Data theft-It’s not just for medical facilities

 There’s been volumes written about data theft in medical facilities, methods, and effects. This is no

wonder given the mountain of data created daily from the patient care and operations. Another viable

target would be auto dealerships. This hold much the same data hospital would generally. When a

person purchases their vehicle, as a course of the process, they provide their name, address, data of

birth, SSN, financial information, and other data. The hospital or medical care facility collects much the

same, with additional data for the patient care.

In this case an automotive dealership was compromised. On or about May 27, 2023, the Jeff Wyler

Automotive Family an unauthorized party compromised their perimeter security and was able to access

the consumer information (e.g., name, date of birth, SSN, driver’s license or state ID #, medical

information, health insurance information, and financial information). This was detected on January 29,

2024.

The method of attack unfortunately was not detailed. Anytime this event occurs, there’s something to

learn and use to build up your defenses. This experience does highlight the need for regular

cybersecurity assessments. This, depending on the environment and budget, may consist of vulnerability

scans, per tests, and threat feeds for your equipment. This also includes working on the vulnerabilities to

remove these and secure your system.

SSH Tool Weaponized

 One of the more interesting facets of this industry is there’s always something new to learn. The

creativeness and inventive nature shine with the new tools introduced for attacks and subsequently to

improve defenses. One area that hasn’t seen many new tools created has been with SSH. This is widely

used and continue to be a primary security method.

The new security tool is SSH-Snake. This is an open-source tool. Originally released in January 2024, the

design was to work through a network using SSH private keys. This is done automatically. The program

through its work then creates a thorough network map and its dependencies. The result allows the

security staff to understand vulnerable points where an attacker could use SSH and private keys.

You can see the usefulness of this for the company. Like any tool, there are positive and negative uses.

The negative side of the coin here is the tool was weaponized. This was modified to self-modify and

replicate itself through the network. The upgraded tool has been coded to find locations where

credentials are generally kept and analyzes the shell history files.

As an additional aspect to circumvent security, the tool is fileless. While this is newer, it allows for an

increased level of difficulty in detecting the tool and allows it a greater level of flexibility. This is still a

tool to be used to improve your network security stance. The weaponized version should be on your

radar.

Oil Pipeline Targeted

 Companies are targeted for attack for various reasons. One predominant reason continues to be

revenue. Without the possibility of a payout, there isn’t much reason for a group to spend the resources

to attack the target.

One set of high value targets are pipelines. A few years ago, there was an issue with a pipeline in the US

(i.e., Colonial Pipeline in 2021). Another pipeline has been compromised with the same form of attack,

but in Canada. In this case, the Alpha V group successfully compromised the Trans-Northern Pipeline’s

systems in three provinces and applied the standard ransomware. They were able to exfiltrate

approximately 190GB of data. The successful attack occurred in 2023.

Unlike the US attack, there were no unplanned interruption for the pipeline’s operations. Unfortunately,

not much has been published as to the attack method used, depth of network penetration, and type of

data. Portions of this information could be helpful as to how best to secure other’s networks. If any

nuances would occur with this attack.

We must continue to be ever vigilant. This includes having internal systems checked more than once

over time.

Supply Chain Lesson #587

 Bank of America is massive with branches throughout most of the nation and other countries. Being

such a large operation, the bank could not reasonably maintain all aspects of their operations from a

central hub. The vast expanse of this would increase their FTEs significantly. This standard operating

procedure is used in most industries.

One area BoA uses this is with their service providers. Infosys McCamish Systems (IMS) was

compromised on or around November 3, 2023. The next day in the chronology was November 24 when

IMS notified BoA the data with their deferred compensation plans may have been compromised. This

included for the individuals their name, address, social security number, date of birth, and financial

information (account number, credit card number, etc.). For this compromise, approximately 57,028

clients were impacted. This ransomware attacked was claimed by LockBit.

This set of data is perfect to sell and be abused. With this the attackers or whomever purchases the data

has ample people to attack.

Authentication became much more difficult

 We all understand the issues phishing has caused over the last few years. There have been countless

compromises targeting email systems and pivoting off these into other areas. When we thought, this

was starting to get controlled at some level, there’s a new wrinkle.

