InfoArmor, providers of identity protection solutions and elite cyber intelligence services, investigated several targeted cyber-attacks against select US-based healthcare institutions. It examined claims of known bad actors who boasted of exfiltrating more than 3TB of data containing sensitive personally identifiable information (PII) that identified patients and exposed other confidential medical data.
The findings were recently published in the July 2016 InfoArmor report, Healthcare Under Attack: Cybercriminals Target Medical Institutions.
At the end of June 2016, bad actors put 10,000,000 stolen records up for sale. According to InfoArmor’s Chief Intelligence Officer, Andrew Komarov, all of the identified attacks reflect similar attack vectors: intrusion into the network through weak remote administration channels, followed by privilege escalation, which ultimately enabled the exfiltration of additional data from network segments that shared converged connections with other medical devices.
“These communication channels allow complete access to these systems, as if users were sitting in front of them,” says Scheidler. “But they can be accessed at any time and from anywhere, and visibility into what exactly happens there is often lacking. Certainly application logs can reveal some insight, but more often than not they do not contain enough detail or their use is very inefficient,” he added.
This remote access ability is especially problematic when it involves privileged accounts. The ‘root’ and ‘Administrator’ accounts of server systems give their users unconstrained access to any data or application running on the servers in question. This includes the ability to terminate logging functionality, leaving IT and security completely blind in the case of a security breach.
Scheidler further asserts that real-time behavior analytics and contextual security technologies can help prevent and alert to such data breaches, removing IT security blind spots without constraining business.
“In the case of the healthcare firms in question, attackers initially used a normal user account and then acquired super user privileges using Local Privilege Escalation,” adds Scheidler. “This means that even though the initial access was for a normal user account, they gained privileged access after logging in.”
The approach is virtually identical to the attack vector used in the Target breach, where bad actors initially gained entry through compromised third-party credentials used for access to and management of HVAC systems.
“Current best-of-breed session monitoring solutions offer CCTV-like recording of user sessions, complete with screen contents, mouse movements, clicks and keystrokes, without using agents deployed on the server or the client,” says Scheidler. “With intimate knowledge of a user's daily activities, behavior analytics can be applied to find the interesting data: just as with actual CCTV footage, IT and security want to focus investigations on sections where something noteworthy actually occurred, and User Behavior Analytics enables that. It returns a list of ranked sessions that list the most suspicious ones on the top and identifies potential misuse,” he adds.
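As an added illustration (not BalaBit's, InfoArmor's or any product's code), the following Python scores constructed session-audit lines for the behaviours this article names, escalation from a normal login to root, termination of logging, and a bulk transfer, and returns the ranked list of sessions, most suspicious first, that the session-monitoring passage describes. The log format, the 10.0.0.0/8 internal range and the weights are assumptions made for this example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample audit lines (not from the report): time, session id, user, event.
SAMPLE_LOG = """\
2016-06-20T08:01:10 sess=101 user=jdoe event=login src=10.0.0.5
2016-06-20T08:02:30 sess=101 user=jdoe event=read path=/srv/ehr/report.csv
2016-06-20T23:14:02 sess=202 user=tsmith event=login src=203.0.113.9
2016-06-20T23:15:40 sess=202 user=tsmith event=sudo cmd=/bin/su
2016-06-20T23:16:05 sess=202 user=root event=service cmd=stop-auditd
2016-06-20T23:20:11 sess=202 user=root event=transfer bytes=3200000000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sess=(?P<sess>\d+) user=(?P<user>\S+) "
                     r"event=(?P<event>\S+)(?P<rest>.*)$")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed in-house address range
WEIGHTS = {"escalation": 3, "log_tamper": 5, "bulk_transfer": 4, "external_src": 2}  # hypothetical

def parse(log_text):
    """Group parsed audit events by session id."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m["sess"]].append(m.groupdict())
    return dict(sessions)

def score_session(events):
    """Return (score, reasons) for one session; higher means more suspicious."""
    reasons = []
    login = next((e for e in events if e["event"] == "login"), None)
    if login:
        src = re.search(r"src=(\S+)", login["rest"]).group(1)
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            reasons.append("external_src")
        # Session began as an ordinary user but later ran as root: escalation after login.
        if login["user"] != "root" and any(e["user"] == "root" for e in events):
            reasons.append("escalation")
    if any(e["event"] == "service" and "stop-auditd" in e["rest"] for e in events):
        reasons.append("log_tamper")  # logging terminated: the blind spot described above
    if any(e["event"] == "transfer" and int(re.search(r"bytes=(\d+)", e["rest"]).group(1)) > 10**9
           for e in events):
        reasons.append("bulk_transfer")
    return sum(WEIGHTS[r] for r in reasons), reasons

def rank_sessions(log_text):
    """Ranked list of (session id, score, reasons), most suspicious first."""
    scored = [(sid, *score_session(ev)) for sid, ev in parse(log_text).items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)
```

Session 202 in the constructed log lands on top with every reason set, while the benign daytime session 101 scores zero; in practice the weights would be tuned against the organisation's own baseline of normal activity.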
“This is another perfect example of the fact that attackers are after two things, and in this order: credentials and data,” says Laub. “If an attacker was trying to rob your home without being detected, the best thing they could do would be to obtain the keys to your doors. In the absence of an alarm system with streaming video cameras, they could run rampant around your house, taking whatever they please without detection or record of what was stolen. In the case of this breach, if the keys (user credentials) weren’t so easy to compromise and the stolen assets (data) were being monitored and recorded, it could not have been so easy to exfiltrate 600,000 records and over 3 terabytes of data without sounding an alarm.”
He concedes that perimeter and endpoint defenses have their place and are part of the ‘healthy breakfast’ that is information security. Laub points out that all organizations – and particularly those handling sensitive data such as PII – need to spend a lot more time and focus on the underlying cause of their data breach dilemma: “Poorly-secured credentials and data that are largely unchecked, under-governed, under-monitored, and now more than ever, under attack.”
Adam Laub is the Senior Vice President of Product Marketing at STEALTHbits Technologies. He is responsible for setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization and all aspects of product evangelism.
Prior to becoming Chief Intelligence Officer at InfoArmor ATI, Andrew Komarov worked in both the private and public sectors to investigate major financial crimes and human and drug trafficking cases, and collaborated on anti-terrorism operations with international law enforcement agencies.
Balázs Scheidler is a co-founder and CTO of BalaBit. Balázs has been engaged with IT security and software engineering for almost two decades; during this time he helped create a series of security-related products such as syslog-ng, Shell Control Box, Blindspotter and Zorp.