HC3 Threat Intelligence Briefing: Supply Chain Threats
OVERALL CLASSIFICATION IS UNCLASSIFIED
TLP:WHITE
9/06/2018
Agenda
⁻ Intro
⁻ Overview
⁻ Healthcare Supply Chain Attacks
⁻ Healthcare Supply Chain – Attack Vectors
⁻ Operation Red Signature
⁻ Operation Red Signature – Attack Chain
⁻ Protections and Mitigations
⁻ Conclusion
Slides Key:
⁻ Non-Technical: managerial, strategic and high-level (general audience)
⁻ Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)
Overview
⁻ Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations and the ability to compromise such assets. (Trend Micro)
⁻ Thirty percent of all breaches reported to the U.S. Department of Health and Human Services (HHS) public breach tool in 2016 were attributed to breaches of business associates and third-party vendors.
⁻ The healthcare industry is more dependent than ever on cloud-based systems, third-party service providers, and vendors in the supply chain.
⁻ NIST and the FDA have developed a framework and guidelines, respectively, to mitigate supply chain threats.
Healthcare Supply Chain – Risk Areas
Patient Health
• Systems used for diagnosis, monitoring, and treatment
• Medical Devices
• Medical Equipment
• Hospital Information System
Data Privacy
• Patient PII records like medical records and insurance info
• Employee PII
• Research and drug trial data
• Payroll
• Intellectual Property
Hospital Operations
• Staff scheduling databases
• Hospital-paging systems
• Building controls
• Pneumatic tube support systems
• Inventory systems
• Administration
Healthcare Supply Chain – Entry Points
⁻ Medical product/medicine/supplies manufacturer
⁻ Distribution center
⁻ Shipping and transportation companies
⁻ Suppliers
⁻ Vendor/contractor (equipment, HVAC, ISP, telephony or the like) or hospital staff
⁻ Mobile health (mHealth) app/HIS/other software developer
⁻ Outdated and unpatched firmware in medical devices/equipment
⁻ Previous employees or non-core services staff
Source: Trend Micro
Healthcare Supply Chain – Attacks
⁻ Device firmware attacks: Threat actors can access a medical device's firmware source code to add malicious functionality or install a backdoor.
⁻ Insider threats from hospital and vendor staff: Intentional or unintentional. Staff can abuse privileges, leading to a breach.
⁻ Source code during manufacturing: Perpetrators can access software source code via backdoor installation or device rooting.
⁻ Third-party vendors: Vendors have credentials that include log-ins, passwords, and badge access, all of which can be compromised.
⁻ mHealth mobile app compromise: mHealth apps can be targeted to change functionality, deliver fatal-level dosages, expose personal data, penetrate company systems, and cause HIPAA violations.
⁻ Website, EHR, and internal portal compromise: Perpetrators can attempt to compromise hospital websites, EHR software and internal portals used by hospital staff and vendors.
⁻ Spear phishing from trusted email accounts: Attackers can gain control of vendor credentials and send clients spoofed emails.
Source: Trend Micro
Healthcare Supply Chain – Attack Vectors
⁻ Firmware attacks on devices
⁻ Compromises to mobile applications
⁻ Insider threats
⁻ Compromises to websites
⁻ Source code during manufacturing
⁻ Spear phishing
⁻ Third-party vendors
Source: Trend Micro
Operation Red Signature
⁻ Researchers discovered an information theft-driven supply chain attack targeting organizations in South Korea (Trend Micro)
  – Attacks were discovered around the end of July, while the media reported the attack in South Korea on August 6.
⁻ Threat actors compromised the update server of a remote support solutions provider
  – delivered a remote access tool called 9002 RAT to their targets of interest through the update process.
⁻ Carried out by first stealing the company's code-signing certificate, then using it to sign the malware.
⁻ 9002 RAT payload:
  – an exploit tool for Internet Information Services (IIS) 6 WebDAV (exploiting CVE-2017-7269)
  – SQL database password dumper.
Operation Red Signature – Attack Chain
1. The code-signing certificate from the remote support solutions provider is stolen.
2. Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attackers' server.
3. The update server of the company is hacked.
4. The update server is configured to receive an update.zip file from the attackers’ server if a client is connecting from a specific range of IP addresses belonging to their targeted organizations.
5. The malicious update.zip file is sent to the client when the remote support program is executed.
6. The remote support program recognizes the update files as normal and executes the 9002 RAT malware inside it.
7. 9002 RAT downloads and executes additional malicious files from the attackers’ server.
Source: Trend Micro
Indicators of Compromise (IoCs) (Trend Micro):
Related hashes (SHA-256):
• 0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19 (ShiftDoor) — detected by Trend Micro as BKDR_SETHC.D
• c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e (aio.exe) — HKTL_DELOG
• a3a1b1cf29a8f38d05b4292524c3496cb28f78d995dfb0a9aef7b2f949ac278b (m.exe) — HKTL_MIMIKATZ
• 9415ca80c51b2409a88e26a9eb3464db636c2e27f9c61e247d15254e6fbb31eb (printdat.dll) — TSPY_KORPLUG.AN
• 52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005 (rcview.log) — TROJ_SIDELOADR.ENC
• bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e (rcview40u.dll) — TROJ_SIDELOADR.A
• 279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30 (sharphound.exe) — HKTL_BLOODHOUND
• e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc (ssms.exe) — HKTL_PASSDUMP
• e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518 (w.exe) — TROJ_CVE20177269.MOX
• 28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d (Web.exe) — HKTL_BROWSERPASSVIEW.GA
URLs related to the malicious update file:
• hxxp://207[.]148[.]94[.]157/update/rcv50/update.zip
• hxxp://207[.]148[.]94[.]157/update/rcv50/file000.zip
• hxxp://207[.]148[.]94[.]157/update/rcv50/file001.zip
URLs related to additionally downloaded malicious files:
• hxxp://207[.]148[.]94[.]157/aio.exe
• hxxp://207[.]148[.]94[.]157/smb.exe
• hxxp://207[.]148[.]94[.]157/m.ex_
• hxxp://207[.]148[.]94[.]157/w
• hxxp://207[.]148[.]94[.]157/Web.ex_
Related C&C server (9002 RAT and PlugX variant):
• 66[.]42[.]37[.]101
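The published indicators above, together with steps 4 and 7 of the attack chain (the update.zip and the follow-on files fetched from the attackers' server rather than from the vendor), can be turned into a retrospective sweep of proxy, firewall and endpoint logs. The Python below is an added example for this briefing, not code from HC3 or Trend Micro: it refangs the indicators exactly as listed, derives the download host from the URLs, and reports every hash, URL or host match per log line. The sample log lines are constructed for the demonstration and their key=value layout is an assumption; a real deployment would read the organisation's own log format.

```python
"""Retrospective IoC sweep for the Operation Red Signature indicators."""
import re
from urllib.parse import urlparse

# Indicators copied from the briefing (Trend Micro), kept defanged as published.
# Each hash maps to the file name and detection name given on the slide.
HASHES = {
    "0703a917aaa0630ae1860fb5fb1f64f3cfb4ea8c57eac71c2b0a407b738c4e19": "ShiftDoor / BKDR_SETHC.D",
    "c14ea9b81f782ba36ae3ea450c2850642983814a0f4dc0ea4888038466839c1e": "aio.exe / HKTL_DELOG",
    "a3a1b1cf29a8f38d05b4292524c3496cb28f78d995dfb0a9aef7b2f949ac278b": "m.exe / HKTL_MIMIKATZ",
    "9415ca80c51b2409a88e26a9eb3464db636c2e27f9c61e247d15254e6fbb31eb": "printdat.dll / TSPY_KORPLUG.AN",
    "52374f68d1e43f1ca6cd04e5816999ba45c4e42eb0641874be25808c9fe15005": "rcview.log / TROJ_SIDELOADR.ENC",
    "bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e": "rcview40u.dll / TROJ_SIDELOADR.A",
    "279cf1773903b7a5de63897d55268aa967a87f915a07924c574e42c9ed12de30": "sharphound.exe / HKTL_BLOODHOUND",
    "e5029808f78ec4a079e889e5823ee298edab34013e50a47c279b6dc4d57b1ffc": "ssms.exe / HKTL_PASSDUMP",
    "e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518": "w.exe / TROJ_CVE20177269.MOX",
    "28c5a6aefcc57e2862ea16f5f2ecb1e7df84b68e98e5814533262595b237917d": "Web.exe / HKTL_BROWSERPASSVIEW.GA",
}
DEFANGED_URLS = [
    "hxxp://207[.]148[.]94[.]157/update/rcv50/update.zip",
    "hxxp://207[.]148[.]94[.]157/update/rcv50/file000.zip",
    "hxxp://207[.]148[.]94[.]157/update/rcv50/file001.zip",
    "hxxp://207[.]148[.]94[.]157/aio.exe",
    "hxxp://207[.]148[.]94[.]157/smb.exe",
    "hxxp://207[.]148[.]94[.]157/m.ex_",
    "hxxp://207[.]148[.]94[.]157/w",
    "hxxp://207[.]148[.]94[.]157/Web.ex_",
]
DEFANGED_C2 = ["66[.]42[.]37[.]101"]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Undo the hxxp / [.] defanging so the indicator can be matched literally."""
    return (indicator.replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .replace("[.]", "."))


def build_iocs() -> dict:
    """Refang everything once; the download host is an indicator on its own."""
    urls = {refang(u) for u in DEFANGED_URLS}
    hosts = {refang(h) for h in DEFANGED_C2}
    hosts |= {urlparse(u).hostname for u in urls}
    return {"hashes": {h.lower(): n for h, n in HASHES.items()}, "urls": urls, "hosts": hosts}


def scan_line(line: str, iocs: dict) -> list:
    """Return (kind, indicator) pairs found in one log line, without duplicates."""
    hits = []
    for digest in SHA256_RE.findall(line):
        name = iocs["hashes"].get(digest.lower())
        if name and ("hash", name) not in hits:
            hits.append(("hash", name))
    for url in URL_RE.findall(line):
        if url in iocs["urls"] and ("url", url) not in hits:
            hits.append(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in iocs["hosts"] and ("host", ip) not in hits:
            hits.append(("host", ip))
    return hits


def scan_log(lines, iocs=None) -> list:
    """Return [(line_number, line, hits)] for every line with at least one hit."""
    iocs = iocs or build_iocs()
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, iocs)
        if hits:
            findings.append((number, line, hits))
    return findings


# Constructed sample log lines (not real telemetry); host names, user agent and
# the key=value layout are assumptions made for this example.
SAMPLE_LOG = [
    "2018-08-01T10:02:11Z proxy src=10.20.30.41 dst=207.148.94.157 "
    "url=http://207.148.94.157/update/rcv50/update.zip ua=RemoteSupport status=200",
    "2018-08-01T10:02:15Z edr host=WS-0412 action=load "
    "file=C:\\Program Files\\RemoteSupport\\rcview40u.dll "
    "sha256=bcfacc1ad5686aee3a9d8940e46d32af62f8e1cd1631653795778736b67b6d6e",
    "2018-08-01T10:03:00Z fw src=10.20.30.41 dst=66.42.37.101 dport=443 action=allow",
    "2018-08-01T10:05:00Z proxy src=10.20.30.42 dst=192.0.2.10 url=http://192.0.2.10/index.html status=200",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Matching on the host as well as the full URL matters here: the attack chain shows the same server handing out both the signed update.zip and the later tools, so any connection to it from a remote-support client, not just the exact published paths, is worth a look. The hash match on rcview40u.dll is the kind of sighting that stays invisible to a signature-only check, since that DLL was signed with the vendor's stolen certificate.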
Protection & Mitigations
Standards and Guidelines
⁻ NIST: Framework for Improving Critical Infrastructure Cybersecurity
⁻ FDA: Postmarket Management of Cybersecurity in Medical Devices
⁻ HITRUST CSF
Technical Recommendations for Hospitals
⁻ Network segmentation
⁻ Firewalls
⁻ Next-generation firewalls/Unified Threat Management (UTM) gateways
⁻ Antimalware solutions
⁻ Antiphishing solutions
⁻ Breach Detection Systems (BDS)
⁻ IPS/IDS
⁻ Encryption technologies
⁻ Patch management (physical or virtual)
⁻ Vulnerability scanner
⁻ Deception technologies
⁻ Shodan scanning
Non-Technical Recommendations for Hospitals
⁻ Perform vulnerability assessment of new medical devices
⁻ Purchase medical devices from manufacturers who go through rigorous security assessment of the products
⁻ Develop a plan for patching and updating code/firmware for devices implanted in patients and for hospital medical equipment.
⁻ Perform risk assessment on all suppliers and vendors in the supply chain.
⁻ Identify third-party vendor software and perform security and vulnerability testing to ensure they are safe from hackers
Source: Trend Micro
Conclusion
Upcoming Briefs:
⁻ Trends in Malicious Macro Usage
⁻ Cryptomining Landscape
⁻ Various APT/FIN Groups
Analyst-to-analyst webinars are available
Questions / Comments / Concerns?
HHS HCCIC Email Address: [email protected]