On Thursday 17th September, hackers kill through a technology attack. An attack by as yet unknown hackers attack caused the failure of IT systems at a major hospital in Duesseldorf, and ultimately resulted in the death of a patient.
Unknown hackers kill through recently attacked systems at Duesseldorf University Clinic. The criminals gained access to IT systems through a vulnerability in what the hospital described as “widely used commercial add-on software”. The criminals then encrypted data and left a ransom note. Unfortunately, the result of these actions was the death of a patient.
A vulnerability in “widely used commerical software” could mean anything. When an issue such as this exists, what can organisations do to mitigate the risk?
We start by identifying the issue. For this paper, we have identified the vulnerability. There is no patch available. The software is mission-critical and must remain. Where do we start?
Apply pressure to the cause
I would start by applying a considerable amount of pressure to the vendor. Weekly fix requests would be automated, and in the case of critical infrastructure, I would escalate these fix requests through government CERTs. You could go so far as to having a penetration test performed on the vulnerable software and publishing the results.
Isolate the server
The system that the vulnerability software resides on needs isolating. A firewall is merely not going to provide enough protection here. I would separate the system to its own network with an application layer firewall providing connectivity to other systems. The firewall will allow only the required services through to specific machines. For public internet access, I would filter the traffic through a service such as Cloudflare before my application layer firewall. I would further restrict access to only the countries that I would expect to be using the application.
Isolate the software
Isolating the software may or may not be possible. My starting point would assume the software is compromised, and exploitation is occurring. I would investigate whether it is possible to sandbox the software and put significant controls in place to restrict the level of any exploit. Sandboxing is very simple, and Microsoft provides a simple explanation here. There are *nix based solutions too.
Monitoring the system in question is critical. Running antivirus and antimalware is not going to be enough. Alerting on changes to binary files and the addition of executables will provide an early warning that the system is compromised. Services such as AlienVaults OSSIM can help identify signs of compromise quickly.
Apply considerable pressure to the vendor and be vocal about it. Engage with local and government CERTs, and maybe event NIST and MITRE to add more pressure. Isolate the server and the software and monitor the situation.
You can also read more on what to do if you have been hacked in one of our posts here.