no one has said that any records have been breached, but if a breach in records is discovered through forensic study then this situation could turn very nasty for the medical center.
But wait, I said that all in all paying the ransom was a cheap lesson. $3.9 million definitely doesn’t sound like a cheap lesson. Here’s why I said it’s cheap: so far, the only costs we know the medical center has suffered are the following (though not limited to these): the ransom, costs associated with transporting patients, forensic recovery experts from a security firm, the cost of lost effectiveness, the cost of having to turn patients away during the outage, the cost of remediating the infiltrated infrastructure, and brand reputation damage. Yes, that number is easily going to be north of $80,000 in total, but it’s a heck of a lot better than $3.9 million if the records weren’t breached.
The Important Lessons Learned
Okay, so we now understand why the lesson was cheap, but what was the lesson? What should they have learned during this experience? I would suggest that they and every other healthcare organization should begin by recognizing the fact that they must take security seriously and readily allocate more than an adequate budget to cover their needs. The hospital’s security must be prevalent in every aspect of the organization. The reason is simple: the electronic equipment in a hospital is responsible for keeping patients alive, and yet the standards to protect hospital networks are infantile in comparison to the standards protecting simple credit card data theft.
The security issue becomes terrifying once you realize that many life support systems are built on Microsoft Windows or Linux, and both operating systems are the largest malware targets. An attacker doesn’t have to be intentionally attempting to harm someone, as in the show Homeland where the attackers targeted the Vice President’s pacemaker. Instead, malware and viruses simply need to do what they do best: infect entire networks, move laterally, and render the user’s computer unusable.
Except, in this case, the user’s computer could be a blood transfusion device or an IV infusion pump. No one would be the wiser until a nurse or doctor visually inspected and confirmed that the equipment was or wasn’t working exactly as expected. Here’s another possibility: the malware infects the IV infusion pump and the monitoring station and simultaneously locks them. A patient could very possibly die during the time it takes to resolve the malware issue.
There are many more cases where viruses, malware, and ransomware could do catastrophic damage to patients and yet no one would be the wiser. According to the Online Trust Alliance (OTA) over 90% of data breaches could be easily prevented. So, how can you minimize the bull’s eye on your organization? Begin with a Security Assessment; not a HIPAA assessment. HIPAA assessments help you check boxes and pass muster with auditors; Security Assessments take a holistic view of your organization’s security posture. I recommend that a third party performs the Assessment simply because they look at your organization with fresh eyes, and they will definitely see things to which the internal staff is blind.
Next, realize that operationally the traditional IT security paradigm won’t protect you. I won’t go into depth on these, as each on its own could fill multiple multipage articles. Here are the highlights: Antivirus, perimeter firewalls, and sacrificing chickens DO NOT PROTECT YOUR INFRASTRUCTURE! You need to move to application white-listing, malware hunting, unified firewall orchestration, IDS/IPS, and SIEM to watch everything going on in your network. I would argue these newer approaches are fundamental to IT security, but they are not all-encompassing. There are many solutions that provide these types of functionality, and each solution has its pros and cons. It’s important to weigh those pros and cons carefully, and if your staff doesn’t have direct experience working with these types of technologies, find a solution provider who can help you.
The Hollywood hospital hack was just the tip of the iceberg. I hope it serves as a wakeup call to the medical industry that what happened was simply an inconvenience. Furthermore, losing patient medical records isn’t good either, but it’s nothing compared to the fact that at some point in the next year or two patient lives will be held for ransom. Sadly, the hacker on the other side of the world probably will not realize that they are potentially harming or killing innocent people by their actions. They’ll just know that they’ve had another successful day of collecting Bitcoins, and then will proceed to build even more dangerous malware variants. Remember, it’s nothing personal; it’s just business.
Protect your healthcare organization by contacting Cybriant, your competent security solution provider.