Cryptomining Software Discovered on Tennessee Hospital’s EMR Server

Por David Bisson em 08/02/2018 no site The Sate of Security

A Tennessee hospital discovered cryptomining software installed on a server that hosts its electronic medical records (EMR) system.

In January 2018, Decatur County General Hospital began notifying patients of a incident involving its electronic medical record systems. Its breach notification letter (PDF) reveals the hospital first learned about the security event from its EMR vendor:

On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as “cryptocurrency.”

Decatur County General Hospital. (Source: Nashville Public Radio)

Decatur County General Hospital subsequently launched its own investigation into the incident. So far, it’s determined that a remote actor likely accessed the server on which its EMR system stores patients information including their names, addresses, dates of birth, Social Security Numbers, insurance details, and medical treatment records. It’s also found that the cryptomining software had been active since at least 22 September 2017.

The hospital’s EMR vendor replaced the server and operating system four days after discovery.

At this time, Decatur County General Hospital cannot confirm whether the individual responsible for the breach accessed patients’ information stored on the server. It tells patients as much:

Again, while our investigation continues into this matter, we have no evidence that your information was actually acquired or viewed by an unauthorized individual, and based upon reports of similar incidents, we do not believe that your health information was targeted by any unauthorized individual installing the software on the server. Our investigation to date, however, has been unable to reasonably verify that there was not unauthorized access of your information.

Cryptomining emerged as a salient threat in 2017. Tools responsible for generating new units of cryptocurrency preyed upon 1.65 million users over the first eight months of the year. Since then, researchers have discovered a single Monero mining campaign that victimized 15 million users in the fall of 2017. Such findings have led some security experts to wonder whether cryptomining will supplant ransomware as the most widespread form of digital crime in 2018.

Given that possibility, it’s important that hospitals and other healthcare organizations maintain the security and integrity of their EMR systems. They can find guidance for that objective here.

To learn more about how Tripwire can protect your healthcare organization against digital threats, click here

Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

Por Swati Khandelwal em 08/02/2018 no site The Hackers News

A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer's components like light, sound and heat—have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage.

Air-gapped computers are those that are isolated from the Internet and local networks and so, are believed to be the most secure devices that are difficult to infiltrate.

Whereas, Faraday cages are metallic enclosures that even blocks all electromagnetic signals, such as Wi-Fi, Bluetooth, cellular and other wireless communications, making any device kept inside the cage, even more, isolate from outside networks.

However, Cybersecurity Research Center at Israel's Ben Gurion University, directed by 38-year-old Mordechai Guri, has developed two techniques that helped them exfiltrate data from computers placed inside a Faraday cage.

Dubbed MAGNETO [pdf] and ODINI [pdf], both the techniques make use of proof-of-concept (PoC) malware installed on an air-gapped computer inside the Faraday cage to control the "magnetic fields emanating from the computer by regulating workloads on the CPU cores" and use it to transmit data stealthily.

"Everyone was talking about breaking the air gap to get in, but no one was talking about getting the information out," Guri says. "That opened the gate to all this research, to break the paradigm that there's a hermetic seal around air-gapped networks."

According to the researcher, once a computer (no matter if it is air-gapped or inside a Faraday cage) has been infected, hackers can exfiltrate stolen data without needing to wait for another traditional connection to the infected machine.

How MAGNETO & ODINI Attacks Work:

Once a motivated attacker somehow succeeded in planting malware on an air-gapped computer, the malware then collects small pieces of information, like keylogging data, encryption keys, credential tokens, and passwords.

Also Read: CIA developed Malware for Hacking Air-Gapped Networks.

The PoC malware developed by the team then electrically generates a pattern of magnetic field frequencies by regulating CPU's workload, which can be achieved by overloading the CPU with calculations that increase power consumption and generate a stronger magnetic field.

These electromagnetic (acoustic, optical and thermal) emissions from the infected computer are powerful enough to carry a small stream of stolen data to a nearby device, a receiver planted by the hacker.

The process involves translating data first into binary, i.e. 0 and 1, and the transmitting it into morse-code-like patterns in accordance with electromagnetic emission.

"The transmitting program leaves only a small footprint in the memory, making its presence easier to hide from AVs. At the OS level, the transmitting program requires no special or elevated privileges (e.g., root or admin), and hence can be initiated from an ordinary userspace process," the paper reads.

"The transmitting code mainly consists of basic CPU operations such as busy loops, which do not expose malicious behaviors, making it highly evasive from automated analysis tools."

Also Read: Stealing Data from Air-Gapped Computers Using CCTV Cameras

While both MAGNETO and ODINI attacks are designed to exfiltrate data from a secured computer using electromagnetic emissions, the only difference between the two is:

• MAGNETO is a short-distance attack where an Android app installed on the attacker's smartphone can receive stolen data with the help of phone's magnetometer— a magnetic sensor that can transmit data even if the smartphone is placed inside a Faraday bag or is set to airplane mode.
• ODINI attack enables attackers to capture electromagnetic signals from a slightly longer range using a dedicated magnetic sensor.

In case of MAGNETO, the team managed to achieve only up to 5 bits/sec over a distance of up to 12.5 cm (5 inches), while ODINI is quite more efficient with a maximum transfer rate of 40 bits/sec over a range of 100 to 150 cm (3-5 feet).

Both ODINI and MAGNETO also work if the targeted air-gapped device is inside a Faraday cage, which is designed to block electromagnetic fields, including Bluetooth, Wi-Fi, cellular, and other wireless communications.

Researchers suggest three different approaches that can be used to prevent attackers from establishing a covert magnetic channel, i.e., shielding, jamming, and zoning.

Video Demonstration of MAGNETO And ODINI Attacks

The team published proof-of-concept video demonstrations for both MAGNETO and ODINI attacks, which shows both the attacks in action.

It's not the first time Ben-Gurion researchers came up with a covert technique to target air-gapped computers. Their previous research of hacking air-gap computers include:

• aIR-Jumper attack that steals sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision.
• USBee attack that can be used steal data from air-gapped computers using radio frequency transmissions from USB connectors.
• DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
• BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
• AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes;
• Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
• GSMem attack that relies on cellular frequencies.