A finance worker of a multi-national firm attended a video conference call, just as so many of us do

every day. With this conference call, the finance worker was directed by the Hong Kong company’s

“Chief Financial Officer” to pay $25M. There were other “staff” in the call also. The message prior to the

meeting was a bit suspicious as it asked for the meeting to discuss a secret transaction.

Since other staff, who the finance worker recognized, were in the meeting, it seemed legitimate. The

$25M USD or $200M Hong Kong dollars were transferred. Well, not everything was as it seemed. The

CFO and other staff in the meeting were actually deep fakes. On the bright side, the police had arrested

six others with scams much like this.

Technology will find a way around the defenses and detection tools we put in place. We’ll improve the

defenses and tools only for the cycle to continue. In these instances where the transaction may not

quite feel right, the suspicious mind should overrule natural tendency of “It should be fine.” Our staff

training needs to be updated regularly to keep us with the new technology and attacks. Granted this

nuance is difficult to filter, but the human factor is there to apply common sense.

New Attack Focused on AV (autonomous vehicle) Sensors

 Attacks on AV sensors are popular at regional conferences and at the fountain of knowledge (aka

DEFCON). The different attacks are always interesting (e.g., SQL injection to gain access, creating a fake

object point in LiDAR, and others). Earlier this year a new attack emerged. The MadRadar is designed to

mask actual objects from the sensor or create fake/phantom objects for the sensor. Specifically, the

attack can provide the vehicle’s sensors with false positives, false negatives, and translation attacks.

The attack, created by a team at Duke University, is agnostic and may be used against any vehicle’s radar

system, making this exceptionally useful. The demonstration for this has shown the radar being tricked

into detecting a vehicle driving towards it instead of the vehicle driving away from the targeted vehicle.

Other demonstrations have created a vehicle where there was none. The attack is also flexible and can

adjust to different types of radar. This is done via the tool learning about the radar from the transmitted

signals. This ability to adjust is based on the target radar’s bandwidth, chirp time, and frame times.

This would be a viable attack against the different functions for vehicles using radar, as with adaptive

cruise control. With vehicles depending on sensors for autonomous driving, this is especially

problematic. This may also effect park assist, blind spot detection, and rear collision warming.

While this is from researchers, this is a viable attack to complicate AV operations.

Autonomous Vehicles (AVs) have a Substantial Attack Surface

 This is a fantastic age to live in. We have vehicles that notify us when another vehicle is near us, when we’re too close to the vehicle in front of us or the side of the road, when we are sliding inadvertently into the next lane, and log our activities. This is a massive step from the vehicles of 10-15 years ago. The sensors installed within the vehicle offer cutting edge technology for the driver. These also have improved safety for the occupants along with others on the roadmap. Have pentested an AV, I can attest this is a delight.

While I sing the praise of the AVs, there are issues. This has potential threats to the AVs due to the platform, sensors, and OS. These are all new attack surfaces and vulnerabilities. If exploited, these provide an opportunity for disaster. The new threats come from various sources. These new machines, as they are heavily dependent on software, are open to remote attacks. If successful, modules could be compromised. Depending on which one is targeted and breached, there are varying levels of criticality. For instance, steering or brake ECUs are relatively serious.

Data is the new gold and oil. This is especially the case with vehicles. Each collects a mass amount of data from general operations and the sensors. The data may be used in multiple scenarios.

While sensors have improved vehicle operations and safety, there are potential issues here also. The sensors could be spoofed, providing false data to the vehicle and data processing. The fake data could provide a false set of data for the surroundings. This could lead the vehicle on the wrong path.

While this could provide for issues, there are preventive measures to the taken. The software may be hardened, making these more robust. Patching is also pertinent. This occurring regularly limits the attack surface. Encryption should be used with vehicles data and communication. This limits the weak points which are targets.

  

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

Medical Device Connectivity

 

With our new technology advancing so rapidly on different fronts, the nuances in applications are growing. One of these is connectivity. Most of the public is aware of connectivity in vehicles. We see this as we’re driving with the infotainment system, making calls, or following a map. This is not by far the only industry embracing connectivity.

Another is the medical device field. Globally, this is estimated to triple its value by 2028. This may take the form of home health monitors, or cardiac monitors reporting data to the backend or receiving updates.

