What to Do When Ransomware Meets the Internet of Medical Things – Security Boulevard

Vedere Labs recently developed a proof-of-concept (PoC) ransomware for IoT (R4IoT) using, as an example attack scenario, a hospital network containing IoT devices such as IP cameras, IT workstations and OT in the form of building automation controllers. The goal of R4IoT was to:

This type of attack exploits an increased IoT attack surface and adds a new layer of extortion to common ransomware threats by targeting IoT and OT. We developed the concept based on threat intelligence we collected about the direction ransomware actors could soon be moving in, with the intent of helping organizations prepare for it. In the technical report accompanying the PoC, we describe in detail readily available detection and response actions for an R4IoT attack that serve as a playbook for organizations looking to defend against both current and future threats.

While novel, the R4IoT threat applies to almost every industry and organization nowadays. However, we chose a hospital for our attack scenario because of the diversity of IT, OT, IoT and Internet of Medical Things (IoMT) devices that healthcare delivery organization (HDO) bioengineers and SOC teams must manage. In this blog post, we explore why healthcare organizations would be a perfect target for an R4IoT-like attack, what that attack might look like and, most importantly, what you can do to avoid becoming a victim.

Healthcare was either the most or second-most affected vertical in Vedere Labs' recent vulnerability research. That is true whether we look at vulnerabilities we found and disclosed in TCP/IP stacks (Project Memoria), IoT remote management platforms (Access:7) or OT equipment (OT:ICEFALL).

As mentioned above, that distinction is mainly due to the diversity of devices in HDOs. These complex institutions host a broad range of devices that are increasingly interconnected, frequently run legacy software and are often poorly segmented. IT devices process and exchange sensitive data, such as patient health records and financial information. OT and IoT devices are used for diverse functions such as building automation and patient entertainment. Unique to healthcare is the Internet of Medical Things (IoMT): connected medical devices essential to clinical care that can generate and exchange patient data with other devices.

These new connected technologies improve efficiency and quality of care. They also introduce new security risks. Especially since the COVID-19 pandemic, there has been an increase in the number and sophistication of cyberattacks on hospitals. So far, these attacks have been mainly ransomware targeting IT systems. But the increased connectivity and associated vulnerabilities are not restricted to IT devices.

Ransomware attacks on HDOs increased 94% from 2021 to 2022, with 41% of these attacks targeting U.S. institutions. More important than the increase of attacks is their growing sophistication. Three points stand out from recent activity:

Although these characteristics are similar to trends we have observed in other industries and organizations, they point to a changing ransomware landscape where attackers are constantly looking for new ways to gain access to and impact their targets.

The original R4IoT attack, shown in Figure 1, leverages internet-exposed IoT devices (such as IP cameras) for initial access and their connection to corporate assets (such as network video recording and other workstations) for lateral movement. Once the attacker reaches a machine that can communicate with a building automation controller, that device is taken offline by exploiting DoS vulnerabilities.

Figure 1 The original R4IoT scenario

Building automation devices are used in hospitals to control functions such as physical access control, fire alarm systems, lighting and HVAC (heating, ventilation and air conditioning). These functions are not directly connected to patients, but they are critical to delivering patient care.

HVAC systems, for instance, maintain temperature, humidity and air quality throughout a hospital per regulations. Changing some of these parameters can have disastrous consequences: reduced ventilation can increase the spread of airborne diseases such as influenza and COVID-19, and drastic changes in temperature can render operating rooms unusable or spoil biological samples.

So clearly, by taking building automation systems offline, the original R4IoT attack could impact HDOs well beyond data encryption. However, that original scenario stopped short of what singles out healthcare as a target: the clinical network hosting connected medical devices or IoMT, which all too often lacks appropriate segmentation and hosts vulnerable devices. Examples include:

Figure 2 shows a scenario like the original R4IoT, but instead of leveraging a workstation to attack building automation devices, the attacker leverages a doctor's workstation to take offline connected medical devices on the clinical network. This obviously has an even greater effect on patient care, since some of these devices are critical to monitor a patient's condition, sustain life support, or in some cases enable surgeries and other urgent procedures.

Figure 2 An R4IoT scenario targeting infusion pumps, imaging devices and patient monitors

Several variations of R4IoT attacks are possible in HDOs. Another example would be the attacker gaining access via vulnerable internet-connected patient telemetry devices, moving laterally to an unpatched nurse's workstation connected to that telemetry device, then moving to a server hosting patient records, where communication with command-and-control servers is established, and finally attacking either the building automation system or other connected medical devices as in the previous scenarios.

There are multiple ways to mitigate the impact of ransomware for IoT and minimize the risk of this threat. Here are three mitigation steps based on the NIST Cybersecurity Framework that could be applied to ransomware attacks:

Implementing the right mitigation requires extensive visibility and enhanced control of all assets in a network. Forescout Continuum Platform helps to achieve that via:

Figure 3 shows several possible mitigation actions enabled by Forescout against R4IoT, such as visibility of vulnerable assets and detection and blocking of malicious communications.

Figure 3 Possible mitigations against R4IoT

As a concrete example, Figure 4 shows eyeInspect raising an alert for an RDP brute forcing attack from the IP camera to the NVR workstation, which is the first malicious action the attacker takes after gaining a foothold, in order to move laterally to the corporate network. Figure 5 then shows an eyeSight policy to block the IP camera on the network switch once the malicious RDP brute forcing is detected. This effectively severs the attacker's connection to the network, thus preventing the rest of the attack from ever taking place.

Figure 4 An eyeInspect alert for the RDP brute forcing attack from the IP camera to the NVR workstation

Figure 5 An eyeSight policy to block the IP camera on the network switch once the malicious RDP brute forcing is detected
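The detect-then-block sequence of Figures 4 and 5, written as an added illustration rather than Forescout's own eyeInspect or eyeSight logic: an asset inventory labels each address by device class, failed RDP logons are counted per (source, destination) pair in a sliding window, and an IoT-class source that exceeds the threshold produces an alert carrying a switch-port block as the proposed response. The addresses, device classes and log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical addresses): device class is what makes
# the RDP client suspicious, since an IP camera never legitimately opens RDP sessions.
INVENTORY = {"10.10.20.5": "ip_camera", "10.10.10.40": "nvr_workstation",
             "10.10.10.41": "it_workstation"}
IOT_CLASSES = {"ip_camera", "building_controller", "infusion_pump", "patient_monitor"}
RDP_PORT = 3389
THRESHOLD = 5                   # failed RDP logons per (src, dst) pair ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window

# Constructed connection log: "timestamp src dst dport outcome"
SAMPLE_LOG = """\
2022-06-01T09:55:00 10.10.20.5 10.10.10.40 3389 fail
2022-06-01T10:00:01 10.10.20.5 10.10.10.40 3389 fail
2022-06-01T10:00:03 10.10.20.5 10.10.10.40 3389 fail
2022-06-01T10:00:05 10.10.20.5 10.10.10.40 3389 fail
2022-06-01T10:00:07 10.10.20.5 10.10.10.40 3389 fail
2022-06-01T10:00:09 10.10.20.5 10.10.10.40 3389 fail
2022-06-01T10:00:11 10.10.10.41 10.10.10.40 3389 fail
2022-06-01T10:00:13 10.10.20.5 10.10.10.40 3389 fail
"""

def parse_line(line):
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome

def detect_rdp_bruteforce(log_text, inventory=INVENTORY):
    """Flag IoT-class devices making repeated failed RDP logons and propose a block."""
    failures = defaultdict(list)   # (src, dst) -> failed-logon timestamps inside WINDOW
    alerts, alerted = [], set()
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, outcome = parse_line(line)
        if dport != RDP_PORT or outcome != "fail":
            continue
        if inventory.get(src, "unknown") not in IOT_CLASSES:
            continue   # workstation-to-workstation RDP is left to other rules
        key = (src, dst)
        # Slide the window: keep only failures within WINDOW of this event, then add it.
        failures[key] = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
        if len(failures[key]) >= THRESHOLD and key not in alerted:
            alerted.add(key)   # one alert per pair, not one per extra attempt
            alerts.append({"src": src, "dst": dst, "attempts": len(failures[key]),
                           "first_seen": failures[key][0], "last_seen": ts,
                           # Mirrors Figure 5: isolate the offending device at the switch.
                           "response": {"action": "block_switch_port", "device": src}})
    return alerts
```

The 09:55:00 failure falls outside the window, so the alert fires on the fifth failure at 10:00:09, and the workstation's own failed logon is ignored because its class is not in IOT_CLASSES.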

Sophisticated ransomware attacks can take healthcare organizations out of action for weeks or even months, as we saw beginning in 2020 with a series of high-profile Ryuk attacks on hospitals. Take this deep dive into defenses based on Ryuk that you can implement now.

The post What to Do When Ransomware Meets the Internet of Medical Things appeared first on Forescout.

*** This is a Security Bloggers Network syndicated blog from Forescout authored by Vedere Labs. Read the original post at: https://www.forescout.com/blog/what-to-do-when-ransomware-meets-the-internet-of-medical-things/
