The Soft Underbelly of Healthcare and Embedded Systems
A long time ago when I was first getting my start in the world of tech, I worked for a really awesome guy, John, who for some reason saw some potential in me and gave me a chance to learn IT while working in his silicon wafer reclaim business. They built out a multi-million dollar wafer reclaim facility and part of the line was supported by an expensive tool that had a networking option, which cost several thousand dollars and consisted of a $25 network card and some drivers. Thus, I got to put on a cleanroom bunny suit and install a NIC on this wafer processing tool.
I was young and naïve and thus was shocked to find out that this huge, expensive and sophisticated tool was being run by and old version of Windows several generations out of date. Fortunately the NIC still came with old drivers and by some miracle setup.exe actually worked. Hallelujah, get me out of this bunny suit. Surely in the near future someone will solve this problem of expensive tools running old operating systems….
Fast forward to the present day and the whole paradigm of expensive, specialized gear being driven by systems running on old or obsolete operating systems is alive and well.
Case in point, Orangeworm, a recent attack group, leveraging malware called Kwampirs. These guys seem to have cracked the code with regards to certain verticals tending to run old/legacy operating systems, and healthcare is one of those verticals and an increasingly attractive target for the badguys.
One of the challenges is that systems like X-Ray machines are very expensive, relatively long lived tools. The companies that make them are not usually focused on IT and related issues, so they are most interested in shipping the tool and don’t necessarily think about updates and patches ten years down the line or even security beyond whatever is required by HIPAA (a commenter on The Register suggested putting some credit card data on those systems and watching how quickly PCI gets previously un-updatable systems updated and patched).
Other environments, like manufacturing or just about any sort of place where you can find SCADA systems, can be somewhat similar – expensive equipment that does not go obsolete overnight made and installed and maintained by people who probably don’t really focus on IT can lead to similar outcomes – lots of embedded XP or other similarly old and obsolete and vulnerable operating systems embedded in not easily updatable ways.
It may seem hard to believe how hard it is to update some of these systems, but it is. Some of the reason may be certification related – with significant changes requiring expensive and time-consuming recertification. In some cases there might be an expensive support contract that gets voided if you touch things, in others there may be stuff soldered to a motherboard or special hardware that requires drivers that only run on an old OS or any of a number of other reasons why rip and replace or “just virtualize it” won’t work.
Because of these reasons, Orangeworm was able to impact a fairly large number of organizations using relatively old malware, in this case Kwampirs. While the combination is not particularly sneaky, trick or sophisticated, they have proven adequately skilled to get in to a number of production healthcare, industrial, logistics and manufacturing networks. Orangeworm doesn’t seem to care too much about flying low and slow and trying to avoid detection. To the contrary, they do a lot of noisy, easy to detect things that seem a lot more like kicking down a weak front door than picking the lock. While the purist may cringe, considering the state of IT in many of the target verticals, maybe stealthy approaches would not buy a bad actor very much.
Next Steps
Next steps for organizations running networks, particularly those in health care, manufacturing include:
1. Make sure existing tools (X-Ray, MRI, CAT etc) are patched and updated to the extent possible.
2. You may want to explore network segmentation and create highly protected network segments with fairly restrictive ACLs etc for vulnerable IoT devices.
3. To ensure the steps you have taken to protect your devices have been effective, you may want to test your security with a product such as BreakingPoint or CyPerf.