Posted August 21, 2014
Where there are Breaches, there are Infections
– by Jason Lewis
Community Health Systems (CHS) recently announced that its network of 206 hospitals was hacked, impacting the information of 4.5 million patients. On the surface, one would think that a company that deals with patient information would be vigilant about security, considering the high cost of HIPAA violations.
A quick search for Community Health Systems within our ScoutVision platform reveals an autonomous system number (ASN) and a number of CIDRs. Using this information we can search for current and historical infections and threat indicators on those networks. We immediately found 12,500 Internet Protocol (IP) addresses associated with CHS, of which ten (10) are linked with the various bots and blacklists below:
- ZeuS Gameover
These bots are known for performing SQL injections, phishing scams, spamming, bitcoin theft, data exfiltration, proxy services, click fraud and banking credential theft. Not surprisingly, these same IPs show up on spam blacklists.
In every case, multiple threat indicators are associated with each individual questionable IP. That suggests these IPs are gateways or proxies with multiple hosts behind them. There is a high likelihood that these infected hosts are able to access a virtual private network (VPN) that connects back to CHS headquarters.
It’s concerning, but not surprising, that this network has active Conficker infections. Conficker was discovered in 2008 and patches were available soon after. These infections are a strong indicator that systems have gone unpatched for years – a common theme in the healthcare industry.
Lookingglass has observed these IPs showing infections as early as January 2014 and as recently as today. If an advanced nation-state penetrated this network, they probably didn’t have to work very hard to gain a foothold.
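The correlation described above (match threat-feed hits against an organization's CIDRs, then group them per IP) can be sketched as follows. This is an added example, not ScoutVision code: the CIDRs, feed rows and the "more than one indicator" gateway threshold are constructed assumptions, and the addresses are documentation-only ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-only ranges (RFC 5737)
# standing in for an organization's announced CIDRs.
ORG_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed threat-feed rows: (ip, indicator, date observed).
FEED = [
    ("192.0.2.10", "Conficker", "2014-01-14"),
    ("192.0.2.10", "ZeuS Gameover", "2014-06-02"),
    ("192.0.2.10", "spam blacklist", "2014-08-21"),
    ("198.51.100.7", "Conficker", "2014-03-09"),
    ("198.51.100.200", "Conficker", "2014-03-09"),   # outside the /25
    ("203.0.113.5", "ZeuS Gameover", "2014-05-01"),  # not an org range
    ("not-an-ip", "spam blacklist", "2014-05-01"),   # malformed row
]

def correlate(cidrs, feed):
    """Group feed hits by IP for addresses inside the given CIDRs."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits = defaultdict(lambda: {"indicators": set(), "dates": []})
    for raw_ip, indicator, seen in feed:
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # skip malformed feed rows rather than abort
        if any(ip in net for net in networks):
            hits[str(ip)]["indicators"].add(indicator)
            hits[str(ip)]["dates"].append(seen)
    report = {}
    for ip, h in hits.items():
        report[ip] = {
            "indicators": sorted(h["indicators"]),
            "first_seen": min(h["dates"]),  # ISO dates sort lexically
            "last_seen": max(h["dates"]),
            # Assumed heuristic: several distinct indicators on one
            # address suggests a gateway or proxy with hosts behind it.
            "likely_gateway": len(h["indicators"]) > 1,
        }
    return report

if __name__ == "__main__":
    for ip, row in sorted(correlate(ORG_CIDRS, FEED).items()):
        print(ip, row)
```

A flagged address is a starting point for internal triage: NAT and proxy logs for the first-seen to last-seen window are what identify the individual infected hosts behind it.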