HIMSS cyber report for August: New threats arise but old security vulnerabilities never die

Ropemaker, IRS and FBI phishing scams, leaked IoT creds and more arose during the month that just closed.
By Tom Sullivan
09:33 AM
HIMSS Healthcare and Cross-Sector Cybersecurity Report

Another month and another new cyberattack technique. Last month it was ransomware in coffee machines and, before that, June saw the emergence of malware that could execute in Microsoft PowerPoint when a user simply hovers over a malicious URL.

Now, meet ROPEMAKER. For health and infosec pros not yet acquainted, ROPEMAKER stands for Remotely Originated Post-delivery Email Manipulation Attacks by Keeping E-mail Risky. That’s right. The technique, described by email security vendor Mimecast, relies on HTML email that pulls in a stylesheet from a server the sender controls: because the mail client fetches that CSS each time the message is rendered, the sender can change what the recipient sees, such as which of two links is displayed, after the message has already passed the gateway's content filters.

“E-mails getting modified after they have been sent to the recipient is an interesting finding. Whether this ROPEMAKER technique will be leveraged remains to be seen,” HIMSS Director of Privacy and Security Lee Kim said. “According to the Mimecast report, there is no known activity in the wild. No one has actually done this, but I don't see why it couldn't be done.”
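To make the mechanism concrete, here is an added example (not code from Mimecast's report or from HIMSS): a constructed HTML message that references a remote stylesheet, a toy renderer that honours display:none, the same message rendered before and after the stylesheet is swapped, and the gateway check that flags the remote reference. The URLs, class names and stylesheet contents are assumptions made for the illustration.

```python
"""Added example: how a remotely referenced stylesheet lets a sender change an
HTML email after delivery (the ROPEMAKER precondition), and how to spot it.
The HTML, the two stylesheet versions and the URLs are constructed for this
illustration and are not from Mimecast's report."""
import re
from html.parser import HTMLParser

# Constructed message body. The <link> points at a stylesheet the sender
# controls; a mail client that honours it fetches the CSS at render time,
# so both link texts are in the delivered message but only one is displayed.
EMAIL_HTML = """<html><head>
<link rel="stylesheet" href="https://sender.example/style.css">
</head><body>
<p>Please review the attached invoice at
<span class="good">https://intranet.example/invoice</span><span class="bad">https://attacker.example/invoice</span>.</p>
</body></html>"""

# The stylesheet as served when the gateway scanned the mail, and after the
# sender swaps it: the message bytes never change, the rendering does.
CSS_AT_DELIVERY = ".good { display: inline; } .bad { display: none; }"
CSS_AFTER_SWAP = ".good { display: none; } .bad { display: inline; }"

VOID_TAGS = {"br", "img", "link", "meta", "hr", "input"}


def hidden_classes(css):
    """Class selectors whose rule sets display:none (toy CSS subset)."""
    return {
        sel for sel, body in re.findall(r"\.([\w-]+)\s*\{([^}]*)\}", css)
        if re.search(r"display\s*:\s*none", body)
    }


class _VisibleText(HTMLParser):
    """Collect text while skipping elements the stylesheet hides."""

    def __init__(self, hidden):
        super().__init__()
        self.hidden = hidden
        self.depth = 0      # >0 while inside a hidden element
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        classes = (dict(attrs).get("class") or "").split()
        if self.depth or any(c in self.hidden for c in classes):
            self.depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if not self.depth:
            self.parts.append(data)


def visible_text(html, css):
    """Text a recipient would see when html is rendered with the given css."""
    parser = _VisibleText(hidden_classes(css))
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.parts).split())


# Gateway check: any stylesheet fetched from the network at render time means
# the displayed content is not what was scanned at delivery.
REMOTE_CSS = re.compile(
    r"""<link\b[^>]*\bhref\s*=\s*["']?(https?://[^"'\s>]+)"""
    r"""|@import\s+(?:url\()?["']?(https?://[^"')\s;]+)""",
    re.IGNORECASE,
)


def remote_stylesheets(html):
    """URLs of external stylesheets the client would fetch."""
    return [a or b for a, b in REMOTE_CSS.findall(html)]


def strip_remote_css(html):
    """One mitigation: drop <link> tags and @import rules before delivery."""
    html = re.sub(r"<link\b[^>]*>", "", html, flags=re.IGNORECASE)
    return re.sub(r"@import[^;]*;?", "", html, flags=re.IGNORECASE)


if __name__ == "__main__":
    print("remote CSS:   ", remote_stylesheets(EMAIL_HTML))
    print("as scanned:   ", visible_text(EMAIL_HTML, CSS_AT_DELIVERY))
    print("after swap:   ", visible_text(EMAIL_HTML, CSS_AFTER_SWAP))
    print("link stripped:", visible_text(strip_remote_css(EMAIL_HTML), ""))
```

Run it directly to see the two renderings. The message bytes are identical in both cases, which is why a gateway that inspects the message once at delivery never sees the change. Stripping or blocking remote stylesheets at the gateway, or configuring clients not to load remote content, removes the precondition; note that stripping also makes the previously hidden text visible, as the last line of output shows.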


ROPEMAKER is perhaps the most intriguing development in Kim’s monthly HIMSS Healthcare and Cross-Sector CyberSecurity Report, but infosec pros will also want to know about the others.

Take the IRS warning, for instance. The U.S. Internal Revenue Service cautioned about a new phishing scheme that impersonates both the taxman and the Federal Bureau of Investigation in what would appear to many would-be victims to be a convincing request. Kim said telltale signs include grammatical mistakes as well as errors of fact about laws and regulations.


Security vendor Proofpoint, meanwhile, uncovered the Defray strain of ransomware and determined that the healthcare and education sectors are specific targets, though it is currently a small campaign that has yet to wreak havoc on either.

That brings us to the fourth finding: the Internet of Things. Ankit Anubhav, a researcher at New Sky Security, reported thousands of leaked IoT Telnet credentials. Telnet sends the login dialogue, and everything typed after it, in cleartext, so anyone positioned on the network path can read it. “Telnet credentials and data can be ‘sniffed’ or otherwise stolen by using certain popular hacking tools available on a variety of platforms,” Kim wrote.
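As an added example (not part of Kim's report or of the leaked list), the following constructed Telnet login exchange shows why sniffing works: once the RFC 854 option-negotiation bytes are stripped, the username and password are simply the client's next lines after the server's prompts. The session bytes, hostname and credentials are invented for the illustration.

```python
"""Added example: why Telnet credentials can be sniffed. Telnet carries the
login dialogue in cleartext, so a passive observer only has to strip the
option-negotiation bytes and pair the server's prompts with the client's
replies. The session below is constructed for this illustration; it is not
a capture from the leaked credential list."""
import re

IAC, SE, SB = 255, 240, 250            # RFC 854 command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254
ECHO, SGA, NAWS = 1, 3, 31             # options used in the sample

# Constructed capture: (direction, TCP payload) in wire order.
# "S" is server->client, "C" is client->server.
SESSION = [
    ("S", bytes([IAC, WILL, ECHO, IAC, WILL, SGA])),
    ("C", bytes([IAC, DO, ECHO, IAC, DO, SGA, IAC, WILL, NAWS,
                 IAC, SB, NAWS, 0, 80, 0, 24, IAC, SE])),   # 80x24 window
    ("S", b"\r\n(none) login: "),
    ("C", b"admin\r\n"),
    ("S", b"admin\r\nPassword: "),     # server echoes the login, not the password
    ("C", b"12345\r\n"),
    ("S", b"\r\nBusyBox v1.01 built-in shell\r\n# "),
    ("C", b"cat /etc/passwd\r\n"),
]


def strip_telnet_negotiation(data):
    """Remove IAC command sequences, leaving the bytes the user typed."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at segment end
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # NOP, GA and other two-byte commands
    return bytes(out)


def extract_logins(session):
    """Pair login/password prompts in the server stream with the client's
    next full line. Returns a list of (username, password) tuples."""
    creds, expecting, user, pending = [], None, None, b""
    for direction, payload in session:
        clean = strip_telnet_negotiation(payload)
        if direction == "S":
            prompt = clean.decode("latin-1").lower()
            if "password:" in prompt:
                expecting = "pass"
            elif "login:" in prompt or "username:" in prompt:
                expecting = "user"
            continue
        pending += clean
        # Telnet ends lines with CR LF or CR NUL; keep any unterminated tail
        # so a login split across TCP segments is still reassembled.
        *lines, pending = re.split(rb"\r\n|\r\x00|\n", pending)
        for raw in lines:
            line = raw.decode("latin-1")
            if expecting == "user":
                user = line
            elif expecting == "pass":
                creds.append((user, line))
            expecting = None
    return creds


if __name__ == "__main__":
    for user, password in extract_logins(SESSION):
        print(f"cleartext login: {user!r} / {password!r}")
```

Nothing in this is cryptanalysis; it is bookkeeping over bytes that were never protected. That is the practitioner's takeaway: a device that still exposes Telnet leaks its credentials to anyone on the path, and the fix is to disable Telnet in favour of SSH and replace default credentials, not to hope the password is strong.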

The fifth element of Kim’s report is the U.S. Food and Drug Administration’s emphasis, on August 29, that many medical devices can be vulnerable to both exploits and intrusions; the FDA pointed specifically to St. Jude Medical’s implantable cardiac pacemakers. St. Jude developed a firmware update, which the FDA approved.

“We are hearing more and more about new vulnerabilities – but old vulnerabilities never die. There are well-known vulnerabilities that are 10-15 years old that are still pretty effective against many systems,” Kim said. “When you are deciding what to patch, don't just focus on what's new. Pay attention to what's old and effective as well.”

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com