Segura, Jerome – Canadian hospital serves ransomware via hacked website – 20160321

Ransomware attacks have made a lot of headlines in the past year with several high-profile cases, including that of the Hospital in Los Angeles which had its data encrypted and ended up paying the ransom to get it back. Recently, the Ottawa hospital in Canada was also hit but able to contain a ransomware attack.

We discovered the website of another Canadian hospital had been compromised to actually spread ransomware to its visitors: staff, patients and families being the most likely to have visited the site. Norfolk General Hospital, based in Ontario, became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009.

The web portal is powered by the Joomla CMS, running version 2.5.6 (latest version is 3.4.8) according to a manifest file present on their server. Several vulnerabilities exist for this outdated installation, which could explain why the site has been hacked.

Our honeypots visited the hospital page and got infected with ransomware via the Angler exploit kit. A closer look at the packet capture revealed that malicious code leading to the exploit kit was injected directly into the site’s source code itself.

Like many site hacks, this injection is conditional and will appear only once for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware.
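The one-visit-per-IP behaviour described above is exactly why a site owner who checks their own page rarely sees the injection. An added example (not Malwarebytes' code and not from the hospital's site): compare a capture of the page taken from a fresh vantage point against the copy the administrator sees, and report script and iframe elements present in one but not the other. The HTML samples are constructed and the hostnames are placeholders, not indicators from the original post.

```python
"""Added example: diff the active content (external scripts, inline scripts,
iframes) of two captures of the same page. A conditional injection that only
appears for first-time visitors shows up as elements the baseline lacks.
All HTML below is constructed; hostnames are placeholders."""
import re
from html.parser import HTMLParser


class _ActiveContent(HTMLParser):
    """Collect (kind, value) pairs for script src, inline script bodies and iframe src."""

    def __init__(self):
        super().__init__()
        self.items = set()
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.items.add(("script-src", a["src"]))
            else:
                self._in_script = True
                self._inline = []
        elif tag == "iframe" and a.get("src"):
            self.items.add(("iframe-src", a["src"]))

    def handle_data(self, data):
        # HTMLParser treats <script> bodies as CDATA, so tags written inside
        # a script string are delivered here as text, not parsed as elements.
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = re.sub(r"\s+", " ", "".join(self._inline)).strip()
            if body:
                self.items.add(("inline-script", body[:80]))
            self._in_script = False


def active_content(html):
    parser = _ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items


def injected_elements(baseline_html, observed_html):
    """Return active-content elements in the observed capture that the baseline lacks."""
    return sorted(active_content(observed_html) - active_content(baseline_html))


# Constructed samples: the page as the administrator sees it, and the page as
# served to a first-time visitor. The injected elements are placeholders.
BASELINE = """<html><head>
<script src="/media/system/js/core.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

OBSERVED = """<html><head>
<script src="/media/system/js/core.js"></script>
<script src="http://cdn.example.invalid/stat.js"></script>
<script>setTimeout(function(){location.href="http://redirect.example.invalid/go";},100);</script>
</head><body><h1>Welcome</h1>
<iframe src="http://redirect.example.invalid/landing" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, value in injected_elements(BASELINE, OBSERVED):
        print(f"{kind}: {value}")
```

Because the check is a set difference, it also reports elements the administrator's copy has but the fresh capture lacks only if you swap the arguments; run it both ways to catch content that is removed as well as added. Capturing from a vantage point the site has never seen (a fresh IP and a clean browser profile) is what makes the comparison meaningful.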

Flow

The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.

Insecure web platforms still prevalent

We still see a large number of websites that are running outdated server-side software, namely WordPress and Joomla websites. Along with malvertising, hacked websites are the largest vehicle for new malware infections.

Common reasons for not updating a website include lack of resources, fear of breaking existing applications or simply forgetting to keep up with security patches. The truth of the matter is that any outdated or poorly secured website is simply a sitting duck waiting to be taken over via automated scanners before getting leveraged for spam, phishing or malicious redirections, just to name a few.

We contacted the Norfolk hospital and eventually were able to speak with their IT staff. We shared the information we had (screenshots, network packet capture) and told them about the ransomware payload we collected when we reproduced the attack in our lab. We were told that they were working on upgrading their version of Joomla with their hosting provider.

Ransomware in Canada

This particular attack prompted us to look at the state of ransomware in Canada. Since January of this year, Malwarebytes Anti-Malware has detected over ten thousand instances of ransomware affecting Canadians, while many more were already proactively blocked by our Anti-Exploit or Anti-Ransomware Beta products.

Here’s a breakdown of the top 10 Canadian cities most affected by ransomware according to our telemetry:

1. Toronto
2. Ottawa
3. Montreal
4. Markham
5. Calgary
6. Vancouver
7. London
8. Edmonton
9. Winnipeg
10. Saint Catharines

It is better to be safe than sorry when it comes to ransomware. Back up your files at least once a week and if possible keep those backups on an external media. Prevent infections by using proper security hygiene and multiple layers of defense.

Unfortunately, just as there are insecure websites, there are even more personal computers that are vulnerable and end up being infected. Because backups are seldom performed, a lot of users will find themselves in difficult situations where they desperately need their data back and feel forced to pay the ransom.

Sadly, those combined factors explain why ransomware is so prevalent and why new families and copycats are emerging all the time. Online criminals are fully tapping into this new haven that is extortionware.

IBM Healthcare Could Have Done Better Today

Today @IBMHealthcare tweeted this …

@IBMHealthcare Beyond the basics: Crafting an in-depth #healthcare #security strategy

… which linked to IBM’s Security Thought Leadership White Paper Healthcare Securing the healthcare enterprise: Taking action to strengthen cybersecurity in the healthcare industry (March 2015).

While I can’t comment on IBM’s business solutions “to strengthen cybersecurity in the healthcare industry,” I am surprised at the quality of information that IBM relies on to describe “the nature of today’s cyber attackers” to its potential customers.

For example, IBM presents a figure (reproduced below) and references a CNN Money report, Hospital network hacked, 4.5 million records stolen (August 18, 2014).

Leading source of data leaks in healthcare institutions
Figure 1. IBM’s leading source of data leaks in healthcare institutions

In fact, CNN is not the source for Figure 1. Another IBM publication, MSS Industry overview – Healthcare: Research and intelligence report (October 7, 2014) presents the same figure, and references “Chronology of Data Breaches Security Breaches 2005-Present, Privacy Rights Clearinghouse.” IBM seems to have generated Figure 1 by querying an API on the Privacy Rights Clearinghouse website.

I wonder why IBM does not use authoritative, readily available data on breaches of protected health information to make its business case and to educate the public.

For instance, a research letter (Liu, Musen & Chou, 2015) published recently in the Journal of the American Medical Association¹ described breaches of protected health information that had been reported from 2010 through 2013 by entities covered by the Health Insurance Portability and Accountability Act in the United States. Under the Health Information Technology for Economic and Clinical Health Act (2009), breaches involving the acquisition, access, use, or disclosure of protected health information and thus posing a significant risk to affected individuals must be reported.

Recently, we extended the original dataset of Liu et al. to include breaches of health information up to the present. Table 1 summarizes the number of incidents and victims of breaches of health information in the United States from January 2010 to August 2015, inclusive.

Counts and Victims of Health Information Breaches - US 2010-2015
Table 1. Number of incidents and victims of breaches of health information. † 2015 data are for January – August inclusive only.

Notice the tremendous spike in the number of victims in 2015 – a dramatic development that IBM took no note of today.

Figure 2 depicts the distribution of victims/breach of health information as a series of boxplots.

Distribution of number of victims/incident (log scale) of breach of health information U.S. 2010-2015
Figure 2. Distribution of victims/incident (log scale) of breach of health information. † 2015 data are for January – August inclusive only.

We see that in seventy-five percent of all incidents, the number of victims/breach over the year has fallen consistently below 10^4 (10,000). A small number of incidents have involved 100,000 – 1,000,000 victims/breach, and an even smaller number have involved 1,000,000 – 10,000,000 victims/breach. Incidents involving more than 10,000,000 victims/breach made their first appearance in 2015.

In light of these dramatic developments, it’s a shame that IBM is relying on outdated information when it comes to educating the public and identifying potential solutions “to strengthen cybersecurity in the healthcare industry.”

  1.  Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.

Cyber Insurance – Readings

Cambridge Centre for Risk Studies

Miscellaneous

News

Toronto Citizen’s Arrest of South Korea’s Smart Sheriff

From The Citizen Lab, Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application, Appendix B: Legal and Policy Issues (2015)

South Korea is one of the most highly connected countries in the world when it comes to Internet and mobile phone access. Whereas 36.2 percent of Korean minors had smartphones in 2011, the number grew to 81.5 percent within two years, with high penetration rates even among elementary school children.

The South Korean government has taken steps to regulate the use of digital media among minors, maintaining a “shutdown” rule that restricts access to online gaming for minors under the age of sixteen after midnight.

In 2013, regulators began focusing on combating excessive smartphone use, requiring that schools organize “boot camps” where no Internet usage is allowed, teach classes on Internet addiction, and educate those as young as three on how to prevent overuse of digital devices and the Internet.

By 2014, schools were piloting a program that required students, with parental approval, to download an application that allowed teachers to remotely track and control students’ smartphones, including the ability to lock the phone or allow only emergency calls.

By April 2015, the Korean government enacted a new measure requiring telecommunications business operators that enter into service contracts with minors to provide a means of blocking harmful content on the minor’s mobile device and ensure that parents receive notifications whenever the blocking means becomes inoperative. This measure has ushered in the wide-ranging use of parental monitoring software, with Smart Sheriff one of the most prominent options for fulfilling the mandate. One month into the mandate, these applications were reportedly downloaded at least 480,000 times.

With cooperation on implementation from numerous entities in the public and private sector, the new requirements constitute a pervasive parental monitoring and control mandate.

While Smart Sheriff is not the only tool offered to support compliance with the new regulations on provision of means to block harmful content, the Korean government appears to have uniquely supported its development and promotion.

According to its terms of use, Smart Sheriff collects and retains for one year information about applications installed on the child’s smartphone, data related to account password, member name, phone number, child’s date of birth, IP addresses of service access, and log file information such as access time.

Smart Sheriff’s terms of use also provide for sharing the student’s data with the Office of Education and the student’s school for purposes of smartphone addiction counselling, and with telecommunications business operators for the purpose of complying with the notification obligations of the mandate on installation of means for blocking harmful content.

What could go wrong?

Breaches of Health Information (US 2010 – 2015)

A research letter (Liu, Musen & Chou, 2015) published recently in the Journal of the American Medical Association¹ described breaches of protected health information that had been reported from 2010 through 2013 by entities covered by the Health Insurance Portability and Accountability Act in the United States. Under the Health Information Technology for Economic and Clinical Health Act (2009), breaches involving the acquisition, access, use, or disclosure of protected health information and thus posing a significant risk to affected individuals must be reported.

We extend the original dataset of Liu et al. to include breaches of health information up to the present.²

Table 1 summarizes the number of incidents and victims of breaches of health information in the United States from January 2010 to August 2015, inclusive.

Counts and Victims of Health Information Breaches - US 2010-2015
Table 1. Number of incidents and victims of breaches of health information. † 2015 data are for January – August inclusive only.

The most striking feature is the fluctuation in the number of victims over time generally – and the tremendous spike in the number of victims in 2015 particularly.

Figure 1 depicts the distribution of victims/breach of health information as a series of boxplots.

Distribution of number of victims/incident (log scale) of breach of health information U.S. 2010-2015
Figure 1. Distribution of victims/incident (log scale) of breach of health information. † 2015 data are for January – August inclusive only.

We see that in seventy-five percent of all incidents, the number of victims/breach over the year has fallen consistently below 10^4 (10,000). A small number of incidents have involved 100,000 – 1,000,000 victims/breach, and an even smaller number have involved 1,000,000 – 10,000,000 victims/breach. Incidents involving more than 10,000,000 victims/breach made their first appearance in 2015.

Table 2 presents the Medians and Inter-Quartile Ranges of the distributions of victims/breach.

Median and IQR of Victims of Health Information Breaches - US 2010-2015
Table 2. First Quartile (Q1), Median, Third Quartile (Q3), and Inter-Quartile Range (IQR) of the distribution of victims/incident of breach of health information. † 2015 data are for January – August inclusive only.

The median number of victims of breaches of health information is tending to increase over time, with a related increase in the dispersion of the number of victims/breach about the median.

Our focus in a few subsequent posts will be understanding the dynamics and implications of those breaches that have compromised the health information of 100,000+ patients.

Name | Date | Victims
Affinity Health Plan, Inc. | 2010-04-14 | 344,579
Millennium Medical Management Resources, Inc. | 2010-04-29 | 180,111
AvMed, Inc. | 2010-06-03 | 1,220,000
Siemens Medical Solutions, USA, Inc | 2010-06-04 | 130,495
Governor’s Office of Information Technology | 2010-07-09 | 105,470
Iron Mountain Data Products, Inc. (now known as | 2010-07-19 | 800,000
BlueCross BlueShield of Tennessee, Inc. | 2010-11-01 | 1,023,209
Triple-S Management, Corp.; Triple-S Salud, Inc.; | 2010-11-04 | 475,000
Medical Card System/MCS-HMO/MCS Advantage/MCS Life | 2010-11-09 | 115,000
Ankle + Foot Center of Tampa Bay, Inc. | 2011-01-03 | 156,000
Seacoast Radiology, PA | 2011-01-10 | 231,400
GRM Information Management Services | 2011-02-11 | 1,700,000
EISENHOWER MEDICAL CENTER | 2011-03-30 | 514,330
Oklahoma State Dept. of Health | 2011-04-11 | 132,940
IBM | 2011-04-14 | 1,900,000
NA | 2011-05-27 | 400,000
The Nemours Foundation | 2011-10-07 | 1,055,489
Science Applications International Corporation (SA | 2011-11-04 | 4,900,000
Sutter Medical Foundation | 2011-11-17 | 943,434
Utah Department of Technology Services | 2012-04-11 | 780,000
Emory Healthcare | 2012-04-18 | 315,000
South Carolina Department of Health and Human Services | 2012-04-24 | 228,435
Memorial Healthcare System | 2012-08-16 | 105,646
Alere Home Monitoring, Inc | 2012-10-18 | 116,506
Crescent Health Inc. – a Walgreens Company | 2013-02-22 | 109,000
Digital Archive Management | 2013-05-07 | 189,489
RCR Technology Corporation | 2013-07-01 | 187,533
Shred-it International Inc. | 2013-07-11 | 277,014
Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | 2013-08-23 | 4,029,530
AHMC Healthcare Inc. and affiliated Hospitals | 2013-10-25 | 729,000
Horizon Healthcare Services, Inc | 2014-01-03 | 839,711
Triple-C, Inc. | 2014-01-24 | 398,000
St. Joseph Health System | 2014-02-05 | 405,000
Indian Health Service | 2014-04-01 | 214,000
Sutherland Healthcare Solutions, Inc. | 2014-05-22 | 342,197
Montana Department of Public Health and Human Services | 2014-07-07 | 1,062,509
Community Health Systems Professional Services Corporation | 2014-08-20 | 4,500,000
Xerox State Healthcare, LLC | 2014-09-10 | 2,000,000
Touchstone Medical Imaging, LLC | 2014-10-03 | 307,528
Walgreen Co. | 2014-12-15 | 160,000
Georgia Department of Community Health | 2015-03-02 | 557,779
Georgia Department of Community Health | 2015-03-02 | 355,127
Virginia Department of Medical Assistance Services (VA-DMAS) | 2015-03-12 | 697,586
Anthem, Inc. Affiliated Covered Entity | 2015-03-13 | 78,800,000
Premera Blue Cross | 2015-03-17 | 11,000,000
Advantage Consolidated LLC | 2015-03-18 | 151,626
CareFirst BlueCross BlueShield | 2015-05-20 | 1,100,000
Beacon Health System | 2015-05-22 | 306,789
University of California, Los Angeles Health | 2015-07-17 | 4,500,000
Medical Informatics Engineering | 2015-07-23 | 3,900,000
Empi Inc and DJO, LLC | 2015-08-20 | 160,000
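The quantities the post reports (incident counts and total victims in Table 1, Q1/median/Q3/IQR in Table 2, and the order-of-magnitude bands visible in the log-scale boxplots of Figure 1) can be recomputed from rows like those in the table above. An added example, not the post's own analysis code: it parses rows in the "Name Date Victims" form and summarizes them per year. Only the 2014 and 2015 rows of the 100,000+ table are embedded below, copied from the post; the full table, or the underlying HHS portal export, would be processed the same way. The quartile convention is an assumption (the post does not state which it used), so Q1 and Q3 may differ slightly from Table 2.

```python
"""Added example: per-year count, total, quartiles/IQR and order-of-magnitude
buckets of victims per breach, computed from 'Name Date Victims' rows.
ROWS is copied from the post's table (2014-2015 subset only)."""
import math
import re
from collections import Counter, defaultdict
from statistics import quantiles

ROWS = """\
Horizon Healthcare Services, Inc 2014-01-03 839,711
Triple-C, Inc. 2014-01-24 398,000
St. Joseph Health System 2014-02-05 405,000
Indian Health Service 2014-04-01 214,000
Sutherland Healthcare Solutions, Inc. 2014-05-22 342,197
Montana Department of Public Health and Human Services 2014-07-07 1,062,509
Community Health Systems Professional Services Corporation 2014-08-20 4,500,000
Xerox State Healthcare, LLC 2014-09-10 2,000,000
Touchstone Medical Imaging, LLC 2014-10-03 307,528
Walgreen Co. 2014-12-15 160,000
Georgia Department of Community Health 2015-03-02 557,779
Georgia Department of Community Health 2015-03-02 355,127
Virginia Department of Medical Assistance Services (VA-DMAS) 2015-03-12 697,586
Anthem, Inc. Affiliated Covered Entity 2015-03-13 78,800,000
Premera Blue Cross 2015-03-17 11,000,000
Advantage Consolidated LLC 2015-03-18 151,626
CareFirst BlueCross BlueShield 2015-05-20 1,100,000
Beacon Health System 2015-05-22 306,789
University of California, Los Angeles Health 2015-07-17 4,500,000
Medical Informatics Engineering 2015-07-23 3,900,000
Empi Inc and DJO, LLC 2015-08-20 160,000
"""

# Names contain spaces and punctuation, so the ISO date column anchors the split.
ROW_RE = re.compile(r"^(?P<name>.+?)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<victims>[\d,]+)$")


def parse_rows(text):
    """Return (name, date, victims) tuples; victims is an int with commas removed."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        out.append((m["name"], m["date"], int(m["victims"].replace(",", ""))))
    return out


def by_year(rows):
    years = defaultdict(list)
    for _, date, victims in rows:
        years[int(date[:4])].append(victims)
    return dict(years)


def summarize(victims):
    """Count and total (Table 1) plus Q1, median, Q3 and IQR (Table 2).
    Assumption: the 'inclusive' quartile method, which interpolates between
    order statistics; other conventions give slightly different Q1/Q3."""
    q1, med, q3 = quantiles(victims, n=4, method="inclusive")
    return {"count": len(victims), "total": sum(victims),
            "q1": q1, "median": med, "q3": q3, "iqr": q3 - q1}


def magnitude_buckets(victims):
    """Map each incident to floor(log10(victims)): 5 = 100k-1M, 6 = 1M-10M, 7 = 10M+."""
    return dict(Counter(int(math.floor(math.log10(v))) for v in victims))


def yearly_report(text):
    return {year: {**summarize(v), "buckets": magnitude_buckets(v)}
            for year, v in by_year(parse_rows(text)).items()}


if __name__ == "__main__":
    for year, stats in sorted(yearly_report(ROWS).items()):
        print(year, stats)
```

On this subset the 2015 total is dominated by the two 10M+ incidents, which is the spike the post points to; the bucket counts make the same point numerically that the log-scale boxplots make visually.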

  1.  Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.
  2. Our source of data is the Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, Office for Civil Rights, U.S. Department of Health and Human Services, accessed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf on September 1, 2015.