
Saturday, June 15, 2019

Vulnerable infusion pumps can be accessed remotely to alter doses

Image: infusion pumps (credit: Clean Medical)

Researchers at CyberMDX, a healthcare security company, have identified two different vulnerabilities in the Becton Dickinson Alaris Gateway Workstation (AGW) that hospitals use with medical infusion pumps. One of the bugs is so serious that it carries a critical rating of 10 on the CVSS v3 severity scale.
The other bug is comparatively less severe and is found in the workstation's web-based management interface.
The workstations are made by the well-known medical device manufacturer Becton Dickinson. These flaws can be exploited remotely by an attacker, without any authentication, to gain full control of the infusion pump.
The critical bug, tracked as CVE-2019-10959, is a flaw in the device's firmware code. By exploiting it, an attacker can easily hijack the device to disable it entirely, install unauthorized firmware or malware, and report false information. The attacker can also communicate directly with the pumps attached to the gateway to manipulate drug dosages and even change infusion rates, both of which are drastic scenarios.
Image: A Becton Dickinson Alaris Gateway Workstation.
It is worth noting that the attacker would need no special privileges to carry out these actions. Without much delay, then, an attacker could toy with patients' lives by preventing life-saving treatment.
The exploit can be carried out by anyone with access to the hospital's internal network. Files transferred through the update mechanism are copied directly into internal memory and allowed to overwrite existing files, the researchers said.
Alaris Gateway Workstations power, monitor and control the medical use of infusion pumps. These devices are used in hospital ICUs and wards to automatically dispense scheduled drugs to a patient. The pumps deliver a range of medications that require continuous dosing, such as insulin and painkillers.
In most cases several infusion pumps, connected to a single medical gateway, are in use on a patient under treatment to deliver different drugs. The AGW is essentially used to communicate with the infusion pumps and to power them during critical medical procedures such as blood transfusion, chemotherapy, anesthesia and dialysis.
It cannot be ignored that infusion pumps are among the most widely used kit in a hospital, and their vulnerability can cause extreme problems for patients. These pumps dispense life-saving drugs and intravenous fluids, and any unauthorized change can lead to potentially fatal results.
Moreover, these pumps are generally connected to a single central monitoring station, from which the medical staff concerned can check the administration of drugs and fluids to several patients at once.
The flaws were independently tested and validated by CyberMDX, the U.S. Department of Homeland Security (DHS) and the vendor. CyberMDX researchers assessed the severity of the risk and expressed it as Common Vulnerability Scoring System (CVSS) base scores.
The Alaris Gateway firmware vulnerability received a CVSS base score of 10.0, which is critical. The flaw in the AGW's web browser user interface received a score of 7.3, which counts as high.
The researchers state that by installing malicious firmware on the computer connected to the pump, an attacker can remotely crash it, which would shut the pump down or disable it.
Moreover, building an attack kit is quite easy, but the attack chain is fairly complex, as it involves several stages such as gaining access to the hospital network, obtaining the workstation's IP address and crafting custom malicious code, said CyberMDX head of research Elad Luz.
Becton Dickinson advises device owners to update to the latest firmware, which contains fixes for these flaws.
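The update path the researchers describe (files delivered through the update mechanism are copied straight into memory and may overwrite what is already there, with no authentication) next to a hardened handler, as an added example. This is not CyberMDX's or Becton Dickinson's code and does not reflect the AGW's actual implementation: the package layout, manifest fields, file names and in-memory "flash" are assumptions, and HMAC-SHA256 with a constructed key stands in for the asymmetric signature a real device would verify against a vendor public key in ROM.

```python
"""Added example, not vendor or researcher code. Minimal firmware update
handler: the vulnerable pattern (write whatever arrives) beside a hardened
one (verify manifest signature, anti-rollback version, safe paths and
per-file hashes before committing anything). All names are assumptions."""
import hashlib
import hmac
import json
import posixpath

# Constructed signing key. A real gateway would hold only a public key and
# verify an asymmetric signature; HMAC is used here to stay in the stdlib.
VENDOR_KEY = b"constructed-vendor-signing-key"


def make_flash():
    """Constructed contents of the gateway's memory before any update."""
    return {"version": 3, "files": {"app/gateway.bin": b"trusted v3 image",
                                    "app/pump_ctl.bin": b"pump control v3"}}


def vulnerable_apply_update(flash, package):
    """The flaw as described: every file in the package is written into
    memory and may overwrite existing files. No auth, no integrity, no path check."""
    for name, data in package["files"].items():
        flash["files"][name] = data
    flash["version"] = package.get("version", flash["version"])
    return flash


def _signature(manifest):
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, canonical, hashlib.sha256).hexdigest()


def sign_package(version, files):
    """Vendor side (assumed): manifest with per-file SHA-256, then sign it."""
    manifest = {"version": version,
                "files": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}}
    return {"manifest": manifest, "signature": _signature(manifest), "files": files}


def _safe_path(name):
    """Reject absolute paths, traversal, and anything normpath would rewrite."""
    norm = posixpath.normpath(name)
    return not name.startswith("/") and not norm.startswith("..") and norm == name


def hardened_apply_update(flash, package):
    """Verify everything before touching memory, then commit in one step."""
    manifest = package.get("manifest")
    signature = package.get("signature", "")
    if manifest is None or not hmac.compare_digest(_signature(manifest), signature):
        raise ValueError("package is unsigned or signature invalid")
    if manifest["version"] <= flash["version"]:
        raise ValueError("rollback or replay: version not newer than installed")
    files = package["files"]
    if set(files) != set(manifest["files"]):
        raise ValueError("file list does not match signed manifest")
    for name, data in files.items():
        if not _safe_path(name):
            raise ValueError(f"unsafe path: {name}")
        if hashlib.sha256(data).hexdigest() != manifest["files"][name]:
            raise ValueError(f"hash mismatch: {name}")
    flash["files"].update(files)
    flash["version"] = manifest["version"]
    return flash


def demo():
    """Returns (vulnerable handler wrote a traversal path,
                hardened handler rejected a tampered payload,
                hardened handler accepted the genuine package)."""
    genuine = sign_package(4, {"app/gateway.bin": b"trusted v4 image"})
    tampered = dict(genuine, files={"app/gateway.bin": b"attacker image"})
    rogue = {"version": 99, "files": {"../boot/loader.bin": b"attacker image"}}

    vuln = vulnerable_apply_update(make_flash(), rogue)
    vuln_overwrote = "../boot/loader.bin" in vuln["files"]
    try:
        hardened_apply_update(make_flash(), tampered)
        rejected = False
    except ValueError:
        rejected = True
    ok = hardened_apply_update(make_flash(), genuine)
    accepted = ok["version"] == 4 and ok["files"]["app/gateway.bin"] == b"trusted v4 image"
    return vuln_overwrote, rejected, accepted


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any field of the manifest is trusted, the version check blocks re-sending an old signed package, and nothing is written until every file has passed, so a half-applied update cannot leave the device in a mixed state.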

Not the first time

This is not the first time researchers have identified life-threatening vulnerabilities in medical infusion pumps. Previously, Smiths Medical syringe infusion pumps were affected by high-severity flaws that allowed remote attackers to endanger patients' lives.
Last year, at RSA 2018, a group of doctors demonstrated how someone could hack a drug pump and modify doses, leading to an overdose of a particular drug. The group also exposed critical vulnerabilities in pacemakers, insulin pumps and defibrillators, with dire consequences.

Sunday, April 28, 2019

Watch: Hackers send explicit messages to riders on hacked e-scooters

By Uzair Amir on April 27, 2019 on the HackRead site (translated by Google Translate).

Image: Lime scooter (credit: Arkansas Times)

Lime has been trialling its e-scooters on the streets of Brisbane, but unfortunately the devices are in the news for the wrong reasons. According to reports, eight Lime e-scooters were pulled from the streets after users heard them saying offensive and questionable things.

Lime says the scooters were hacked to say these things and calls the incident "disappointing". Lime's official statement read:


"It's not smart, it's not funny and it's akin to changing a ringtone. It's disappointing that someone has taken the opportunity to mock members of the community in a hurtful way."
Riders of the hacked scooters have been posting about their experience on YouTube. According to one such post, as soon as the user unlocked the scooter it said: "Okay, if you're going to ride my ass, please pull my hair, okay?" In another video, the scooter says: "Don't take me around, because I don't like being ridden."
Brisbane's Channel Seven news also recorded and published videos of Lime scooters playing the voice messages. In one of the clips, the scooter tells the rider at the end of the trip:
"No, where are you going?"
That's not all. The hacked scooters can be heard making all sorts of offensive comments, most of which could be called sexually explicit. Lime believes the hackers somehow managed to swap the audio files on eight of the e-scooters, which is why the scooters circulating on the streets of Brisbane are making such suggestive remarks.




Video: Brisbane Lime scooter users are reporting bizarre voice messages when connecting and disconnecting from rides (Josh Clarke).




The company also said it was already working to restore the scooters to their original state. Lime spokesman Nelson Savanh explained that this could be the work of "vandals" and that the company is currently inspecting its entire fleet to assess how many devices were tampered with.
"We are aware that eight Lime scooters in Brisbane had their audio files changed by vandals recording over the existing audio file with inappropriate and offensive speech," Savanh said.

Monday, February 5, 2018

Internet Crime Complaint Center Impersonated for Malware & Phishing Scam

By Waqas on February 3, 2018 on the HackRead site


Another day, another phishing scam. This time, hackers are impersonating the Internet Crime Complaint Center (IC3) to run a malware and phishing scam.
The Federal Bureau of Investigation (FBI) has identified a new phishing scam in which hackers created a fake federal online crime complaint portal (the Internet Crime Complaint Center, IC3) on social media to deceive users into handing over private and confidential data. The FBI also issued a security alert on 1st February stating that it has received complaints from numerous citizens reporting emails purporting to come from the Internet Crime Complaint Center (IC3).
The FBI noted: “As of December 2017, the IC3 had received over 100 complaints regarding this scam. No monetary losses have yet to be reported.”
It should be noted that the real IC3 portal lets users file a complaint with the FBI. The scam email has four variations, according to the FBI, and each claims that the recipient has become the victim of a cybercrime or fraud campaign and that the complaint center therefore needs private, sensitive data in order to compensate for the loss. The email is crafted to look legitimate; for example, it contains hyperlinks to news articles about the capture of an online scammer.
The fake email also carries a text document that users are told to download to complete the process. That document is laced with malware that extends the data theft. One of the emails also points to a fake IC3 social media page that asks recipients to enter personal data if they want to report online fraud or cybercrime.
In another email, the recipient is told that he or she is eligible to receive compensation from the IC3 for being the victim of a recent scam and can claim up to $2m or £1.5m as a restitution payment. The content of one of the emails read:
“The perpetrator and his group of co-offenders had over 2000 aliases originating from Russia, Nigeria, Ghana, London, and much more masking their original identities. Our records indicate that you have been a victim of fraud because your contact details were found on several devices belonging to the perpetrator.”

In another fake email, the recipient is told that for having been treated unfairly by courier companies and banks, the victim has been found eligible for restitution. The fourth email contains a form from the "Internet Crime Investigation Center/Cyber Division" along with a fake case reference number. The email informs the recipient that the IP address in use is involved in a federal cybercrime and that the recipient must therefore contact the sender by phone.
Image: Screenshots of fake emails sent by hackers.
The US Department of Homeland Security has also issued a security advisory citing the ongoing malware and phishing scam in the name of IC3.
Remember, cybercriminals have become persistent and sophisticated in their phishing attacks, which has allowed them to steal millions of dollars from unsuspecting users. In just the last week there have been three phishing attacks in which scammers stole $900,000 from Harris County, Texas, $150,000 in Ethereum from the Experty ICO and $1M worth of Ethereum from BeeToken's ICO.

Tuesday, January 30, 2018

Phishing Scam: Hackers Steal $150,000 in Ethereum from Experty ICO

By Waqas on January 29, 2018 on the HackRead site



Just a week after the biggest hack in the history of the cryptocurrency business, in which the Japan-based Coincheck exchange was hacked and $534 million stolen, the much-awaited token sale (Initial Coin Offering, or ICO) by Experty has landed in no man's land after a hacker tricked ICO participants with a fake pre-ICO sale announcement, luring those who had signed up for notifications into sending Ethereum funds to the wrong wallet address. Through this targeted attack the hacker(s) managed to steal around $150,000 in Ethereum before the ICO event was held.
An ICO is quite similar to a conventional Initial Public Offering (IPO), but differs in that buyers receive a token from an online platform instead of stock in a firm. Users may keep the token until the issuing company is ready to repurchase it, or sell it to others who use Ethereum.
Through the ICO, Experty was looking to raise funds for a VoIP calling system that would support voice and video conversations like Skype as well as secure cryptocurrency-based payments via blockchain. Experty had high hopes for the sale, since Inc.com ranked it among the top ten ICOs due to be held this year.

Phishing Scam

What actually happened was that between January 26 and 27, Experty users who had received the announcement and signed up for notifications were asked by email to send funds to an Ethereum wallet in order to buy EXY tokens and take part in the ICO. The email was fake: the real Experty ICO was scheduled for January 31st, the email was sent by a hacker, and the wallet address was not owned by the Experty team.
Image: Fake email sent to Experty users.
The fake Ethereum wallet address holds at least $150,000 worth of funds, collected through 71 transactions. Experty had partnered with Bitcoin Suisse to process transactions, and both firms are now asking users not to send money to the fake wallet.
According to the official statement, Experty and Bitcoin Suisse say the hacker compromised the computer of one of the people who conducted the Proof-of-Care review for Experty. Initially, Experty said it would give 100 EXY tokens, worth about $120, to every individual in its email database. The company has since announced additional compensation for users who sent funds to the fake wallet.
Bitcoin Suisse also issued a statement saying that data submitted to Experty's website was compromised but that nothing held by Bitcoin Suisse was exposed. ICO investors are advised to double-check wallet addresses sent by any project team before making transactions; services such as the Clearify.io platform can be used to verify a new address.

Refunds Due To The Data Breach

In a statement issued on January 28th, the company said it will refund its customers:
“We will be contacting the victims that are in our database in order to distribute the proportional amount of EXY tokens to them, including the bonuses for their tier. If someone wishes to receive ETH instead, we ask them to please contact us privately about this.”
“Any ETH sent to the scammer after this announcement [January 28, 2018, at 21:30 UTC] will not be refunded in order to prevent people purposely sending money to the scam address to receive EXY tokens.”

10th Breach Against A Cryptocurrency Platform In Last 6 Months

1: July 4th, 2017: Bithumb hacked and 1.2 billion South Korean Won stolen.
2: July 17th, 2017: CoinDash hacked and $7 million in Ethereum stolen.
3: July 20th, 2017: Parity Technologies hacked and $32 million in Ethereum stolen.
4: July 24th, 2017: Veritaseum hacked and $8.4 million in Ethereum stolen.
5: August 22nd, 2017: Enigma marketplace hacked and $500,000 in Ethereum stolen.
6: November 19th, 2017: Tether hacked and $30 million worth of tokens stolen.
7: December 7th, 2017: NiceHash hacked and $70 million stolen.
8: December 21st, 2017: EtherDelta hacked and $266,789 in Ethereum stolen.
9: January 26th, 2018: Coincheck hacked and $534 million stolen.

Monday, January 29, 2018

Phishing Scam: Hackers Steal $900,000 from County Office

By Waqas on January 28, 2018 on the HackRead site


Another day, another phishing scam. This time Harris County, Texas wired almost $900,000 after falling for a phishing email.
Normally cybercriminals exploit their victims' lack of knowledge, but in this phishing attack they sank to a new low by profiting from the devastation caused by hurricane Harvey.

Transfer $888,000 “She” Said

It all started on September 21st, 2017, in the aftermath of hurricane Harvey, which had submerged an estimated 30 percent of Harris County, Texas. The county auditor's office received an email from a woman going by the name of Fiona Chambers, who posed as an accountant for D&W Contractors, Inc.
D&W Contractors, Inc. is a legitimate company that was working at the time to repair hurricane damage in the county. In the email, Chambers asked the office to transfer $888,000 to the contractor's new bank account as part of its contract.
“If we can get the form and voided check back to you today would it be updated in time for our payment?” according to the email content mentioned by Houston Chronicle.
The county duly transferred $888,000 to the bank account Chambers provided, without verifying that it actually belonged to D&W Contractors, Inc. The very next day it emerged that the county had fallen for a phishing scam: there was no one named Fiona Chambers at the company, nor did the bank account belong to the contractor.
The incident is now being investigated by the FBI (Federal Bureau of Investigation), whose prime suspect is a group known for targeting local governments worldwide. For its part, the county says it has learned its lesson and vows to strengthen its cybersecurity and overhaul how it handled the situation.
“We live in a rapidly changing world of technology that you can't just sit pat and expect that the bad guys aren't going to come after you. I think we need to look at all of our systems to be sure that somebody can't get in and steal taxpayer money,” said Harris County Judge Ed Emmett.

Previous Scam Linked Back To China

In June last year, a similar incident took place in which state Supreme Court judge Lori Sattler, who was selling her apartment to buy another, received an email she believed came from a legitimate real estate lawyer.
In the email the supposed lawyer asked her to transfer $1 million to a bank account. Following the instruction, she transferred $1,057,500, but the money went to a bank in China, reportedly the Commerce Bank of China, rather than to the lawyer.
It is unclear whether the two cases are related, but what they have in common is that the attackers knew the exact situation of their victims along with their business dealings. Phishing scams are becoming more sophisticated, and unsuspecting users need to remain vigilant, avoid downloading attachments from unknown emails, and always confirm the authenticity of an email before giving away personal information or wiring funds.

Friday, January 26, 2018

Hacker Used Malware To Hike Prices for Gas Station Customers

By Waqas on January 24, 2018 on the HackRead site


Russian authorities have identified a widely distributed malware campaign targeting gas stations whose pumps are run by software. So far dozens of gas stations have been affected, with customers conned into paying for more fuel than was actually pumped into their tanks. Reportedly, around 3 to 7% per gallon of pumped gas was added to what customers paid as a result of this new scam.
In connection with the scam, the Russian Federal Security Service (FSB) arrested Denis Zayev this Saturday in Stavropol, Russia. Zayev is a hacker and has been charged with creating software for the primary purpose of swindling gas station customers and defrauding them through malware installed on the pumps.
Notably, the software Zayev created was found at several electronic gas stations where he had installed the IT systems. Pumps in and around southern Russia have been the predominant targets so far.
According to the investigation, the software ran on the gas pumps as well as on the cash registers. This allowed Zayev and his affiliates to take at least 3% and up to 7% more than the fuel actually pumped into customers' cars. The software was allegedly deployed with the approval of the gas station operators: the malware was sold to them by Zayev, who remained a partner in the scheme and received a share of the fraudulent earnings.
According to local media: “A giant scam covered almost the entire south of Russia in which viruses were found in dozens of gas stations in the Stavropol Territory, Adygea, Krasnodar Territory, Kalmykia, several republics of the North Caucasus, etc. A whole network was built to steal fuel from ordinary citizens – they did not bear any financial loss.”
What actually happened was that the operators left a storage tank empty whenever a new fraud cycle began. When customers came to refuel, the malware diverted between 3 and 7% of the fuel they had paid for into the empty tank without alerting them. The pump displayed the full amount and the cash register issued a receipt for the full amount. Once the tank had filled up, the operators sold the diverted fuel as ordinary stock, hiding the transactions.
How the scheme was identified has not been disclosed by the FSB; all that has been said is that the authorities found it in the Russian territories of North Caucasus, Stavropol, Adygea, Krasnodar and Kalmykia. Zayev has been charged with large-scale fraud, development of malicious software and selling the programs to gas station employees. The schemers collected “hundreds of millions of rubles”, investigators noted.
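The FSB has not said how the scheme was found. One way a skim of this kind shows up is a metrology audit: an inspector draws fuel into a calibrated test measure and compares the real volume with what the pump's display and receipt claim. The following is an added example of that check, not code from the investigation or from HackRead; the tolerance, the pump ids and every reading are constructed for illustration.

```python
"""Added example, not investigation code: detect a dispenser whose
controller systematically bills more fuel than it delivers by comparing
the displayed volume of calibrated test draws with the measured volume.
All readings and the tolerance below are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean

# Assumed legal tolerance for a dispenser: 0.5 % of delivered volume.
LEGAL_TOLERANCE = 0.005


@dataclass(frozen=True)
class TestDraw:
    pump_id: str
    displayed_l: float   # what the pump's controller showed and billed
    measured_l: float    # what actually arrived in the calibrated test measure


def shortfall(draw):
    """Fraction of the billed volume the customer never received
    (negative when the pump over-delivers)."""
    return (draw.displayed_l - draw.measured_l) / draw.displayed_l


def audit_pumps(draws, tolerance=LEGAL_TOLERANCE, min_draws=3):
    """Group test draws by pump and flag a pump when its mean shortfall exceeds
    tolerance AND every draw is short, i.e. a systematic bias rather than a
    noisy meter. Returns {pump_id: mean_shortfall} for flagged pumps only."""
    by_pump = {}
    for d in draws:
        by_pump.setdefault(d.pump_id, []).append(shortfall(d))
    flagged = {}
    for pump_id, shortfalls in by_pump.items():
        if len(shortfalls) < min_draws:
            continue          # not enough evidence either way
        avg = mean(shortfalls)
        if avg > tolerance and all(s > 0 for s in shortfalls):
            flagged[pump_id] = round(avg, 4)
    return flagged


# Constructed audit: P1 is honest (meter noise in both directions), P2 and P3
# run skimming software at roughly 3 % and 7 %, P4 has only one draw so far.
AUDIT = [
    TestDraw("P1", 20.00, 19.98), TestDraw("P1", 20.00, 20.03), TestDraw("P1", 20.00, 19.97),
    TestDraw("P2", 20.00, 19.40), TestDraw("P2", 20.00, 19.42), TestDraw("P2", 20.00, 19.38),
    TestDraw("P3", 20.00, 18.60), TestDraw("P3", 20.00, 18.62), TestDraw("P3", 20.00, 18.58),
    TestDraw("P4", 20.00, 19.90),
]

if __name__ == "__main__":
    for pump, bias in audit_pumps(AUDIT).items():
        print(f"{pump}: bills {bias:.1%} more than delivered")
```

Requiring every draw to be short, not just the mean, is what separates a controller that lies from a worn meter: an honest pump drifts both ways, the skimming pattern described here never drifts in the customer's favour.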

Saturday, January 13, 2018

Malware infected fake Telegram Messenger app found in Play Store

By Waqas on January 12, 2018 on the HackRead site


The Google Play Store is home to more than 3.5 million apps, but among them are plenty of malicious apps laced with adware or other malware, targeting users who download them believing that Google handles their security the same way it does elsewhere.
The reality is quite different: IT security researchers at Symantec have identified a fake Telegram Messenger app in the Google Play Store that is in fact a malicious app infecting Android devices with malware and spamming them with ads.
The fake app is called “Teligram [New version updated]”: the attackers replaced the letter “e” with “i” and changed the theme color from blue to black, hoping unsuspecting users would overlook the difference and be tricked into downloading the malicious app.
Image: The difference is obvious (Credit: Symantec via Play Store)
To make the scam more convincing, the fake app even works as an instant messaging app, but at the same time it contains advertising libraries that spam users with ads to make money. Symantec researchers further noted that the malicious app, detected as Trojan.Gen.2, is built from the open source Telegram code, and that such repackaged apps also circulate on third-party app stores.
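The one-letter swap in “Teligram” is the classic lookalike trick, and it is cheap to catch mechanically. The following is an added example, not Symantec's or Google's code, of the check an app-store reviewer or a mobile-device-management allowlist could run on new listings: strip decorations such as “[New version updated]”, compare each word of the title with a list of trusted app names by edit distance, and flag near-misses whose publisher is not the one on record. The trusted list, publisher ids and listings are constructed.

```python
"""Added example, not vendor code: lookalike app-title detection by edit
distance against a constructed allowlist of trusted names and publishers."""
import re

# Constructed allowlist: normalised trusted name -> publisher id expected on the store.
TRUSTED = {
    "telegram": "pub:telegram",
    "whatsapp": "pub:whatsapp",
    "signal": "pub:signal",
}


def name_tokens(title):
    """Drop bracketed/parenthesised suffixes, lowercase, split into alphanumeric
    words; also append the words joined, so "What sApp" still compares whole."""
    stripped = re.sub(r"[\[(].*?[\])]", "", title)
    words = re.findall(r"[a-z0-9]+", stripped.lower())
    if len(words) > 1:
        words.append("".join(words))
    return words


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(title, publisher, trusted=TRUSTED, max_distance=2, min_len=4):
    """Return ("genuine", name), ("lookalike", name) or ("unrelated", None).
    Tokens shorter than min_len are ignored so that "app" or "pro" cannot
    match a trusted name by accident."""
    best = None
    for token in name_tokens(title):
        if len(token) < min_len:
            continue
        for name in trusted:
            d = levenshtein(token, name)
            if d <= max_distance and (best is None or d < best[1]):
                best = (name, d)
    if best is None:
        return ("unrelated", None)
    name = best[0]
    # An exact or near-exact title from the wrong publisher is the impersonation case.
    return ("genuine", name) if publisher == trusted[name] else ("lookalike", name)


# Constructed store listings: (title as shown, publisher id).
LISTINGS = [
    ("Telegram", "pub:telegram"),
    ("Teligram [New version updated]", "pub:someone-else"),
    ("Te1egram Messenger", "pub:someone-else"),
    ("Signal Private Messenger", "pub:signal"),
    ("Weather Radar", "pub:weather"),
]


def scan(listings=LISTINGS):
    """Classify every listing; returns [(title, verdict, trusted_name), ...]."""
    return [(title, *classify(title, pub)) for title, pub in listings]


if __name__ == "__main__":
    for row in scan():
        print(row)
```

Edit distance alone would also flag the real Telegram, which is why the publisher is part of the verdict: a title that matches a trusted name is only "genuine" when it comes from the publisher on record, and an exact-name copy from anyone else is treated the same as a one-letter variant.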

According to John Hou of Symantec's Threat Intelligence team, “While open source projects can be of huge benefit to developers and consumers, they can also be used by criminals to create convincing imitations of trusted apps.”
Once installed, the app executes malware that ends up installing an ad clicker or a backdoor. Hou believes the main motive is to make money rather than to steal personal data, though the attackers behind the scam could add features that steal user data or perform other malicious activity in the future.
Image: Spamming devices with ads (Credit: Symantec)
At the time of publishing this article, the Teligram app had been removed from the Play Store.
Remember, hackers are becoming more sophisticated in their attacks. On January 11th, Trend Micro researchers discovered the first malicious app in the Play Store written in the Kotlin language. Kotlin is used to write Android apps and is used by prominent apps including Pinterest, Netflix and Twitter.
Android users are advised to be vigilant, avoid downloading unnecessary apps, and, if downloading APK files from a third-party store, scan them with up-to-date security software before installing them on the device.