So for blog #3, I decided to write about ethical hacking since I took a boot camp and received my certification just a week ago. The reason I am going to discuss this with regards to healthcare is specifically the vulnerabilities I have addressed in past blogs, and how ethical hacking could have been used to prevent this incident from happening. First I want to talk about the boot camp for Certified Ethical Hacker itself.

The class first taught us how to conduct open source intelligence collection. In other words, it taught us how to look at websites for information that may be helpful to a pen tester. For example, the pen tester may find organization charts or the email address format. They can also search for information on specific employees. Take myself as an example: if you search for my name, you typically find a lot of information that shows I am an avid runner, including race results and even pictures of me running. You can also see that I am a Cubs fan and a fisher, just from pictures in a Google search. You can see my LinkedIn profile that shows my profession. There are also webpages that show I have supported a respiratory health charity. You can find that I am a Florida State alum. All of this is information that can be used against me in an attempt to send me a spear phishing email. In fact, this has been used against me.

A year or so ago, someone spoofed what appeared to be a friend’s email. The name that showed up appeared to be a family friend. Inside the email itself was a link for information about a “race”. Even the wording was crafted quite well, and stated something along the lines of, “Hey Steve I know you love running in races, here is this one I just found, <link>”. It even made it appear to be a charity run. Thankfully, I knew better. This family friend never emails me, so that sent up a red flag right away. I hovered over the name and saw that it was not her email address. I then hovered over the link and saw that it wasn’t to the page it said it was. All of the information they found about me, the attacker tried to use against me.

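The two tells described above (a familiar display name on an unfamiliar address, and a link whose visible text disagrees with where it really goes) are easy to check automatically. The Python below is an added example, not code from the original post: it parses a raw message with the standard library, compares the From display name against the address on file for that contact, and compares each link's visible URL against its href. The message, the contact list and all domains are constructed for the example.

```python
"""Spot two spear-phishing tells in a raw email: a sender display name that
does not match the address we have on file for that contact, and a link whose
visible text is a URL on a different domain than its real href.
All messages, contacts and domains below are constructed for this example."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed suspicious message: a friend's display name on a stranger's
# address, and a charity-run link whose anchor text hides a different host.
RAW_MESSAGE = b"""From: "Jane Friend" <promo@example-races.invalid>
To: steve@example.invalid
Subject: Charity run this weekend
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hey Steve I know you love running in races, here is this one I just found:
<a href="http://login.example-bad.invalid/race">https://www.charity-run.example/signup</a></p>
</body></html>
"""

# Constructed benign message from the real contact, with ordinary link text.
CLEAN_MESSAGE = b"""From: "Jane Friend" <jane@friends-mail.invalid>
To: steve@example.invalid
Subject: Charity run this weekend
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign up here:
<a href="https://www.charity-run.example/signup">Sign up here</a></p></body></html>
"""

# Hypothetical address book: the address we actually have for each contact.
KNOWN_CONTACTS = {"jane friend": "jane@friends-mail.invalid"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(url):
    """Crude 'last two labels' domain, enough to compare two hostnames here."""
    host = (urlparse(url).hostname or url).lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw):
    """Return human-readable findings; an empty list means neither tell fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"])
    known = KNOWN_CONTACTS.get(name.lower())
    if known and known.lower() != addr.lower():
        findings.append(f"display name '{name}' but address {addr} (expected {known})")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only compare when the visible text itself looks like a URL.
            if text.startswith(("http://", "https://")) and \
                    registered_domain(text) != registered_domain(href):
                findings.append(f"link text {text} but href {href}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(RAW_MESSAGE):
        print("SUSPICIOUS:", finding)
```

The same two checks can be wired into a mail filter or run over a mailbox export; the domain comparison is deliberately simple and would need a public-suffix list for production use.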
Had I fallen for this, chances are there could have been malware that allowed the attacker backdoor access to my system. They could use pre-written exploits from software platforms like Metasploit (discussed later). Once they had this access they could continue to scan my network for an internal network that might exist, looking for open ports and services to exploit. For example, EternalBlue, which was used for WannaCry, exploited an SMB vulnerability. If I had clicked on the link at work, they could then use open ports and services to traverse the internal network. At this point they would also want to establish persistence, to ensure that even if I turned off my computer, when I turned it back on it would call back to the attacker.

Since the attacker had access, they could have used that backdoor to install a key logger that recorded every keystroke I typed, and from there retrieved my banking username and password. They could compromise the camera on my computer and watch what I do (which is a reason I cover the cameras on my systems). All of these attack vectors we performed against systems in a lab. We also exploited wireless devices. The detail is a little more complex here, but basically you can catch and intercept traffic. Of course a lot of medical devices now have wireless capabilities, so you can see how this could become a problem. So how could this skill affect the healthcare industry? This is where WannaCry comes in as an example.

WannaCry struck in May of 2017. It searched for and encrypted 176 different file types (https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack). The attackers then demanded a ransom on the order of US$300 in bitcoin to unlock the data. It especially affected the health care industry, as evidenced by Britain’s National Health Service. It specifically targeted Windows machines, in particular unpatched systems. The exploit it used was known as EternalBlue, which affected Windows systems from “XP to Windows 7 and various flavors of Windows Server 2003 and 2008” (https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/). An example of the code is shown below:

The vulnerability was actually found a month before the attack began, and a patch was created for it. Patches were even created for XP systems, which were no longer supported by Microsoft. Yet there were many companies and industries still using XP to conduct their work. Something else I should point out is that this did not spread via phishing emails or social engineering campaigns; it directly exploited the vulnerability. In fact, below is a screenshot of the virus working.

As you can see, the code sets up a backdoor into the system for the attacker to exploit.

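The spreading behaviour described above (no phishing, direct exploitation of SMB on every reachable host) leaves a trace that defenders can look for in connection logs: one source opening connections to many distinct hosts on TCP port 445 within a short time, which normal file-share use does not do. The Python below is an added example, not code from the original post; it runs that check over constructed flow records, and the 60-second window and threshold of 10 distinct hosts are illustrative assumptions.

```python
"""Detect worm-like SMB sweeps in connection logs: a single source opening
connections to many distinct destinations on TCP/445 within a short window.
All log lines here are constructed for the example; the 60-second window and
the threshold of 10 distinct hosts are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one host sweeping 30 neighbours on 445 in 30 seconds,
    one host using a file share normally, one unrelated HTTPS connection.
    Record format: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    lines = [f"2017-05-12T10:00:{i:02d} 10.0.1.20 10.0.1.{i + 1} 445"
             for i in range(30)]
    lines += [
        "2017-05-12T10:00:05 10.0.1.55 10.0.1.10 445",
        "2017-05-12T10:05:00 10.0.1.55 10.0.1.10 445",
        "2017-05-12T10:00:07 10.0.1.60 10.0.1.99 443",
    ]
    return "\n".join(lines)


def parse_flows(text):
    """Parse log text into (timestamp, src, dst, port) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def smb_sweepers(flows, window=timedelta(seconds=60), threshold=10, port=445):
    """Return {src_ip: peak number of distinct destinations on `port` seen
    inside any `window`} for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Sliding window anchored at each event; quadratic but fine for a demo.
        for i, (start, _) in enumerate(events):
            distinct = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in smb_sweepers(parse_flows(build_sample_log())).items():
        print(f"ALERT {src}: {count} distinct hosts on 445 within 60s")
```

The same logic works over firewall or NetFlow exports once the parser is adapted to their field layout; the point is that a host scanning its own subnet for SMB is visible long before any ransom note appears.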
As an ethical hacker, someone can test these vulnerabilities directly. There are several tools for doing this. One that we used in the boot camp quite a bit is the Metasploit Framework, as discussed earlier. This tool has preloaded exploits that let an attacker “point and click”. For example, in the image below the user selected the EternalBlue exploit, which was the exploit used in WannaCry, and ran “show options”. This shows the pen tester what information needs to be entered.

The only information the pen tester really needs to add is the target host IP address, as the other information is typically default and works (unless the user modified things). All that needs to be done then is fire the exploit. This exploit simply gives the attacker access to the system. From there they can do a lot of harmful, malicious things. For a pen tester, however, this allows them to find these vulnerabilities so they can be patched.

This boot camp offered me the opportunity to test vulnerabilities against a lab environment. It was interesting to see how easy attacks were to make against unpatched systems. It also showed us how hard it was to access patched and updated systems. In fact, for some of the boxes, the only way we could exploit them was via phishing. Hence, as mentioned several times, this is why the healthcare industry should hire pen testers to test their network and ensure they are patched. The boot camp was a week long and offered by EC-Council. They provided a test voucher with the camp. I recommend it if you are interested in penetration testing.