Posted August 21, 2014
Where there are Breaches, there are Infections
– by Jason Lewis
Community Health Systems (CHS) recently announced that its network of 206 hospitals was breached, exposing the information of 4.5 million patients. On the surface, one would think that a company handling patient information would be vigilant about security, considering the high cost of HIPAA violations.
A quick search for Community Health Systems within our ScoutVision platform reveals an autonomous system number (ASN) and a number of CIDR blocks. Using this information we can search for current and historical infections and threat indicators on those networks. We immediately found 12,500 Internet Protocol (IP) addresses associated with CHS, of which ten (10) are linked with the bots and blacklists below:
- ZeuS Gameover
These bots are known for performing SQL injection, phishing scams, spamming, bitcoin theft, data exfiltration, proxy services, click fraud and banking credential theft. Not surprisingly, these same IPs also show up on spam blacklists.
In every case, multiple threat indicators are associated with each questionable IP. A single host rarely runs several different bot families at once, so this suggests these IPs are gateways or proxies with multiple infected hosts behind them. There is a high likelihood that those infected hosts can reach a virtual private network (VPN) that connects back to CHS headquarters.
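The triage described above, as an added example that is not part of the original post and uses none of Lookingglass's code: take the prefixes an ASN/CIDR lookup returned for the organisation, fold every indicator hit inside those prefixes into one record per IP, and flag addresses that carry more than one distinct malware family as probable gateways or proxies. The CIDRs are RFC 5737 documentation ranges and the indicator feed is constructed for the example; neither is CHS's real data.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Prefixes standing in for the CIDRs an ASN/CIDR lookup returns for the
# organisation. These are RFC 5737 documentation ranges chosen for the
# example, not the organisation's real address space.
ORG_CIDRS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed indicator feed: (ip, kind, name, first_seen, last_seen).
# kind is "bot" for a sinkhole/C2 observation of a malware family and
# "blacklist" for a listing such as a spam blocklist.
INDICATORS = [
    ("192.0.2.10",   "bot",       "zeus_gameover", date(2014, 1, 12), date(2014, 8, 21)),
    ("192.0.2.10",   "bot",       "conficker",     date(2014, 2, 3),  date(2014, 8, 20)),
    ("192.0.2.10",   "blacklist", "spam_bl",       date(2014, 3, 1),  date(2014, 8, 21)),
    ("192.0.2.77",   "bot",       "conficker",     date(2014, 5, 9),  date(2014, 8, 19)),
    ("198.51.100.5", "blacklist", "spam_bl",       date(2014, 7, 1),  date(2014, 7, 2)),
    ("203.0.113.9",  "bot",       "zeus_gameover", date(2014, 1, 1),  date(2014, 8, 21)),  # outside org
]


def in_org(ip, cidrs=ORG_CIDRS):
    """True if ip falls inside one of the organisation's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def summarize(indicators=INDICATORS, cidrs=ORG_CIDRS):
    """Fold every indicator hit inside the org's prefixes into one record per IP,
    tracking distinct families, distinct blacklists and the overall seen window."""
    summary = defaultdict(lambda: {"families": set(), "blacklists": set(),
                                   "first_seen": None, "last_seen": None})
    for ip, kind, name, first, last in indicators:
        if not in_org(ip, cidrs):
            continue  # hit belongs to someone else's address space
        rec = summary[ip]
        (rec["families"] if kind == "bot" else rec["blacklists"]).add(name)
        rec["first_seen"] = first if rec["first_seen"] is None else min(rec["first_seen"], first)
        rec["last_seen"] = last if rec["last_seen"] is None else max(rec["last_seen"], last)
    for rec in summary.values():
        # How long the address has been reporting as infected or listed.
        rec["active_days"] = (rec["last_seen"] - rec["first_seen"]).days
    return dict(summary)


def likely_gateways(summary, min_families=2):
    """IPs carrying several distinct malware families at once. One host rarely
    runs two bots, so the address is probably a NAT gateway or proxy with
    multiple infected machines behind it."""
    return sorted(ip for ip, rec in summary.items() if len(rec["families"]) >= min_families)


if __name__ == "__main__":
    s = summarize()
    for ip, rec in sorted(s.items()):
        print(ip, sorted(rec["families"]), sorted(rec["blacklists"]),
              rec["first_seen"], rec["last_seen"], f"{rec['active_days']}d")
    print("likely gateways/proxies:", likely_gateways(s))
```

The `active_days` window is the same first-seen/last-seen span a feed gives you per address; a family that keeps reporting for months on one IP is the "unpatched for years" signal, and an IP with two or three families plus a blacklist listing is the one worth tracing back to a VPN concentrator or NAT device first.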
It’s concerning, but not surprising, that this network has active Conficker infections. Conficker was discovered in November 2008 and spread through a vulnerability (MS08-067) that Microsoft had already patched the month before. Infections in 2014 are a strong indicator that systems have gone unpatched for years, a common theme in the healthcare industry.
Lookingglass has observed these IPs showing infections as early as January 2014 and as recently as today. If an advanced nation-state actor penetrated this network, it probably didn’t have to work very hard to gain a foothold.