Fully revealing the medical network security risks during the epidemic! More than 80% of health apps have high-risk vulnerabilities, and brute force attacks occur 800,000 times a day
A look at digital healthcare cybersecurity from the perspective of an external attacker.
Text | Xiao Man
The COVID-19 epidemic is still spreading, and all countries are at a critical juncture in the fight against the epidemic. However, criminals have used the epidemic as an excuse to launch cyber attacks and online fraud, causing adverse effects. Digital medical network security has gradually become the "second battlefield in the fight against the epidemic."
Recently, the Security Research Institute of the China Academy of Information and Communications Technology released the "2020 Digital Healthcare: Cybersecurity Risk Research Report during the Epidemic Prevention and Control Period" (hereinafter referred to as the "Report").
The report analyzes the cybersecurity risks faced by the medical field during the epidemic prevention and control period from four aspects: public Internet security, mobile app security, new medical equipment and network attack trends.
The results show that among the units observed in February, 10,013 units were vulnerable, accounting for 62.79% of the observed units. In addition, the proportion of medical units with database services and file services exposed to the public Internet reached 29.8% and 28.88% respectively, involving a total of 21,000 data assets.
At the hospital level, a total of 330 security vulnerabilities were found in the health care industry, involving 251 medical institutions, accounting for 1.57% of all observed objects. Among them, private hospitals are at a higher risk, and public hospitals are subject to more attacks.
In terms of apps, the report team scanned 21,846 apps in the health and medical industry for vulnerabilities, and detected a total of 346,974 vulnerability records, involving 61 types of vulnerabilities, of which 23 were high-risk vulnerabilities. In addition, 84.15% of apps in the health and medical industry had security vulnerabilities to varying degrees, with an average of 18.88 vulnerabilities per app, and 81.24% of apps had high-risk vulnerabilities.
In terms of malicious programs, a total of 806 health and medical apps were found to contain malicious programs, an infection rate of 3.69%. By type, 64.05% of the infected apps carried malicious programs with rogue behaviour.
Through the analysis of medical network security risks and in-depth research on the changing trends of network security risks, the report provides work suggestions from four different aspects, providing ideas and references for building and improving the digital medical network security system.
If you want to obtain the full text pdf of this report, please reply to the keyword "317 report" in the Leiphone.com WeChat public account (leiphone-sz) to extract it.
Source: China Academy of Information and Communications Technology Security Research Institute "2020 Digital Healthcare: Cybersecurity Risk Research Report during Epidemic Prevention and Control"
1. Research on security risk trends of medical public networks during the epidemic
1. Exposure of digital assets slightly decreased, but security risks remained high
Among the units observed in February, 10,013 units were vulnerable, accounting for 62.79% of the observed units. The vulnerability of network assets in the healthcare industry remains high.
Based on the observation results, the report team found that the weaknesses in the healthcare industry most easily exploited by attackers fall into three categories: sensitive services exposed to the public Internet (39.28%), outdated service versions with publicly known vulnerabilities (44.39%), and exploitable high-risk open ports (49.46%).
In this observation, the proportion of medical institutions with database services and file services exposed to the public Internet reached 29.8% and 28.88% respectively, involving a total of 21,000 data assets. In terms of provincial distribution, Shandong, Guangdong, Sichuan, Jiangsu and other provinces have the largest number of exposed data services.
Upgrading application service components in a timely manner is one of the most important protective measures. This observation found that 7,080 units ran outdated component versions with publicly known vulnerabilities, 44.39% of all observed objects. Compared with last year's results, the number of affected units running OpenSSH, MySQL, Apache and other components has increased to varying degrees, and the risk situation is extremely severe.
In terms of ports, the observation results show that the largest number of institutions open MySQL port 3306, followed by SSH port 22, Windows Remote Desktop port 3389 and network printing port 9100.
It is worth noting that, because remote office work and remote operations and maintenance increased during the COVID-19 epidemic, the number of units with remote login ports 22 and 3389 open rose by 31.76% and 34.95% respectively compared with July 2019. Exposure of these two ports deserves special attention.
2. Vulnerability remediation has improved, but private hospitals have prominent problems
The research team conducted penetration tests on issues observed in the health care industry and found a total of 330 security vulnerabilities involving 251 medical institutions, accounting for 1.57% of all observed objects.
Compared with July 2019, the number of high-risk vulnerabilities has dropped significantly, and the weak-password problem has also been alleviated, falling from 411 to 48. Apache Struts2-related vulnerabilities, however, are on the rise; institutions are advised to follow the patch information for that service and fix the vulnerabilities promptly.
Judging from the proportion of units with security vulnerabilities in each province, the top four provinces are Zhejiang, Beijing, Guangdong and Jiangsu.
In addition, the research team focused on the five medical institutions with the most vulnerabilities: one Center for Disease Control and Prevention and four private hospitals. Notably, scans of all four private hospitals turned up high-risk vulnerabilities of different types, which to some extent reflects that private hospitals lag behind in protecting against network security vulnerabilities.
3. The risk of botnets and worms is increasing, and website tampering requires urgent attention
In order to facilitate the analysis and evaluation of changes in cyber attacks on the healthcare industry during the epidemic, the research team compared observation data from November 2019, January 2020, and February 2020.
After the outbreak, the number of units infected by most categories of malware, such as rogue software or adware, communication with malicious hosts, mining software, and exploit code, trended upward; only ransomware decreased slightly. It can be seen that during the epidemic the healthcare industry faces a more severe network security situation, with a higher risk of infection by malicious programs such as bots, Trojans and viruses.
Among the 10 medical institutions most seriously infected by malicious programs, 8 are public hospitals and 2 are private hospitals. The total number of malicious programs infected in these hospitals reached 907, accounting for 26.28% of the total number of malicious program samples. The relevant hospitals urgently need to improve their malicious program monitoring and protection capabilities.
Website tampering can be divided by its effect into explicit and implicit tampering. Explicit tampering mainly serves to let attackers make a statement, so the tampered content is visible; if it is replaced with illegal information, the impact is extremely bad. Implicit tampering is invisible and generally serves the attacker's illicit financial gain by implanting illegal content such as pornography, gambling and fraud.
This observation found that the tampered websites involved 171 units in total, of which 157 units were involved in websites tampered with for gambling purposes, and 18 units were involved in websites tampered with for pornography purposes.
Judging from the attack trend of website tampering, website tampering attacks in February 2020 increased significantly compared to November 2019, with an increase of 44.92%, and the growth trend was basically the same among various institutions.
4. Private hospitals are at higher risk, while public hospitals suffer more attacks
By comparing public hospitals and private hospitals in terms of the three major vulnerabilities of digital assets, we can see that although both public and private hospitals have a high proportion of network security risks, public hospitals are stronger than private hospitals in protecting against the three major vulnerabilities. This to a certain extent reflects that public hospitals have a stronger awareness of security protection than private hospitals.
In terms of security vulnerabilities, the proportion of private hospitals with high-risk and low-risk vulnerabilities exceeds that of public hospitals. In terms of malware infection, the number and proportion of public hospitals infected with malware exceed those of private hospitals. Since the outbreak of the COVID-19 epidemic, the number of infected units has trended upward, a pattern not seen among private hospitals.
Based on the above analysis, we can see that in terms of cybersecurity risk protection, public hospitals have stronger security awareness and means than private hospitals, and private hospitals face greater cybersecurity risks. However, from the actual attack results, public hospitals are more infected and implanted with malicious programs, and the number is increasing with the outbreak. It can be inferred that public hospitals are under more pressure from security attacks.
2. Mobile Medical App Security Risk Assessment
1. The risk of high-risk vulnerabilities represented by app counterfeiting is serious
The reporting team scanned 21,846 health care industry apps for vulnerabilities and detected a total of 346,974 vulnerability records, involving 61 vulnerability types, including 23 high-risk vulnerabilities.
Among apps in the health care industry, 84.15% have security vulnerabilities of varying degrees, with an average of 18.88 vulnerabilities per app. 81.24% of apps have high-risk vulnerabilities. Although this is a decrease from 88.83% in 2019, the risk of high-risk vulnerabilities in apps is still very serious.
Note: The figure shows the distribution of the top 10 high-risk vulnerability types.
In terms of high-risk vulnerability types, the number of apps with Janus vulnerabilities is the largest, accounting for 66.08% of the total monitored; followed by Java code packing detection, accounting for 53.89% of the total monitored; WebView remote code execution vulnerability ranks third, with 52.24% of apps having this vulnerability.
Attackers can exploit these vulnerabilities to counterfeit apps, implant malicious programs, steal sensitive user information, attack back-end services and so on, posing a serious threat to app security.
2. Malware infections represented by rogue behaviors are increasing
In terms of malicious programs, a total of 806 health and medical apps were found to contain malicious programs, an infection rate of 3.69%, compared with only 0.86% in 2019; the risk of malicious-program infection in health and medical apps has clearly increased.
In terms of the types of malicious programs, 64.05% of apps are infected by malicious programs with rogue behavior. Such malicious programs will pop up advertisement windows without user authorization, affecting the user experience and may cause privacy and security risks due to accidental clicks.
In addition, 16.01% of apps are infected by malicious programs that incur charges for the user: these programs cause financial losses by frequently connecting to the network without the user's knowledge or authorization.
3. Using third-party SDKs increases security risks
SDK is the abbreviation of Software Development Kit, which is a collection of relevant documents, examples and tools to assist in the development of a certain type of application software.
During development, developers often embed third-party SDKs to improve efficiency and reduce costs. However, third-party SDKs can themselves contain security vulnerabilities, malicious code, covert collection of personal information and other problems, so embedding them often brings security risks to the app.
