
Botnets: The Living Dead of The Malware World

By Eitan Bremler

Mirai. Reaper. Hajime. 

The biggest IoT botnet threats to the healthcare industry today.

You've been on the lookout for botnet malware since Paras Jha's Mirai worm knocked large parts of the internet offline in October 2016. A former Rutgers University student and a fan of Japanese anime, Jha named the botnet after the anime series Mirai Nikki. Reaper and Hajime both build on Mirai's approach, and Reaper reuses some of Mirai's leaked source code outright, but the identity of their authors remains a mystery.

The Botnet Army: The Shape-Shifters of The Malware World

In zombie movies, the dead are held hostage by a virus.

In many cases, the virus metastasizes into newer malignant forms under certain conditions.

That's science fiction. 

In the real world, botnet malware behaves in a frighteningly similar way. Both Reaper and Mirai amassed their zombie armies around a traditional command-and-control (C&C) server: every infected device calls home to a server the attacker runs and takes its orders from there, which is also what makes such a botnet vulnerable to having that one server seized.

There's a difference, however. Reaper can potentially do greater damage across a wider range of devices. Mirai broke in only one way: it connected to exposed Telnet ports (TCP 23 and 2323) and tried a short list of factory-default usernames and passwords. Reaper instead exploited known, unpatched vulnerabilities in IoT devices, mostly in their web management interfaces, so changing the default password did not protect a device from it. Security researchers warned that at least a million devices had been infected or queued for infection, waiting for the attacker-controlled C&C server to push them the next payload. Once infected, the botnet keeps growing, undetected and unchallenged.

Meanwhile, Hajime's benign surface hides the potential for greater IoT damage than Mirai or Reaper have caused. Notably, Hajime runs on a decentralized peer-to-peer network with no central C&C server, which makes it far harder to take down: there is no single server to seize. For now it carries no DDoS payload at all. The anonymous author of Hajime assures us, in a signed message the malware prints on infected devices, that he is a well-meaning white hat. But can we trust his word?

Security researchers have confirmed that Hajime actually closes the ports Mirai abuses on the devices it infects, TCP 23, 7547, 5555 and 5358 among them. However, its modular design means it can be re-purposed for malicious use at any future date. Currently, Hajime uses BitTorrent's DHT protocol to find its peers and a tracker-less, torrent-style transfer (uTP) to pass its configuration and modules between them. Over the last year, security researchers have issued industry warnings about Hajime's increasingly aggressive behaviour.

The trigger was an update to Hajime's code that began exploiting TR-069, the remote-management protocol Internet service providers use to administer customer routers and modems over TCP 7547. So much for the benign white hat persona.
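A practical check that follows from the above: the three botnets differ in how they break in, but all of them find victims the same way, by sweeping networks for a handful of TCP ports (Telnet on 23 and 2323, TR-069 on 7547, and the 5555 and 5358 ports Hajime closes). The script below is an added example written for this page, not code from the article or from any of these botnets. It runs simple fan-out detection over constructed firewall log lines to flag an internal host that is sweeping its neighbours for those ports, which is what an infected device on a hospital network looks like from the firewall. The log format, the addresses and the thresholds are assumptions.

```python
"""Flag Mirai/Hajime-style port sweeps in firewall logs (added example).

The log format is an assumed, simplified one: 'ts src dst dport proto action'.
"""
from collections import defaultdict, deque
from datetime import datetime

# Ports the botnets discussed scan for: Telnet (23, and Mirai's 2323),
# TR-069 (7547), and the remaining ports Hajime closes on infected devices.
IOT_SCAN_PORTS = {23, 2323, 7547, 5555, 5358}

# Constructed sample log (not real traffic). 10.20.0.77 sweeps 10.20.1.0/24;
# 10.20.0.5 is an admin box talking to one device; 10.20.0.9 touches 7547
# on three hosts, but spread over twenty minutes.
SAMPLE_LOG = """\
2018-03-01T10:00:00 10.20.0.5  10.20.1.5  443  tcp ACCEPT
2018-03-01T10:00:02 10.20.0.5  10.20.1.9  23   tcp ACCEPT
2018-03-01T10:00:03 10.20.0.77 10.20.1.1  23   tcp DROP
2018-03-01T10:00:03 10.20.0.77 10.20.1.2  23   tcp DROP
2018-03-01T10:00:04 10.20.0.77 10.20.1.3  2323 tcp DROP
2018-03-01T10:00:04 10.20.0.77 10.20.1.4  23   tcp DROP
2018-03-01T10:00:05 10.20.0.77 10.20.1.5  23   tcp ACCEPT
2018-03-01T10:00:05 10.20.0.77 10.20.1.6  2323 tcp DROP
2018-03-01T10:00:06 10.20.0.77 10.20.1.7  23   tcp DROP
2018-03-01T10:00:06 10.20.0.77 10.20.1.8  7547 tcp DROP
2018-03-01T10:00:07 10.20.0.77 10.20.1.9  23   tcp ACCEPT
2018-03-01T10:00:09 10.20.0.5  10.20.1.9  23   tcp ACCEPT
2018-03-01T10:05:00 10.20.0.9  10.20.1.20 7547 tcp DROP
2018-03-01T10:15:00 10.20.0.9  10.20.1.21 7547 tcp DROP
2018-03-01T10:25:00 10.20.0.9  10.20.1.22 7547 tcp DROP
"""


def parse_line(line):
    """Parse one 'ts src dst dport proto action' record into a dict."""
    ts, src, dst, dport, proto, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "action": action}


def find_scanners(lines, window_s=60, min_targets=8):
    """Return {src: max_distinct_targets} for sources that touched at least
    min_targets distinct host:port pairs on IOT_SCAN_PORTS within any
    window_s-second window.

    Fan-out (many hosts, the same few ports, a short time) is the signature
    of a Mirai-style scanner. One host retrying a single Telnet service is
    not flagged. ACCEPTed probes count as well as DROPped ones, because the
    connection that succeeded is the one that matters.
    """
    events = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["proto"] == "tcp" and ev["dport"] in IOT_SCAN_PORTS:
            events[ev["src"]].append(ev)

    hits = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()  # events no older than window_s before the current one
        for ev in evs:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            targets = {(e["dst"], e["dport"]) for e in window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: swept {n} host:port targets on IoT ports within 60s")
```

On the sample, only 10.20.0.77 is reported (nine distinct targets in four seconds); the admin host and the slow 7547 probes stay below the threshold. In a real deployment the lines would come from the firewall's syslog feed and min_targets would be tuned to the network. An internal source that trips this is a device to isolate and factory-reset: Mirai and Hajime run from memory and a power cycle removes them, but reinfection follows within minutes unless the credentials or the exposed ports change.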

Is the Healthcare Industry A Sitting Duck for Botnet Attacks?

The short answer is an unfortunate yes.

According to P&S Market Research, the healthcare IoT market is slated to reach $267.6 billion by 2023. The market is driven by a rising demand for portable wearable devices and remote patient monitoring devices. In other words, 21st century telemedicine made possible by the IoT.

So, why is this important?

The vast IoT network system lends a sense of immediacy to medical care, raising the quality of life for chronically-ill patients. A doctor can now treat and monitor a bed-ridden patient remotely. Additionally, health professionals receive ping alerts when wearable heart and blood pressure monitors show abnormal vital sign spikes.

The IoT is just as versatile in an emergency. Wi-Fi-connected robots can perform uniform chest compressions when a patient suffers a sudden cardiac arrest, freeing caregivers to focus on other life-saving procedures. In the aftermath of CPR intervention, the robot can send device reports to medical staff. 

To date, an aging global population continues to fuel the growth of the IoT medical device industry. The United Nations reports that by 2050, every region in the world except Africa will have nearly 25% or more of its population aged 60 and above.

The implications are dire.

Many IoT medical devices sit on the same hospital networks that house sensitive patient data such as medical histories, Social Security numbers, and pharmaceutical care plans. Cyber thieves can use this data to impersonate their victims and obtain medical equipment or drugs, then sell what they acquire at exorbitant prices on dark web markets.

Other hackers may even file fictitious claims using stolen provider license numbers. And where do botnets fit in? A DDoS attack does not by itself steal data, but the botnet behind it is built from compromised devices, and a compromised device on a hospital network is a foothold: the same port scanning and credential guessing that recruited it can be turned on the servers beside it, and a DDoS is a well-worn smokescreen for exfiltration going on at the same time.

The Solution: Is There One That Works?

The Ultimate Promise of Technology is to Make us Master of a World that we Command by the Push of a Button — Volker Grassmuck

The reassuring answer is yes. Many organizations use reverse-proxy access, VPN and SSL VPN access, and SFTP access to grant third parties access to sensitive data. All of these, however, require a service listening on an open inbound port in the DMZ, with its TLS keys and certificates stored there, and an open listening port is exactly what Mirai, Hajime and Reaper scan for.

For a stronger answer, consider software-defined perimeter access. Unlike the conventional approaches, every user and device is authenticated before it is allowed to reach any internal system, and no inbound firewall ports are left listening, so a scanning botnet finds nothing to connect to and no DMZ service to flood. That removes the exposure the botnets above rely on, although it does not replace patching and changing default credentials on the devices themselves. For more information about how software-defined application access gives you that level of protection, download our SDA white paper. It's time to send botnet criminals packing.
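To make "authenticate first, keep every inbound port closed" concrete: in the Cloud Security Alliance's SDP specification the mechanism is single-packet authorization (SPA). The gateway drops every packet by default; only a knock carrying a valid keyed MAC, a fresh timestamp and an unused nonce earns a short-lived, per-client firewall exception for one service. The code below is an added model of that verifier, written for this page; it is not Safe-T's product code and is not the article's own. The pre-shared key, the packet layout, the 30-second freshness window, the client and service names, and the injectable clock are all assumptions, and the firewall exception itself is left as a comment.

```python
"""Single-packet-authorization style 'authenticate before connect' check
(added example; key, packet layout and freshness window are assumptions)."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Dict, Tuple

FRESHNESS_S = 30  # assumed: knocks older than this are rejected outright


def make_knock(client: str, key: bytes, service: str,
               nonce: str = None, ts: float = None) -> bytes:
    """Client side: body is JSON, tag is hex HMAC-SHA256(key, body)."""
    msg = {
        "client": client,
        "service": service,
        "nonce": nonce or base64.b16encode(os.urandom(8)).decode(),
        "ts": ts if ts is not None else time.time(),
    }
    body = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Gateway:
    """Gateway side. Nothing is listening; every packet is dropped unless
    it is a verified knock. A verified knock would add a short-lived,
    per-source firewall exception for exactly one service (not shown)."""

    def __init__(self, shared_keys: Dict[str, bytes],
                 now: Callable[[], float] = time.time):
        self.keys = shared_keys          # client id -> pre-shared key
        self.now = now                   # injectable clock, for testing
        self.seen: Dict[Tuple[str, str], float] = {}  # (client, nonce) -> expiry

    def check_knock(self, packet: bytes) -> Tuple[bool, str]:
        # 1. Parse. Anything malformed is dropped, with no response sent.
        try:
            body, tag = packet.rsplit(b".", 1)
            msg = json.loads(body)
            client, service = str(msg["client"]), str(msg["service"])
            nonce, ts = str(msg["nonce"]), float(msg["ts"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        # 2. Authenticate before anything else; unknown clients learn nothing.
        key = self.keys.get(client)
        if key is None:
            return False, "unknown client"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad mac"
        # 3. Freshness: a captured knock is useless after FRESHNESS_S seconds.
        now = self.now()
        if abs(now - ts) > FRESHNESS_S:
            return False, "stale"
        # 4. Replay: inside the window, each (client, nonce) may be used once.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if (client, nonce) in self.seen:
            return False, "replay"
        self.seen[(client, nonce)] = now + FRESHNESS_S
        # A real gateway would now insert the firewall exception, e.g. an
        # allow rule from this source to the service's port for a few seconds.
        return True, f"open {service} for {client}"
```

The order of the checks is the point: the MAC is verified before the timestamp or nonce is even looked at, so an unauthenticated scanner gets no reply and no hint, and a knock sniffed off the wire cannot be replayed once its nonce has been seen or its window has passed. Mirai, Hajime and Reaper all start from a port that answers; a gateway built this way answers none.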
