How a coffee machine brewed up ransomware, and other startling findings in the HIMSS cybersecurity report

Keep those software patches up to date but don’t rely too heavily on vendors and, of course, know that any connected device can be hacked.
By Tom Sullivan
01:39 PM
Share
coffee machine infected monitors

Coffee machines connected to an internal control room network instead of an isolated WiFi spot were infected in a factory cyberattack. 

Ransomware: Now it’s on the breakfast menu. 

A chemical engineer with a degree in computer science, in fact, posted on Reddit an account of an attack that took factory systems down.

A factory worker encountered a ransomware message, called the help desk and, after rebooting systems, went to grab a mug of java and found the same nefarious message that he called IT about. Only now it wasn’t on his PC screen but right there on all the coffee machines' displays.

“So long story short, the coffee machines are supposed to be connected to their own isolated WiFi network, however, the person installing the coffee machine connected the machine to the Internal control room network,” the anonymous Reddit poster wrote. “And then when he didn't get internet access remembered to also connect it to the isolated WiFi network.”  

[Register Now: Upcoming HIMSS Healthcare Security Forum]

What does this amusing tidbit have to do with healthcare, anyway? Hospitals have coffee machines, for one. But also it’s among the unexpected findings HIMSS Director of Privacy and Security Lee Kim discovered while compiling her new HIMSS Healthcare and Cross-Sector Cybersecurity Report.

Coffee machines are not the only susceptible devices, either. “Basically, if you have something that is a connected computer-implemented or computer-enabled device, it can get infected,” Kim said. “Then, it turns into a quest of what else can get infected. What’s also connected to that same network?”

One  answer to Kim’s question is the SMBLoris vulnerability that manifested in July. That’s SMB, as in the server message block protocol. Anyone doing a little math on Microsoft operating systems would realize that SMBLoris is a nearly 20-year vulnerability that affects every Microsoft operating system since Windows 2000.

Microsoft has not shared plans to address this hole with a security update, but the software giant recommended enterprise customers consider blocking access from the Internet to SMBv1.

[Also: Experts to address AI, Blockchain, ransomware and executive leadership at Healthcare Security Forum]

So much for summer months being slow, news-wise. July, it turns out, was packed with cybersecurity revelations.

Another is the Win32/Industroyer, aka CrashOveride, which Kim described as sophisticated malware currently geared toward industrial control systems. The code is eye-opening because of its “highly configurable payloads” that hackers could tweak to target other industries as well.

And then there’s the Android OS. Some devices running Android.Triada.231, researchers found, have malware embedded into the libandroid_runtime.so system library. Yes, that means it could have an impact on just about every Android app.  

Infosec pros should also know that Adobe said it will cease updating the Flash player in 2020. Once that happens, the company will no longer issue security patches and HTML5 will take over as the new web platform. 

The top takeaways from Kim’s report this month: Don’t rely too heavily on vendors but definitely keep pace with installing security patches and, of course, any connected devices or systems can be hacked.  

“Nothing replaces good cyber hygiene and defense in depth,” Kim said. “Unfortunately, as we have more things that are connected, there are more things that an attacker can compromise. Having things connected to super sensitive networks is never a good thing.” 

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn