Honeypot Draws Thousands of Hackers to Fake Medical Websites

Jack Murtha
FEBRUARY 20, 2018
healthcare hack,ssh healthcare,doctor hack,hca news
Image has been cropped and resized. Courtesy of Armor.

From the outset, the medical practice’s 2 websites drew plenty of eyeballs. But it wasn’t the kind of attention anyone wants. Hackers, it turned out, were flocking to the platforms in droves. On average, 1 server attracted more than 560 scans and attempted attacks per week, a clear mark of the urgent cybersecurity threat facing healthcare.

Fortunately, the website was a so-called “honeypot,” a ploy designed to lure hackers to record and analyze their movements. The cybersecurity company Armor had teamed up with a third party to create the trap, launching 3 servers—1 with no firewall, 1 with some degree of protection, and a third with Armor’s proprietary technology, each mimicking a “public cloud environment that would be deployed by small and midsized businesses,” according to the resultant report. In this case, the honeypot used 2 medical practice websites, MetropolisPrimary.com and MetropolisMed.com.

“Unsurprisingly, the network was hit early and often,” Armor researchers wrote in the report. “Attacks started within minutes of the honeypot sensors being activated. Ultimately, each instance was scanned thousands of times by likely attackers.”

By the trial’s end, hackers had attacked the unsecured server more than 19,000 times, for roughly 2,500 attempts per week, over about 3 months, according to the survey. The server with a native firewall sustained an average of 563 hits each week, and the most guarded server saw 509 attacks per week.

Most of the attacks were SSH brute force authentication attacks, which experts said were automated to try to sneak into the serves by way of a large list of usernames and passwords. MySQL authentication attacks proved the second-most prevalent, according to the Armor report. In many cases, scanners searched for open ports but didn’t try to bust in, the authors noted.

Hackers tried to “move deeper into the system” hundreds of times, and roughly 3 “focused exploits” occurred each day, in each instance, wrote Wayne Reynolds, Armor’s vice president of security. “This malicious activity means that even a small misconfiguration or insecure application can quickly lead to a compromise by an opportunistic attacker,” he added.

Although researchers couldn’t determine if an IP address was legitimate, they found that most of the attacks were launched in China and the United States. (It’s possible that hackers employed steps to hide their tracks, but the Armor team did check whether the strikes came from TOR.) The Netherlands, meanwhile, set off more assaults than any other European country, and others came from South America, particularly Brazil, according to the report.

So, what can hospital administrators and other healthcare leaders learn from the honeypot?

“From a defensive standpoint, the attack data shows the importance of paying close attention to SSH security. Hackers certainly are,” Armor wrote. Further, best practices and password management must be “critical elements” in any cloud security strategy.

Armor also touted its services as a means to understand, report, and remediate the attacks.

Finally, the company noted, healthcare organizations should limit access, making only the necessary components available outside the company—and behind a firewall; restrict administrative control by establishing source IP-based controls; and keep their software up to date.

SHARE THIS SHARE THIS
107
Become a contributor