Security firm TrapX first reported on the MEDJACK attack back in 2015 and updated its research again in 2016. At the RSA Conference last week, TrapX detailed the latest evolution of the MEDJACK attack.
The basic idea behind the original two MEDJACK attacks was that attackers designed specific malware tools that gave them backdoor access to medical devices. With that access, the attackers were able to steal data from the affected hospitals and even deploy ransomware-type attacks.
With the new MEDJACK.3 attacks, Anthony James, VP of marketing at TrapX Security, told eSecurityPlanet that researchers at his firm found an increasingly sophisticated form of medical device attack. With MEDJACK.3, the malware now includes anti-virtual machine (VM) and anti-debugging capabilities that let it detect when it is running inside a virtualized environment.
MEDJACK.3 is specifically going after medical devices running older operating systems, including Windows XP and Windows Server 2003. When the new MEDJACK.3 malware encountered newer operating systems, it simply ignored them, looking instead for the older systems, which were easily exploited.
The new attacks detected by TrapX specifically went after a medical system called PACS (Picture Archiving and Communications System), which has access to a large repository of patient images and other medical records. Once a target system was infected, the MEDJACK.3 malware polled the network every three hours, looking to spread to other devices on the network.
Simply rebooting an infected machine isn't enough to get rid of MEDJACK.3, as the malware also includes a persistence capability that registers it with Windows autorun so that it is launched again at system startup.
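One way a defender could hunt for the three-hour polling behaviour described above, as an added example that is not from the article or from TrapX: a Python script that flags hosts whose bursts of connections to many neighbours recur at roughly three-hour intervals. The log format, addresses and thresholds are constructed assumptions, not anything the report specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article), one "timestamp src dst dport" per line:
# 10.0.5.20 plays an infected PACS host sweeping neighbours on 445 every ~3 hours; 10.0.5.31 is benign.
SAMPLE_LOG = """\
2017-02-20T00:02:11 10.0.5.20 10.0.5.21 445
2017-02-20T00:02:12 10.0.5.20 10.0.5.22 445
2017-02-20T00:02:13 10.0.5.20 10.0.5.23 445
2017-02-20T01:15:00 10.0.5.31 10.0.5.50 443
2017-02-20T03:01:40 10.0.5.20 10.0.5.21 445
2017-02-20T03:01:41 10.0.5.20 10.0.5.22 445
2017-02-20T03:01:42 10.0.5.20 10.0.5.23 445
2017-02-20T04:30:00 10.0.5.31 10.0.5.50 443
2017-02-20T06:03:05 10.0.5.20 10.0.5.21 445
2017-02-20T06:03:06 10.0.5.20 10.0.5.22 445
2017-02-20T06:03:07 10.0.5.20 10.0.5.23 445
"""

MIN_FANOUT = 3                      # distinct destinations that make a 10-minute bucket a "sweep"
PERIOD = timedelta(hours=3)         # polling interval reported for MEDJACK.3
TOLERANCE = timedelta(minutes=15)   # jitter allowed around that interval

def parse_log(text):
    """Yield (timestamp, src, dst) from the whitespace-separated log format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, _port = line.split()
            yield datetime.fromisoformat(ts), src, dst

def find_sweeps(events):
    """Per source host, the start times of 10-minute buckets that touched >= MIN_FANOUT hosts."""
    buckets = defaultdict(set)
    for ts, src, dst in events:
        start = ts.replace(minute=ts.minute - ts.minute % 10, second=0, microsecond=0)
        buckets[(src, start)].add(dst)
    sweeps = defaultdict(list)
    for (src, start), dsts in sorted(buckets.items()):
        if len(dsts) >= MIN_FANOUT:
            sweeps[src].append(start)
    return sweeps

def periodic_scanners(text):
    """Return hosts whose sweeps recur at roughly PERIOD, the MEDJACK.3 polling pattern."""
    flagged = []
    for src, starts in find_sweeps(parse_log(text)).items():
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(gaps) >= 2 and all(abs(g - PERIOD) <= TOLERANCE for g in gaps):
            flagged.append(src)
    return flagged
```

A sweep that straddles a 10-minute boundary is split across two buckets, so on real data widen the bucket or merge adjacent ones before counting fan-out.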
To help detect and reduce the risk of attacks like MEDJACK, TrapX has a deception platform called DeceptionGrid that is now being updated to version 6.0. The basic idea behind DeceptionGrid is that it deploys 'traps', fake services that aim to trick attackers into thinking they are attacking real devices.
With DeceptionGrid 6.0, as opposed to just application or device traps, there is now the ability to simulate a full operating system, enabling a very sophisticated full stack trap. The new update also provides enhanced visualization for attacks as well as improved identification to help determine if an attack is automated.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.