An Attackers’ Perspective on Cybersecurity Exploits

The best way to build a proper defense is to understand your opponent. During our recent webinar, CloudWave dissected some of the most recent and impactful cyberattacks—getting “inside the mind” of a cybersecurity attacker—including those targeting SSH, BIOS, and critical infrastructure within healthcare.

With healthcare cyberattacks becoming more frequent and sophisticated, staying informed and prepared is critical. The knowledge and strategies needed to defend against these emerging threats and ensure the security of your healthcare IT infrastructure include an understanding of the following:

  • The latest attacker tactics targeting SSH and BIOS
  • Advanced persistent threats targeting firmware to maintain long-term control over systems
  • How these attacks impact healthcare and critical infrastructure
  • Why traditional penetration testing may no longer be sufficient

SSH Compromise (CVE-2024-3094) Impacting Linux

SSH is commonly found in network appliances, routers, wireless access points, and medical device infrastructure. Attackers can exploit a critical backdoor in the XZ Utils library, which Linux distributions ship and which, on some of them, is linked into the SSH server, to gain unauthorized access. If an attacker finds a system running the backdoored version that has not been patched, they can execute arbitrary code and gain remote command and control.

Attackers pursuing this approach perform reconnaissance to identify candidate targets, typically in three steps:

Passive reconnaissance: An attacker can fingerprint your environment without touching it by looking at certain external factors. For example, if an IT/IS job posting requires specific experience within a targeted area, that is a technology that is present and important in the IT environment. Other areas that can create exposure are social media postings and sales calls that offer details about the technology environment.

Network scanning: Nothing sophisticated is required here. Nmap with custom scripts can be pointed at different parts of your environment to reveal a vulnerability.

Vulnerability scanning: Bad actors look for vulnerabilities in specific Linux environments, again using Nmap scans. The best defense includes firewalls, a DMZ, and ensuring that patches are 100% current.

Unless an attacker is running an automated (bot) attack, they will likely start with passive reconnaissance because it is easy to do, then follow up with vulnerability scanning. In addition to keeping patches updated, organizations should decide in advance how to shut down external-facing systems if there is an SSH compromise. Being proactive and treating the perimeter as the last line of defense, not the first, is critical in these situations.
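As an added check that is not from the webinar, here is a Python script for the patch-status verification the passage calls for: it parses `xz --version` for the two XZ Utils releases that shipped the CVE-2024-3094 backdoor (5.6.0 and 5.6.1) and checks whether the local sshd links liblzma. It assumes a Linux host with `xz`, `ldd` and `sshd` on the path; the verdict strings are our own.

```python
import re
import shutil
import subprocess

# The two XZ Utils releases that shipped the CVE-2024-3094 backdoor.
AFFECTED_XZ_VERSIONS = {(5, 6, 0), (5, 6, 1)}

def parse_xz_version(output: str):
    """Extract (major, minor, patch) from `xz --version` output,
    e.g. 'xz (XZ Utils) 5.6.1' -> (5, 6, 1); None if not found."""
    m = re.search(r"xz \(XZ Utils\) (\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None

def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if `ldd sshd` lists liblzma. On distributions whose sshd is
    patched to link libsystemd, liblzma is pulled in transitively, which
    is how the backdoor reached the SSH server."""
    return "liblzma" in ldd_output

def assess(xz_output: str, ldd_output: str) -> str:
    """Combine both observations into one verdict string."""
    v = parse_xz_version(xz_output)
    if v is None:
        return "unknown: could not parse xz version"
    label = "%d.%d.%d" % v
    if v not in AFFECTED_XZ_VERSIONS:
        return "ok: xz %s is not a known backdoored release" % label
    if sshd_links_liblzma(ldd_output):
        return "critical: backdoored xz %s and sshd links liblzma" % label
    return "high: backdoored xz %s installed; sshd not linked, patch anyway" % label

def _run(cmd):
    """Run a command and return its stdout, or '' if it cannot be run."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except OSError:
        return ""

def run_live() -> str:
    """Check the host this script runs on."""
    xz = shutil.which("xz")
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    xz_out = _run([xz, "--version"]) if xz else ""
    return assess(xz_out, _run(["ldd", sshd]))

if __name__ == "__main__":
    print(run_live())
```

A clean version string shows only that the backdoored release is not installed now, not that the host was never exposed; treat a critical result as an incident rather than a patching task.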

How to find where vulnerabilities exist:

Initial research: Examine the code. Hackers can purchase any technology an organization owns, including switches, EHRs, and more, and study all the documentation available for a product.

Source code review: This includes static analysis, fuzzing, and dynamic analysis and testing. Tools are getting better at identifying where vulnerabilities may exist, and some are starting to employ AI to enhance their functionality.

Once a potential vulnerability is identified, attackers must determine if it’s exploitable. Although determining where an exploit exists in the source code or system still requires some engineering capabilities, tools are getting better at pointing out the location.

Some software engineers need to consider input validation more comprehensively, including at the backend. The basic rule for writing secure systems is that every input should be validated and sanitized, with a clear fallback when inappropriate data is passed.

Furthermore, several vulnerable areas keep emerging, including input validation accounts. When dealing with critical infrastructure systems, ask if partners follow OWASP and what practices are in place to address these security issues.

The Vicious Nature of BIOS Attacks

BIOS attacks exploit firmware vulnerabilities to inject malicious code that runs during the boot process. These attacks are particularly dangerous for healthcare’s critical infrastructure and medical devices as they can lead to persistent, hard-to-detect infections that compromise the integrity and functionality of essential systems.

At the BIOS level, attackers can interact with or intercept everything that happens in that system. They run below the operating system (OS) and can inject into and take over any process, command, data exchange, or network connectivity.

Survivability for BIOS attacks is, unfortunately, impressive. Even after reinstalling the OS from scratch or installing a new hard drive, the BIOS remains, so the attack survives. Knowing whether a BIOS-level attack has occurred is also challenging, because it requires indirect observation to determine whether the BIOS has been manipulated. Furthermore, suppose a hospital learns that 300 smart pumps have BIOS malware. The clinical engineering team must update the firmware on each of them, which is typically resource-intensive.

BIOS attackers also turn off protections like firewalls and antivirus tools. Relying on OS-level integrity checks or Secure Boot alone, in that case, creates a false sense of security.

Many BIOS attacks stay hidden and use timer-based deployments. Sometimes a visible attack like ransomware occurs, followed by a secondary, seemingly unrelated BIOS attack: the BIOS implant lay dormant in the system and was triggered by the efforts to clear the ransomware.

Getting into the BIOS to install the exploit is trickier, as the attacker may have to wait until a reboot occurs. From there, every keystroke can be logged and every mouse movement examined, so user IDs and passwords are captured as people enter them, and anything can be done; it is just a matter of how covert the implant stays.

Mitigating Attacks from Midnight Blizzard

A group called Midnight Blizzard (also known as APT29 or Cozy Bear) has been implicated in firmware attacks, which shows its sophistication. There are ways for organizations to defend themselves, including:

Regular firmware updates: Keep firmware updated with patches from trusted vendors. Create a process and reminders within your organization to know when to review firmware. Check for manufacturer updates and inventory what firmware versions are running, especially in medical devices and IoT systems.

Enable Secure Boot: Configure Secure Boot so that only trusted firmware and OS components are loaded during startup.

Hardware-based security: Use trusted platform modules (TPMs) to measure and verify firmware integrity and prevent unauthorized access.

Firmware integrity monitoring: Deploy tools capable of monitoring and verifying integrity to detect unauthorized changes.

Restrict administrative privileges: Service accounts granted admin privileges are a source of vulnerability. Limit administrative privileges and monitor for privilege escalation attempts to prevent unauthorized firmware updates.

Oracle WebLogic Server OS Command Injection

For this type of attack, think about the extensive data exchange in healthcare: HL7 and XML messages flowing across networks. The first step in this attack is a malicious HTTP request that sets up the underlying environment so the attacker can bypass security; the attacker then uploads or sends an XML file that grants them command execution on the server.

This works because of how the code is implemented: the application walks through the XML file, parses it, and executes the commands it contains. A malicious payload can be embedded within a SOAP envelope, and once it passes through to the backend system, the attacker controls that system.

Typically, reverse connections are used that make the compromised system call back out. The attacker supplies an IP address or a hostname to establish a reverse tunnel and gain access at an admin level. In this case, even if the server is shut off, network connectivity for the attack is preserved.
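The XML-driven execution described above, together with the input-validation rule from the earlier section (validate every input, with a clear fallback), as an added example that is not CloudWave's or Oracle's code: a Python SOAP handler that dispatches only to allow-listed operations with strictly patterned parameters and rejects everything else with a fixed response. The namespace, operation names and sample messages are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MSG_NS = "urn:example:hl7-gateway"  # constructed namespace for this example

# The only operations that exist, keyed by namespaced tag, each with a strict
# pattern per parameter; message content is never handed to a shell or eval.
OPERATIONS = {
    "{%s}QueryPatient" % MSG_NS: (lambda p: {"status": "queried", "mrn": p["mrn"]},
                                  {"mrn": re.compile(r"\d{6,10}")}),
    "{%s}Ack" % MSG_NS: (lambda p: {"status": "acked", "msg_id": p["msg_id"]},
                         {"msg_id": re.compile(r"[A-Za-z0-9-]{1,64}")}),
}

def handle_soap(raw: str) -> dict:
    """Parse the envelope, then dispatch only to an allow-listed operation."""
    if "<!DOCTYPE" in raw:  # refuse entity declarations outright
        raise ValueError("DOCTYPE not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as e:
        raise ValueError("malformed XML: %s" % e)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one Body child")
    if body[0].tag not in OPERATIONS:
        raise ValueError("unknown operation %r" % body[0].tag)
    func, schema = OPERATIONS[body[0].tag]
    params = {}
    for child in body[0]:  # every parameter must be expected, unique and well-formed
        pname, value = child.tag.rsplit("}", 1)[-1], (child.text or "").strip()
        if pname not in schema or pname in params or not schema[pname].fullmatch(value):
            raise ValueError("bad parameter %r" % pname)
        params[pname] = value
    if set(params) != set(schema):
        raise ValueError("missing parameter")
    return func(params)

def process(raw: str) -> dict:
    """Clear fallback: a rejected message yields a fixed response, never execution."""
    try:
        return handle_soap(raw)
    except ValueError as e:
        return {"status": "rejected", "reason": str(e)}

# Constructed sample messages: a valid request, and the same envelope with an
# operation the gateway does not know (rejected before anything is looked up).
GOOD_MSG = ('<s:Envelope xmlns:s="%s" xmlns:m="%s"><s:Body><m:QueryPatient>'
            '<m:mrn>12345678</m:mrn></m:QueryPatient></s:Body></s:Envelope>' % (SOAP_NS, MSG_NS))
BAD_MSG = GOOD_MSG.replace("QueryPatient", "Exec")
```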

Limitations of Traditional Penetration Testing

Penetration (pen) testing is one defense an organization uses to test its security. However, the traditional approach is becoming insufficient against sophisticated cyber threats: most pen testing methods are outdated, performing some service-level analysis but overlooking more sophisticated approaches, and rarely looking at firmware and BIOS attacks. Additionally, many tests are not tailored to the healthcare sector and focus primarily on meeting compliance and regulatory rules.

Attackers are evolving, researching, and finding ways to bypass common protections. The way pen testing is being done also needs to evolve. A modernized, comprehensive approach is required to effectively protect sensitive patient data and ensure the integrity of healthcare services.

Healthcare organizations should utilize continuous security assessment and consider the following:

Advanced threat simulation: This includes red team exercises, attack surface management, and attack dissection.

Firmware updates and hardware security: Can someone get into the hardware through firmware? What would that mean?

Comprehensive internal and external testing: As the sophistication of pen testing increases, it will probably be more expensive and time-consuming. Pick a few critical systems, like EHR or domain controller, and go deep into them.

If a healthcare organization is hit with a true cyber-attack, critical patient care systems must become operational as quickly as possible, including the domain controller, EHR, lab, pharmacy, and portals. Understanding how well those systems can withstand a proper pen test attack dissection is critical.

Summary

Healthcare is a frequent target of attacks by adversaries who are determined and patient. Understanding how they think provides insight into defending against them. To explore this critical subject in more detail, listen to the on-demand webinar, “An In-Depth Look at Cyber Exploits from the Attackers Perspective,” provided to our CloudWave Cybersecurity Insider Program members.

Not a member? Join now for access to live monthly educational webinars, on-demand training sessions, threat intelligence alerts, and more. If you have any additional questions about cybersecurity breaches and mitigating their impact or want to discuss your cybersecurity strategy with one of our experts, please email customersfirst@gocloudwave.com.

Richard Phung
Director
Cybersecurity Tactical Operations Center