Hospital Hit With Cryptocurrency Mining Malware
HealthcareInfoSecurity, Marianne McGee, February 8, 2018
Do healthcare entities face a growing risk of being hit with cryptocurrency mining attacks, which have become more common in other sectors? A Tennessee hospital may be the first victim in the sector, and some security experts predict many more such incidents.
Cryptocurrency mining refers to solving computationally intensive mathematical tasks, which are used to verify the blockchain, or public ledger, of transactions. As an incentive, anyone who mines for cryptocurrency has a chance of getting some cryptocurrency back as a reward. Some miners hack into computer systems and install malware to enable them to get extra computing power. This can make systems run slower.
Decatur County General Hospital in Parsons, Tennessee, is notifying more than 20,000 individuals that their health information was potentially compromised by an incident last year involving cryptocurrency mining software discovered on an electronic medical records server.
In a recent statement, the hospital says that on Nov. 27, 2017, it received a security incident report from its EMR system vendor, which it did not name, indicating that unauthorized software had been installed on the server the vendor supports on the hospital’s behalf.
“The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency,'” the hospital says. “Following receipt of the incident report, we began our own investigation into the incident. At this time, our investigation continues, but we believe an unauthorized individual remotely accessed the server where the EMR system stores patient information to install the unauthorized software.”
The software was installed on Sept. 22, 2017, or earlier, and the EMR vendor replaced the server and operating system about four days later, the hospital says.
The hospital’s statement did not offer an explanation about why the EMR vendor apparently took more than two months to notify the hospital about the cryptocurrency mining discovery. And the hospital did not immediately respond to Information Security Media Group’s request for additional information about the incident.
Other healthcare entities are at increasing risk of cryptocurrency mining attacks as they become more popular among cybercriminals.
“This type of attack is quite commonly targeting database servers running MS SQL and MySQL databases. Certain researchers have identified a Chinese criminal group targeting these servers to mine cryptocurrencies, exfiltrate information and for building a DDoS botnet,” notes Mac McMillan, CEO of security consulting firm CynergisTek.
Keith Fricke, principal consultant at tw-Security, says cryptocurrency mining schemers “scan the Internet for systems with vulnerabilities that can be exploited, granting them unauthorized access for purposes of installing cryptocurrency mining software. This becomes a cheaper alternative to purchasing their own hardware and paying for electricity to run it. Cryptocurrency miners aren’t specifically seeking systems in healthcare; they compromise any system they can find.”
Despite the growing cryptocurrency mining threat, Fricke contends that ransomware is still likely a bigger threat to healthcare entities because of the potential disruptions to care delivery as well as possible privacy breaches ransomware poses.
But McMillan says certain types of cryptocurrency miners could be just as damaging as a ransomware attack.
“In fact you could argue that an undetected cryptocurrency attack with a remote access capability to the database could be more damaging from an unauthorized access or identity theft perspective, while a successful ransomware attack that disrupts the hospital’s ability to deliver services would be worse from a patient safety/business impact perspective,” he says. “Pick your poison.”
“Because these cryptocurrency miners work around the clock, they tend to hog bandwidth so watch for slowing of systems infected, heightened electrical use, and check database user accounts for those typically associated with known cryptocurrency mining malware and/or unknown user accounts.”
Healthcare entities face other related risks with cryptocurrency mining, contends Jonathan Tomek, senior director of threat research at LookingGlass Cyber Solutions.
“There are great risks to any compromise or infection of hospital data,” he says. “Beyond impacting the power bill and annoyance of fans blaring, medical data could be on the line. Medical records may be backed up. However, that does not mean they are secured if the backup systems fail or are compromised. Another concern is the kinetic expression of a cyberattack. For example, there could be a fire due to a huge demand on a computer, which could destroy one system, many systems, or risk human life.”
Steps to Take
Healthcare entities can take steps to better detect these incidents as well as reduce their risk of becoming victims of cryptocurrency mining malware attacks.
“Cryptocurrency mining software can tax the processing capabilities of a system, leading to a degradation in system performance,” Fricke notes. “Additionally, look for suspicious software services running in the system’s memory. There may be some unexpected outbound traffic from the compromised server communicating computation results to an external party.”
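As an added illustration of the indicators Fricke and McMillan describe (this is not code from the article or from either consultancy), the following Python triage script checks a constructed process snapshot, outbound connection list and SQL login list against an assumed baseline; the internal network ranges, service names, addresses and login names are all constructed.

```python
"""Triage heuristics for a suspected mining compromise on a database server:
an unknown process pegging the CPU, outbound sessions from the server to
external hosts on non-database ports, and database logins not on the
approved list. All baseline values and sample data below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed baseline an administrator would maintain for the server.
KNOWN_SERVICES = {"sqlservr.exe", "svchost.exe", "lsass.exe", "System"}
KNOWN_DB_LOGINS = {"sa", "emr_app", "backup_svc", "reporting_ro"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
CPU_THRESHOLD = 80.0  # percent; miners run near 100% around the clock

def flag_processes(procs, known=KNOWN_SERVICES, threshold=CPU_THRESHOLD):
    """Names of processes not in the baseline that sit above the CPU threshold."""
    return sorted(p["name"] for p in procs
                  if p["name"] not in known and p["cpu"] >= threshold)

def flag_outbound(conns, nets=INTERNAL_NETS, db_ports=(1433, 3306)):
    """External destinations that are not database traffic; a miner holds a
    long-lived outbound session to report computation results."""
    hits = []
    for c in conns:
        dst = ip_address(c["raddr"])
        if any(dst in net for net in nets) or c["rport"] in db_ports:
            continue
        hits.append(f'{c["raddr"]}:{c["rport"]} ({c["proc"]})')
    return hits

def flag_db_logins(logins, known=KNOWN_DB_LOGINS):
    """Database accounts that nobody on the team created."""
    return sorted(set(logins) - known)

# Constructed sample snapshot of the server (names and addresses are made up).
SAMPLE_PROCS = [{"name": "sqlservr.exe", "cpu": 12.5},
                {"name": "svchost.exe", "cpu": 1.0},
                {"name": "updsvc.exe", "cpu": 97.3}]   # unknown, CPU pegged
SAMPLE_CONNS = [{"proc": "sqlservr.exe", "raddr": "10.20.5.14", "rport": 1433},
                {"proc": "updsvc.exe", "raddr": "203.0.113.45", "rport": 3333}]
SAMPLE_LOGINS = ["sa", "emr_app", "backup_svc", "reporting_ro", "usr_x"]

def triage(procs=SAMPLE_PROCS, conns=SAMPLE_CONNS, logins=SAMPLE_LOGINS):
    """Run all three checks and return the findings for the incident ticket."""
    return {"cpu_hogs": flag_processes(procs),
            "external_sessions": flag_outbound(conns),
            "unknown_logins": flag_db_logins(logins)}

if __name__ == "__main__":
    for check, findings in triage().items():
        print(f"{check}: {findings or 'none'}")
```

Each finding on its own is weak evidence; the combination of an unknown high-CPU process that also owns the external session is what should trigger an incident response.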
McMillan suggests that entities “harden their servers according to MS SQL hardening guides, then reinforce access controls. Make a list of the systems that have access to database servers, particularly any that also connect to the internet, and both reduce those connections to the least necessary and strengthen security on those that remain.”
Other key steps, he says, include improving cybersecurity hygiene, enhancing detection and monitoring and improving reaction/response capabilities.
Tough to Detect
Researchers from Cisco Talos, in a recent report, noted: “Attackers are not stealing anything more than computing power from their victims, and the mining software isn’t technically malware. So theoretically, the victims could remain part of the adversary’s botnet for as long as the attacker chooses.”
Talos research indicates that cryptocurrency-mining botnets could generate up to $100 million a year. Individual infections generating the equivalent of spare change still add up: Talos says creating a modest botnet, consisting of 200,000 nodes, could pull in $500 a day in monero cybercurrency, or $182,500 annually.
Anti-malware vendor Malwarebytes, in a research report issued in late 2017, noted that due to the growing popularity and market value of cryptocurrencies, “we have seen an increase in not only the number of malicious attacks using cryptominers, but also the methods used for attack. We define the malicious use of cryptominers to include any method that uses the system resources of an unsuspecting victim in order to mine cryptocurrency. We call this drive-by mining.” (See Ransomware Outlook: 542 Crypto Lockers and Counting.)
The Decatur County General Hospital breach is listed on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website as a “hacking/IT incident” impacting 24,000 individuals and involving a network server. The HHS website, commonly called the “wall of shame”, lists health data breaches impacting 500 or more individuals.
The breach, which was reported to the wall of shame on Jan. 26, is listed as having had no business associate involved, despite the hospital’s statement about the incident being detected by an EMR vendor.
In its statement, the hospital notes that based on its investigation so far, and “numerous news stories about computer systems around the country being affected by similar incidents involving the unauthorized installation of this type of software … we do not believe that your health information was targeted by any unauthorized individual installing the software on the server.” Still, the hospital has not been able to “reasonably verify” that attackers did not access patients’ protected health information.
Data contained on the affected server included demographic information, such as patient names, addresses, dates of birth, and Social Security numbers; clinical information, such as diagnosis and treatment information; and other information, such as insurance billing information, the hospital says.
The hospital is offering one year of free credit monitoring to affected individuals.