
To serve and response

A recent cyber-attack on a government office had our incident responders defusing a challenging cyber event, one in which creative, out-of-the-box thinking was needed to eliminate the threat.

This is how it played out:

8:42 pm

A customer calls our incident response hotline to report unusual logs coming out of their data loss prevention (DLP) products. Our response team rapidly establishes a secure remote connection in order to see what is going on.

A first look indicates data exfiltration activity, although at a very low volume. Further investigation leads our team to inspect network traffic in search of suspicious activity.

10:22 pm

A dubious client-server communication is spotted, where the client is located within the network and the server is outside it. An IP geolocation investigation points to a server that is in fact in a different country. At this point, our team decides to install internal tools on the suspicious endpoint in order to gain better visibility, without interrupting the attacker's activity in any way.

11:07 pm

It is now clear that we are dealing with a sophisticated attacker who has managed to bypass almost every control the office has in place. After a successful lateral movement, he has gained access to several endpoints across the organization.

12:15 am

After informing the management team on the customer side, we begin to take action. The first step is to deploy honeypots so that we can learn about the attacker's techniques and the tools he is using. This proves a great success: the attacker fell for almost every honeypot we deployed.

The next step is to use the credentials he is using to communicate with his servers, in order to evaluate what information he has gained access to so far, so that we can later destroy it.

Finally, the last step is to stop his malicious activity using tools such as Cynet.

2 days later

Our team heads over to the customer site in order to brief everyone at the office on the chain of events, including our successful incident response activity.


Your vital signs’ monitor may need critical care

Hospitals around the globe rely on many types of medical devices to deliver the most up-to-date patient care. They also spend hundreds of millions of dollars on backup systems, redundancy, and business continuity to ensure 100% functionality of these systems, which are critical to saving lives.

Doctors and nurses rely on these devices on a daily basis, as they allow them to focus on the challenges and complexities that require their human expertise. But there is a scenario that no medical professional is prepared for during their training, and one that is often overlooked by hospitals: how safe are medical devices in the face of a cyber-attack?

This case study will examine how a major hack on a hospital’s medical monitoring technology can directly affect patients’ lives.

Patient monitoring devices provide a snapshot of a patient's health status, including a full analysis of vital signs such as heart rate, temperature and blood oxygen levels. This allows medical staff to quickly evaluate the patient's condition.

Samples can be taken every few hours, or, in cases where patients are being monitored continuously, a staff member can observe several patients at once from the nurses' station. If the monitor detects a deviation from the normal range of a measurement, an alarm goes off at the nurses' station, prompting the staff to check on the patient.

Recently, a known monitor manufacturer asked BugSec to conduct a security evaluation of their product. We quickly discovered that the communication channel between the monitoring devices and the reporting unit at the nurses' station was based on a simple radio frequency (RF) protocol, which, with the right tools, would allow us to freely receive and transmit data over the channel.

After mapping the attack surface, we decided to pursue this approach. We connected the monitor to a live person and measured his vital signs. We also set up a mock nurses' station with screens showing the data from the demo patient.

During the simulated attack, we used specialised tools to pick up the frequency on which the device was transmitting. After learning how every sign is interpreted by the system, we experimented with it and managed to transmit different messages in the same pattern, causing false patient data to be relayed to the nurses' station. This is, of course, a serious vulnerability, not only because of the impact on patients' lives, but also because hospitals are public spaces and a malicious party can gain physical proximity with ease.

We immediately reported the vulnerability to the manufacturer, together with our recommendations on how to mitigate the threat, and they were able to stop the false transmissions right away.
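The case study describes a receiver that trusts any well-formed frame heard on the RF channel. The following added example (not BugSec's code or the manufacturer's, and not the specific fix they adopted) contrasts that weak parser with a receiver that authenticates each vital-signs frame with a keyed tag and rejects replays via a sequence counter; the frame layout, field set, shared key and device name are all constructed for the demonstration, and key provisioning is assumed to exist out of band.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"        # constructed; a real device would hold a provisioned per-device key
FMT = "!16sIHHBB"                    # device id, sequence no., heart rate, temp x10, SpO2 %, resp. rate
PAYLOAD_LEN = struct.calcsize(FMT)   # 26 bytes
TAG_LEN = 16                         # truncated HMAC-SHA256 tag appended to each frame

def pack_payload(device_id, seq, hr, temp_c, spo2, rr):
    return struct.pack(FMT, device_id.ljust(16, b"\0"), seq, hr, int(round(temp_c * 10)), spo2, rr)

def parse_unauthenticated(frame):
    """Weak design from the case study: any well-formed frame heard on the channel is trusted."""
    dev, seq, hr, temp10, spo2, rr = struct.unpack(FMT, frame[:PAYLOAD_LEN])
    return {"device": dev.rstrip(b"\0").decode(), "seq": seq, "hr": hr,
            "temp_c": temp10 / 10, "spo2": spo2, "rr": rr}

def build_frame(key, device_id, seq, hr, temp_c, spo2, rr):
    # Monitor side: payload plus a tag that only a holder of the shared key can compute
    payload = pack_payload(device_id, seq, hr, temp_c, spo2, rr)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]

class AuthenticatedReceiver:
    """Nurses'-station side: verify the tag, then reject replays with a per-device counter."""
    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def accept(self, frame):
        if len(frame) != PAYLOAD_LEN + TAG_LEN:
            return None, "malformed"
        payload, tag = frame[:PAYLOAD_LEN], frame[PAYLOAD_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"       # forged or tampered frame: raise an alarm, do not display
        reading = parse_unauthenticated(payload)
        if reading["seq"] <= self.last_seq.get(reading["device"], -1):
            return None, "replay"        # an old genuine frame re-sent
        self.last_seq[reading["device"]] = reading["seq"]
        return reading, "ok"

def demo():
    # Four constructed frames: genuine, forged without the key, genuine with one bit flipped, genuine replayed
    rx = AuthenticatedReceiver(KEY)
    genuine = build_frame(KEY, b"monitor-07", 1, 72, 37.2, 98, 16)
    forged = pack_payload(b"monitor-07", 2, 72, 37.0, 99, 16) + bytes(TAG_LEN)  # no key, so no valid tag
    tampered = bytearray(genuine)
    tampered[20] ^= 0x40                 # flip a bit in the heart-rate field of a genuine frame
    verdicts = [rx.accept(f)[1] for f in (genuine, forged, bytes(tampered), genuine)]
    return verdicts, parse_unauthenticated(forged)["spo2"]   # weak parser still shows the forged SpO2
```

Only the first frame reaches the display; the weak parser would have shown the forged reading as if it came from the monitor.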