Healthcare organizations have been slow to correct the flaw in Remote Desktop Services that was patched by Microsoft on May 14, 2019, but a new report from cybersecurity firm Armis has revealed many healthcare organizations have still not patched the Windows Server Message Block (SMB) flaw that was exploited in the WannaCry ransomware and NotPetya wiper attacks in May and June 2017.
The WannaCry attacks served as a clear reminder of the importance of prompt patching. Microsoft released patches for the vulnerability on March 2017. On May 12, 2017, the WannaCry ransomware attacks started. In the space of just a few days, more than 200,000 devices were infected in 150 countries.
The hackers behind the attack used the NSA exploits EternalBlue and DoublePulsar to spread the malware across entire networks. The National Health Service (NHS) in the UK was hit particularly badly due to the extensive use of legacy systems and the failure to apply patches promptly. Around one third of NHS Trusts in the UK were affected, 19,000 appointments had to be cancelled at a cost of around £20 million, and the cleanup cost was around £72 million.
Globally, the attacks are estimated to have cost $4 billion, with $325 million of that amount paid in ransoms to recover files that were encrypted by the ransomware.
WannaCry is still active and is being used in attacks around the globe, even though the attacks could be prevented by applying Microsoft’s MS17-010 patch.
According to the Armis report, around 40% of healthcare delivery organizations have experienced at least one WannaCry ransomware attack in the past 6 months. It is a similar story in manufacturing, where 60% of companies in the sector have experienced at least one attack in the past 6 months.
The problem is the continued reliance on legacy software. “In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling,” said Armis VP of research, Ben Seri.
Searches on the Shodan search engine showed around 1.7 million devices are still vulnerable to attack, even though patches were released by Microsoft more than 2 years ago. Those devices are being attacked at an alarming rate.
According to Armis, attacks are taking place in 103 countries at a rate of around 3,500 devices per hour. Seri determined that around 145,000 devices are currently compromised.
Thanks to the identification and activation of a kill switch in May 2017, it was possible to prevent encryption, even on devices that had been compromised. While that prevented many organizations from having to pay the ransom, it did not mean the threat had been neutralized entirely. Several variants of the ransomware are now in use, some of which lack the kill switch.
In Q3, 2018, 30% of all ransomware attacks involved WannaCry and the United States has the highest number of attacks. In the United States there are around 130,000 new attacks conducted every week.
All it takes is for one device to be infected with WannaCry. That device can then be used to move laterally and infect many other vulnerable devices on the network through the use of the DoublePulsar exploit.
The failure to apply patches due to having to rebuild systems is not the only problem. Seri explained that healthcare organizations often have a large number of unmanaged devices. Security agents have been turned off or uninstalled out of frustration, unsanctioned devices are connected to the network, and many IoT devices are allowed to connect to the network, even though they cannot have security agents installed. This creates a major blind spot for IT teams who are unable to monitor those devices and, in many cases, they have zero visibility into their existence.
Preventing attacks is straightforward in theory, but time consuming and complicated in practice. Patches must be applied, even though that process is difficult and time consuming. It is essential for IT teams to maintain an asset inventory of all devices that connect to the network and to monitor those devices and monitor networks for other unknown, suspicious, or misplaced devices.
Solutions also need to be implemented that monitor and protect unmanaged devices that lack security controls. “Healthcare and manufacturing environments are rampant with such devices from MRIs to infusion pumps to ventilators to industrial control devices, robotic arms, HMIs, PLCs, etc. Without such solutions, these devices, and consequently your entire network, are sitting ducks for any hacker,” explained Seri.
According to Seri, 70% of devices in healthcare are running old operating systems such as Windows 7. Seri points out that Windows 7 will reach end of life in 2020 and will no longer be supported, which will leave the healthcare industry even more vulnerable to attack.
The latest patch for the flaw in RDS is also not being applied, even though the flaw can be exploited remotely with no user interaction required in a WannaCry-style attack. As Seri explained, many organizations will not consider patching until an exploit is developed and attacks commence. Of course, by then, it may be too late.