HC3 Warns Healthcare Sector Regarding Risk of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued an alert to the healthcare and public health sector regarding a surge in financially motivated zero-day attacks, and has set out mitigations that should be adopted to reduce the risk to a low and acceptable level.

A zero-day attack exploits a vulnerability for which no patch yet exists. Such vulnerabilities are called zero-day because the vendor has had zero days to fix them: the flaw is already known to attackers, and often already being exploited, before a patch is available.

Zero-day attacks are attacks in which a threat actor uses a weaponized exploit for a zero-day vulnerability. They are used against every industry sector and are not a challenge unique to healthcare. For example, the 2010 “Stuxnet” attack on the Iranian nuclear program used exploits for four zero-day vulnerabilities and caused the centrifuges at Iran’s uranium enrichment facility to damage themselves, disrupting the program.

More recently, in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. Normally a user would have to take further action after opening a malicious email attachment before malware was downloaded, but by incorporating the zero-day exploit the attackers were able to install Dridex as soon as the user opened the infected attachment.

The nature of zero-day vulnerabilities means the risk cannot be eliminated entirely, since only the software vendor can produce the patch that corrects the flaw; however, measures can be taken to minimize the opportunities for a zero-day vulnerability to be exploited and to limit the damage if one is.

The number of identified zero-day exploits more than doubled between 2019 and 2021. This is partly due to the high prices zero-day exploits now command: the amount paid for working exploits increased by more than 1,150% between 2018 and 2021. Where the market was once limited to a handful of well-funded groups, there are now many well-resourced threat actors willing to pay, knowing they can recoup the outlay many times over by using the exploits in attacks. A single zero-day exploit can now be worth more than $1 million.

Zero-day attacks aimed specifically at the healthcare sector are entirely plausible. In August this year, a set of vulnerabilities dubbed PwnedPiper was disclosed in the pneumatic tube systems hospitals use to move biological samples and medications. One of the flaws was in the control panel, which accepted unsigned firmware updates. An attacker could exploit it to push malicious firmware, take control of the system, and deploy ransomware.
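The control-panel flaw above comes down to one missing check: the controller flashed whatever image it received. The Go program below is an added illustration of that weak path beside a hardened one, written for this article and not taken from the affected vendor or from the researchers who disclosed PwnedPiper. It assumes a hypothetical image format (a version counter, the payload, and a detached Ed25519 signature over the version and the payload's SHA-256 digest) with the vendor's public key baked into the controller; the real products' update format is not described here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update container for a tube-system
// controller: a version counter, the raw payload, and a detached Ed25519
// signature over (version || SHA-256(payload)). An unsigned image has an
// empty Signature.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage is what the vendor signs and the controller verifies.
// Binding the version into the signed data stops an attacker from replaying
// an old, legitimately signed image under a new version number.
func (f FirmwareImage) signedMessage() []byte {
	digest := sha256.Sum256(f.Payload)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, f.Version)
	return append(msg, digest[:]...)
}

// applyUnsigned models the weak behaviour: whatever image arrives at the
// control panel is flashed. An attacker on the network can push arbitrary
// code, including ransomware.
func applyUnsigned(img FirmwareImage) ([]byte, error) {
	return img.Payload, nil
}

// applySigned models the hardened behaviour. It flashes the payload only if
// the image carries a valid signature from the vendor key baked into the
// controller and its version is newer than the running firmware.
func applySigned(vendorKey ed25519.PublicKey, running uint32, img FirmwareImage) ([]byte, error) {
	if len(img.Signature) != ed25519.SignatureSize {
		return nil, errors.New("rejected: image is unsigned or signature is malformed")
	}
	if !ed25519.Verify(vendorKey, img.signedMessage(), img.Signature) {
		return nil, errors.New("rejected: signature does not verify against vendor key")
	}
	if img.Version <= running {
		return nil, fmt.Errorf("rejected: version %d is not newer than running version %d", img.Version, running)
	}
	return img.Payload, nil
}

// signFirmware is the vendor-side step that produces a releasable image.
func signFirmware(vendorPriv ed25519.PrivateKey, img FirmwareImage) FirmwareImage {
	img.Signature = ed25519.Sign(vendorPriv, img.signedMessage())
	return img
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	running := uint32(7)

	// Constructed sample images: a genuine vendor release and an attacker's.
	release := signFirmware(vendorPriv, FirmwareImage{Version: 8, Payload: []byte("vendor build 8")})
	rogue := FirmwareImage{Version: 9, Payload: []byte("attacker build")}

	for _, img := range []FirmwareImage{release, rogue} {
		_, err := applyUnsigned(img)
		fmt.Printf("unsigned path, v%d: err=%v\n", img.Version, err)
		_, err = applySigned(vendorPub, running, img)
		fmt.Printf("signed path,   v%d: err=%v\n", img.Version, err)
	}
}
```

The rollback check matters as much as the signature check: without it, an attacker who obtains any older signed image with a known exploitable bug can legitimately "downgrade" the controller and then exploit it. In a real device the vendor public key would live in protected storage and the verification would run in a bootloader that cannot itself be updated over the same path.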

In August 2020, four zero-day vulnerabilities were disclosed in OpenClinic that exposed patients’ test results: an unauthenticated attacker could retrieve files containing medical test data from the application’s medical test directory.

The best defense against a zero-day vulnerability is to apply the patch as soon as it is released, but patching is often slow, particularly in healthcare. A 2019 Ponemon Institute survey found that it took an average of 97 days to apply, test, and deploy a patch for a zero-day vulnerability after the patch was released.

HC3’s recommendation is to “patch quickly, patch regularly, patch totally.” The brief provides up-to-date information on actively exploited zero-days and the patches available to correct them. HC3 also recommends deploying a web application firewall to inspect incoming traffic and filter out malicious input, which can stop threat actors from reaching vulnerable systems, and using runtime application self-protection (RASP) agents, which run inside the application’s runtime and can detect anomalous behaviour. Network segmentation is also strongly recommended, since it limits how far an attacker can move after compromising a single system.

The TLP: WHITE Zero-Day Threat Brief is available for download from HC3.