Stories from a Hacker - Hospital Kiosk Nets 800K Patient Records

Recently, a mid-sized hospital system engaged NetWorks Group to perform a full scope penetration test as part of their HIPAA risk assessment.  When we perform these tests, we become a real attacker using all of the same tactics an actual adversary would employ to gain access to your most sensitive data – phishing, vishing, attacking your website, and ultimately trying to gain access into your internal network.

We had already performed a phishing attack and scrutinized their public-facing website, with no luck; it was just a simple Wordpress website with little functionality to target.  A couple of employees had visited our malicious look-alike website, but the malware we planted to gain access to their computers wasn’t working for some reason. With few options remaining, we decided it was time to visit one of their clinics in person to see what we could do!

On a bright Monday morning, about an hour after the clinic opened, I pulled into the parking lot and started scoping out their main location.  I saw a few people trickling in and out, but didn’t observe any security guards or other potential hazards to worry about.  I grabbed my backpack loaded with my attack laptop and some covert-entry tools and headed in the main entrance to see what I was up against.  There were a few people in the lobby who appeared to be waiting to be called in.  I must have looked confused as I looked around, as one of the patients pointed to the computer in the corner wearing a “Check in here” banner on the monitor.  I grabbed my USB thumb drive* and headed over to the kiosk, where I was greeted by a generic window asking for my patient information.  I minimized the Patient Information window and was shown a familiar Windows desktop littered with dozens of icons.  I’m sure I had an evil grin across my face as I slipped the thumb drive into a free USB port on the front of the computer.  After a few seconds of Windows considering its next move, a silhouetted window popped up, some text flashed on the screen, and just as quickly the window vanished.  In less than ten seconds, I had established a direct network connection with our systems back in Ann Arbor, Michigan, about 800 miles away.

I received a notification on my phone from our alert system that tells us when we get a successful connection, so I knew we now had the ability to access this machine remotely from anywhere in the world. I switched the screen back to the sign-in software, pulled out the thumb drive, and sat back down. Instead of attracting any attention by bringing out my laptop, I messaged my Ann Arbor co-hacker with a Hollywood-esque “I’m in, get me DA”, meaning Domain Administrator (accounts with complete access over every system in the target domain).  After about three minutes of me looking around awkwardly at the few additional people that had wandered in and eventually found their way to the check-in machine, I got a message from my team saying “Done.”  In less than five minutes from walking in the front door, we had gone from zero access to complete control over the entire hospital’s domain. This was largely due to a shared local Administrator password being used across many network computers.  After about an hour of additional work (me in my hotel, and my coworker back at the office), we had infiltrated several file servers and databases containing names, phone numbers, addresses, medical history, social security numbers, and drug information of almost 800,000 patients.  At the most conservative estimate, this data is worth millions to sell on the dark web.  Not bad for a quarter day’s work!

‍

Lessons Learned

Reflecting on this engagement, several lessons learned come to mind immediately:

1. Conduct routine pentests!  This glaring vulnerability was discovered by us, ethical hackers, instead of any real cyber adversaries.  Thankfully, we found it first, provided the clinic with an extensive report and recommendations and they were able to take immediate actions to resolve this finding.
2. Stop sharing and/or reusing local administrator passwords! With the advent of password managers, there’s simply no reason to share passwords – or even have a password that you can remember.  Use a password manager (i.e. 1Password, KeyPass, LastPass, Dashlane) and generate passwords that are so long and complex that you absolutely cannot remember them.
3. If you have any public-facing infrastructure, such as kiosks in your lobby, keep them isolated from your core network, secure any and all ports, and lock down the operating system so curious citizens (and aspiring hackers) cannot interact with the computer in unintended ways. Again, there is software and physical hardware designed specifically for these use cases; in 2022, there is no reason why a multi-million dollar data breach occurred because of an insecure lobby kiosk that otherwise could have been prevented with $100 worth of software and hardware.

At NetWorks Group, we specialize in conducting cyber threat assessments of complex and sensitive infrastructure, including external and internal networks, web applications, mobile apps, wireless networks, and unique, industry-specific devices.  If you have not yet conducted your annual pentest, reach out to us to learn more about how we can help you secure your environment.

* The thumb drive was actually a Rubber Ducky, a USB device that behaves and is installed just like a standard keyboard.  When it gets plugged in, the device waits a few seconds for any Windows drivers to load, then can be programmed to type arbitrary commands.  In our case, it ran a Windows-Key+R to bring up the Windows “Run” dialog, typed CMD and Enter to bring up a command prompt.  Then it printed out a (very long) single line command that downloaded and ran malicious code from the Internet. This was the code that was used to establish the command and control beacon back to our listening server.

‍

###

Published By: Mike Walker, VP of Ethical Hacking, NetWorks Group

Publish Date:  October 25, 2022