There are several factors driving this massive increase. One of these includes telehealth. Our population has endured much through the pandemic and post-pandemic. This has shaped how we shop, gather information, and utilize healthcare. The need and want for home healthcare has assisted in the growth. If the patients didn’t want it, there wouldn’t be the need or market for this. Related to this is remote patient monitoring. This may involve cardiac or other monitoring. This advance allows the patient to stay in their home while the device collects the data and uploads it to the doctor or other device.

While this works great for the patient and doctor, this also adds to the attack surface and provides another point to test. This is another area to secure, test, and maintain through the SDLC. 

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

New International Medical Device Standard

 With standards, regulations, statutes, etc., many feel this is a speedbump for their product. In the interest of the field, industry patient safety, and security these are a great idea. Without these in place, medical device cybersecurity could become like the Weld West with every entity doing their own thing, not following any guidance.

The FDA has recognized three new standards focused on medical device software security. These cover the total product lifecycle of medical device cybersecurity, data logging, software use, and reasonable software testing.

The first noted standard was ANSI/AAMI 2700-2-1. This standard is focused on medical device software’s safe usage in the integrated clinical environment (ICE). The specific usage is for data loggers to appropriately collect data in these systems. This includes the recording, data, storage, and playback for the data. The data usage would be for safety, quality assurance, and forensic analysis.

The second standard was ANSI/AAMI SW96:2023, which provides guidance on methods to manage security risks. Medical devices present a unique security risk. The standard addresses several security areas to identify threats and vulnerabilities and the controls to put in place to mitigate these.

Lastly ISO IEC IEEE 29119-1 provides guidance on germane topics in the field including software.

These standards provide additional guidance and a framework to further the safety and security for the products. By adding these into our security tools, the attack surface is decreasing, and potential attacks are mitigated.

 Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

IoT Devices Need Cybersecurity Attention

 IoT devices have evolved and expanded into commercial, and consumer uses. These appear throughout people’s homes with refrigerators, ovens, thermostat, light bulbs, and many other pieces of equipment.

Smart thermostats have become more prevalent in residences in the last few years. These are a nice addition in that these are trained to learn your optimal temperature, when you on average are in the house, and other useful assists.

While these have beneficial aspects with this, let’s not forget about detriments. When smart thermostats have not included cybersecurity through their dev cycle and SDLC, you can be answering many questions from clients, federal agencies, and other interested persons and stakeholders when something goes wrong (i.e., a significant compromise).

Recently two models for smart thermostats have been noted to have multiple security vulnerabilities. When successfully exploited, the bad actors would be executing the code they wanted on the device. The device could be weaponized with modified or rogue firmware.

The vulnerability allows an unauthenticated connection from a local network. The attack point is the WIFI microcontroller. This acts as a network gateway. This has been corrected, but only after the vulnerability had been known and open. This emphasizes the need for cybersecurity to be applied through the dev cycle, with security being at each gate. This also requires staff being comfortable in working with embedded systems, and all the nuances associated with these. Embedded systems require a different set of skills, different than the traditional IT.

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

 

Standards Assist with Medical Device Cybersecurity

 The technology expansion is pushing the options for medical device connectivity. The options and configurations used to be relatively limited. Connectivity continues to grow in its different forms. While this is great for the industry, doctors, and patients, applied cybersecurity also needs to be addressed in every step of the way.

These connected devices connect to the network using Bluetooth, BLE, or WIFI for communications. If configured correctly and cybersecurity being incorporated throughout the process, generally this should work well. To assist with this and provide guidance there are standards for medical devices (e.g., IEC 62304, ISO 14971, and FDA guidance). These provide directed guidance. The key though is documentation. The documents need to show not only you have secured these standards but have implemented them. Part of the plan and implementation includes the product’s risk analysis. I mention this specifically is the risk analysis or TARA is the bedrock for risk analysis. When thorough this will show the vulnerabilities, which need to be addressed. This system’s review will build a solid cybersecurity plan and product for your customers.

 Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

Chicago Children's Hospital Targeted

 

There’s been a lot written about medical facilities being targeted and compromised over the last five years. The compromises have varied with their penetration into the network and data. The greater the attack’s expanse, the more potential for patient suffering. In late January/early February, Lurie Children’s Hospital system was compromised. This was rather significant with their phones, email, internet service, and medical equipment affected. These systems are in different operational areas in their network, which indicates this was a bit more than the usual attack. The department for penetration in the different systems is notable.

The timeframe for the affected systems was relatively short, at two days. This was still devastating for the staff and patients. The situation was further complicated by the data from the operations that did continue having to be merged into existing data sets.

With hospitals holding so much valuable data, this trend will continue if not grow. There is ample to do with all the patient PII, insurance information, medical history, and other data the hospitals have accumulate every day.

To rebound from this is much more than getting the systems up. The security staff needs to also understand the attack vector and how it was implemented, what systems were breached (not only the ones that were overly noticed), and what data was accessed.

The hospital has much work to do with the incident response. This unfortunately is a prime example of what can happen. Systems need not only be secured but monitored and the tooling reviewed at a regular cadence. Just like the industry is dynamic, so is the tolling. There may be better options or configurations available in the next review cycle.

 

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

Repository=Malware Depository

 Not too long ago, repositories were not targeted. If you used a library or repository, there was a reasonable assumption it could be trusted and used without an issue. There started to be a trend around 2017 with malicious packages being placed in the Python Package Index (PyPI). There was also the case of the University of Minnesota sending buggy packages to Linux as a research experiment. Somehow this was approved by their research ethics board. The University was banned for their behavior from the repository.

In January 2024, more malicious packages were detected in the PyPI. One piece of malware noted this time around was the White Snake Stealer. These were uploaded by a bad actor named “WS”. The malware is designed to harvest data from web browsers, cryptocurrency wallets, and apps.

This is one reason not to blindly trust the repositories. You never know. Generally, you will be fine. As President Reagan is often quoted, “Trust, but verify.” There are several tools openly available to scan these for vulnerabilities. The last thing you want is to poison your elegant code with malicious code from a “trusted” repository. 

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

Medical IoT Devices

 The technology with medical devices and the protocols continue to improve. For example, we started with WIFI, moved to BlueTooth, and improved to BLE (BlueTooth Low Energy). There are many other examples throughout the products. One of the latest pushes is for AI integration. This has vast potential to improve the entire device’s operations and security. The full integration of IoT into medical devices cannot be overlooked.

There are several factors driving this. There is an increasing demand for remote patient monitoring. Our population is aging. The demographics are clear. The aging population has more chronic diseases, which tends to need more of this remote patient monitoring. These can provide real-time monitoring for the patient’s vital signs, for example. This allows for ease of collecting data and proactive management for chronic diseases.

The connectivity has also been beneficial. The updated protocols allow for the ease of data transmission. These also have greater security, which likewise is a bonus.

With the vast amount of data collected, the patient’s doctors can provide a much more specialized level of patient care. The diagnosis and treatment have the potential to be specifically tailored for them.

With the ease of use, functionality, and improved security, these may be used in many more types of facilities. This includes hospitals, rehabilitation centers, homes, and other facilities.

 

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511

Energy Sector's Criticality

 

The attacks on the energy sector have been increasing. This is a critical vulnerability for the nation. A successful attack on, for example, the electrical grid would be a disaster from every view. I still remember the time when the grid in the NE region of the US went down in the early 2000s. This was unintentional yet if you lived in the region and was out of power, both consumers and commercial clients, the effect was devastating.

Looking to recent events, there have been attacks that continue to show the vulnerabilities and the effects from these, both financial and human. We can remember the 2021 Colonial Pipeline ransomware attack. The company experienced large financial losses and disrupted their operations. On the attacker’s side, they removed without authorization (i.e., stole) approximately 100GB of data and received $4.4M. A significant portion of this was retrieved, however overall, this had direct negative impacts on the business.

This isn’t a US issue, but global. In 2022, European oil refining ports and storage facilities were targeted. This included 17 terminals. This industry needs the blue team cybersecurity attention. Without this, we will have direct issues affecting our daily lives. 

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Product Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) |

Supply Chain Cybersecurity Review 

Reverse Engineering

 charles.parker@mielcybersecurity.net 810-701-5511