HC3 Alerts Healthcare Sector Concerning Threat of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief to the healthcare and public health sector warning of a rise in financially motivated zero-day attacks and outlining the mitigations that should be implemented to reduce risk to a low, acceptable level.

A zero-day attack exploits a vulnerability for which no patch yet exists. Such vulnerabilities are called zero-days because the software’s developer has not yet released a patch to fix them.

A zero-day attack is one in which a threat actor uses a weaponized exploit for a zero-day vulnerability. Zero-day vulnerabilities are exploited in attacks on every industry and are not solely a concern for the healthcare sector. In 2010, for example, the “Stuxnet” attack on the Iranian nuclear program used exploits for 4 zero-day vulnerabilities and caused Iranian centrifuges to destroy themselves, disrupting Iran’s nuclear program.

More recently, in 2017, a zero-day vulnerability was leveraged to deliver the Dridex banking Trojan. Ordinarily a user would have to take further action after opening a malicious email attachment before malware could be downloaded; by incorporating a zero-day exploit, the attackers could install Dridex as soon as the victim simply opened the malicious attachment.

By their nature, zero-day vulnerabilities cannot have their risk eliminated entirely, since software developers need time to build patches that resolve them; nevertheless, measures can be implemented to reduce the opportunity for zero-day vulnerabilities to be exploited.

The number of zero-day exploits discovered more than doubled between 2019 and 2021. This is a result of the high prices that zero-day exploits command: the cost of working exploits rose by more than 1,150% from 2018 to 2021. Whereas the market for zero-day exploits was once limited to a handful of well-funded groups, there are now many cybercriminal groups with substantial resources that are willing to pay, knowing they will recoup the cost many times over by using the exploits in attacks. Today a zero-day exploit can be worth in excess of $1 million.

Zero-day attacks specifically targeting the healthcare sector are highly likely. In August 2021, a zero-day vulnerability known as PwnedPiper was disclosed in the pneumatic tube systems used by hospitals to transport biological samples and medications. The vulnerability lay in the control panel, which allowed unsigned firmware updates to be installed. An attacker could exploit it to take control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were discovered in OpenClinic that exposed patients’ test data. Unauthenticated attackers could retrieve files containing sensitive records from the medical test database, including medical test results.

The best defense against zero-day vulnerabilities is to apply the patch as soon as it is released, but patching is often slow, particularly in healthcare. A 2019 Ponemon Institute survey found that it took about 97 days to implement, test, and deploy a patch for a zero-day vulnerability after the patch became available.

HC3’s advice is to “patch quickly, patch frequently, patch totally.” HC3 provides up-to-date information on actively exploited zero-days and the patches available to address them. HC3 also recommends deploying a web application firewall to inspect incoming traffic and filter malicious input, which can prevent threat actors from gaining access to vulnerable systems. It is also advisable to use runtime application self-protection (RASP) agents, which sit inside an application’s runtime and can detect anomalous behavior. Network segmentation is likewise strongly recommended.

The TLP:WHITE Zero-Day Threat Brief can be downloaded from this page.