Where there are Breaches, there are Infections
– by Jason Lewis
Community Health Systems (CHS) recently announced that its network of 206 hospitals was hacked, exposing the information of 4.5 million patients. On the surface, one would think that a company that handles patient information would be vigilant about security, considering the high cost of HIPAA violations.
A quick search for Community Health Systems within our ScoutVision platform reveals an autonomous system number (ASN) and a number of CIDRs. Using this information we can search for current and historical infections and threat indicators on those networks. We immediately found 12,500 Internet Protocol (IP) addresses associated with CHS, of which ten (10) are linked with the bots and blacklists below:
- ZeuS Gameover
These bots are known for performing SQL injections, phishing scams, spamming, bitcoin theft, data exfiltration, proxy services, click fraud and banking credential theft. Not surprisingly, these same IPs also show up on spam blacklists.
In every case, multiple threat indicators are associated with each individual questionable IP. That suggests these IPs are gateways or proxies with multiple hosts behind them. There is a high likelihood that these infected hosts are able to access a virtual private network (VPN) that connects back to CHS headquarters.
It’s concerning, but not surprising, that this network has active Conficker infections. Conficker was discovered in late 2008, and the Windows vulnerability it spread through (MS08-067) had already been patched by the time the worm appeared. These infections are a strong indicator that systems have gone unpatched for years – a common theme in the healthcare industry.
LookingGlass has observed these IPs showing infections as early as January 2014 and as recently as today. If an advanced nation-state penetrated this network, they probably didn’t have to work very hard to gain a foothold.
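The workflow described above, attributing threat-feed sightings to an organization's own address space, flagging IPs that carry several unrelated indicator families (the gateway/proxy heuristic), and checking how old the oldest still-active malware is, can be reproduced with any feed export. The script below is an added example, not ScoutVision or LookingGlass code; the CIDRs, IP addresses, indicator families and sighting dates are constructed for illustration, and the per-family "fixed year" table is a stand-in for whatever vulnerability-age data you keep (the 2008 entry for Conficker reflects the real MS08-067 patch year).

```python
"""Attribute threat-feed sightings to an organization's CIDRs (added example).

All inputs below are constructed: the CIDRs stand in for what an ASN lookup
returns, and the sightings stand in for a blacklist/sinkhole feed export.
"""
import ipaddress
from datetime import date

# Constructed: address ranges the ASN lookup attributed to the organization.
ORG_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed feed rows: (source IP, indicator family, date observed).
SIGHTINGS = [
    ("203.0.113.17", "zeus_gameover", date(2014, 1, 9)),
    ("203.0.113.17", "spam_blacklist", date(2014, 3, 2)),
    ("203.0.113.17", "conficker", date(2014, 8, 20)),
    ("203.0.113.40", "conficker", date(2014, 5, 1)),
    ("198.51.100.9", "click_fraud", date(2014, 2, 14)),
    ("198.51.100.9", "spam_blacklist", date(2014, 8, 19)),
    ("192.0.2.5", "zeus_gameover", date(2014, 6, 6)),  # outside the org's ranges
]

# Constructed lookup: year the family's exploited flaw was patched.
# Conficker spread via MS08-067, which Microsoft patched in 2008 (real year).
FAMILY_FIXED_YEAR = {"conficker": 2008}


def address_count(cidrs=ORG_CIDRS):
    """Total addresses in the attributed ranges (the '12,500 IPs' figure)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def in_org(ip, cidrs=ORG_CIDRS):
    """True if `ip` falls inside any of the organization's CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def summarize(sightings, cidrs=ORG_CIDRS):
    """Collapse feed rows onto org IPs.

    Returns {ip: {"families": {family: last_seen}, "first": date, "last": date}}.
    Rows whose IP is outside the org's ranges are ignored.
    """
    out = {}
    for ip, family, seen in sightings:
        if not in_org(ip, cidrs):
            continue
        rec = out.setdefault(ip, {"families": {}, "first": seen, "last": seen})
        rec["families"][family] = max(rec["families"].get(family, seen), seen)
        rec["first"] = min(rec["first"], seen)
        rec["last"] = max(rec["last"], seen)
    return out


def likely_gateways(summary, min_families=2):
    """IPs tagged with several unrelated families: a single host rarely runs
    a banking trojan, a spam bot and a worm at once, so the address is more
    likely a NAT gateway or proxy with many infected hosts behind it."""
    return sorted(ip for ip, r in summary.items() if len(r["families"]) >= min_families)


def stale_infections(summary, lookup=FAMILY_FIXED_YEAR, years=3):
    """(ip, family) pairs still sighted at least `years` after the fix shipped,
    i.e. evidence of hosts that have not been patched for a long time."""
    hits = []
    for ip, r in summary.items():
        for fam, last_seen in r["families"].items():
            if fam in lookup and last_seen.year - lookup[fam] >= years:
                hits.append((ip, fam))
    return sorted(hits)


def observation_window(summary):
    """Earliest and latest sighting across all org IPs, or None if no hits."""
    if not summary:
        return None
    return (min(r["first"] for r in summary.values()),
            max(r["last"] for r in summary.values()))


if __name__ == "__main__":
    s = summarize(SIGHTINGS)
    print(f"{len(s)} of {address_count()} attributed addresses have sightings")
    print("likely gateways/proxies:", likely_gateways(s))
    print("stale infections:", stale_infections(s))
    print("observation window:", observation_window(s))
```

Swap `ORG_CIDRS` for the ranges your ASN lookup returns and `SIGHTINGS` for a feed export, and the same three questions fall out: how much of the attributed space is implicated, which addresses are probably aggregating many hosts, and how long the oldest infections have been left untreated.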