This test found that a total of 9,636 health and medical industry apps embedded third-party SDKs, accounting for 44.11% of the total number of tests. On average, each app embedded 2.37 SDKs, and apps embedded with 5 or more SDKs accounted for 9.88%.
In comparison, in 2019, the proportion of health care industry apps embedded with third-party SDKs was only 25.58%. This shows that third-party SDKs are more commonly used in health care industry apps, and the security risks brought by SDK applications are also continuing to increase.
4. Insufficient App reinforcement worsens source code exposure
Android apps written in Java can easily be decompiled to expose the app's source code, which in turn leads to security issues such as app piracy, repackaging and code injection.
"Security reinforcement" (app hardening) is an important means of protecting app security and can effectively hinder disassembly and decompilation of the app. A hardened app is also more stable and avoids a certain degree of security risk.
This detection found that the proportion of apps in the health care industry that have been reinforced has dropped to 18.04% (the reinforcement ratio was 24.83% in 2019), and more than 80% of apps have not undergone security reinforcement, and the risk of Android app source code exposure has further worsened.
3. Risk analysis of new medical equipment applications during the epidemic
1. The epidemic has promoted the innovative development of the medical equipment industry
During the epidemic prevention and control process, driven by government policies, many scientific research talents in the industry have devoted themselves to the research and development of innovative medical equipment. Various new medical devices combining AI technology and robotics technology have been gradually applied and promoted.
For example, dedicated CT machines equipped with AI can quickly identify images of COVID-19, greatly reducing the workload of doctors in reading films; various types of robotic medical equipment that provide services such as disinfection, meal delivery, medication, temperature measurement, consultation, nursing, companionship, transportation, and ultrasound have rushed to the front line of defense; remote diagnosis and treatment video equipment, ultrasound equipment, surgical equipment, etc. based on 5G technology have supported the efficient application of remote medical collaboration, consultation, and surgery during the epidemic.
New medical devices are rapidly entering the market and being put into practice under the impetus of the COVID-19 epidemic. At the same time, the epidemic has also stimulated the rapid development of the medical device market. According to statistics from Ebrun Power, from January 1 to February 7, 2020, more than 3,000 companies nationwide added "medical devices" to their business scope.
2. The safety system of the medical equipment industry needs to be improved
While promoting the application of various new medical devices, we need to be vigilant about the network security risks brought by the application of new medical devices. Due to the particularity of medical devices, once a network security problem occurs, it may directly endanger the life and health of patients and cause extremely serious consequences.
At present, China's post-market supervision of medical devices relies mainly on adverse event reporting and recalls. However, because medical device manufacturers fail to report adverse events and other safety issues in a timely manner, it is common for the affected units or users to suffer huge losses.
According to the "National Medical Device Adverse Event Monitoring Annual Report (2018)" released by the National Medical Products Administration in October 2019, the National Medical Device Adverse Event Monitoring Information System received more than 400,000 suspected medical device adverse event monitoring reports in 2018.
With the deployment of various new medical devices, the network security of medical devices will face huge challenges. China's network security supervision of medical devices is still under construction, and the standards and mechanisms for network security supervision of the various device types need to be further improved and perfected.
4. Summary of characteristics of medical network security attacks during the epidemic
1. Phishing related to the epidemic has become the main attack method
After the outbreak of the COVID-19 epidemic, phishing attacks using themes related to COVID-19 have occurred frequently, becoming the most important means of cyber attacks during the epidemic.
Based on observation data, the research team found that the virus, Trojan and malicious programs used to carry out phishing by taking advantage of the new coronavirus epidemic are mainly folder viruses, worm viruses, backdoor remote control Trojans, backdoor program Trojans, etc., and are prefixed with keywords related to the epidemic, such as "Wuhan pneumonia", "new pneumonia", "coronavirus", "epidemic dynamics", and "list of mask manufacturers".
Underground criminal groups modify the sample's file name, disguise it and induce victims to download and run it in order to steal data, take control of user devices and so on. The organizations carrying out phishing attacks in this way include APT groups, hackers and underground criminal gangs, and the targeted regions include China, the United States, Japan and other countries.
In addition, the research team compiled six typical phishing attack samples, "new coronavirus formula.com", "open new coronavirus information.exe", "5 medical staff infected with new coronavirus!!.com", "new coronavirus training class.exe", "epidemic sundries.exe" and "epidemic important matters report.exe", which can be used for network-wide blocking and protection.
2. Brute force attacks on medical service authentication continue to be severe
The Spring Festival holiday is a "network freeze" period for companies, during which security policies are updated less promptly than usual, making it easy for hackers to launch attacks.
After the outbreak of the COVID-19 epidemic, in order to avoid the risk of cross-infection from gatherings of people, a large number of enterprises and institutions delayed their return to work or switched to remote work. To make remote work convenient for employees, enterprises often open remote services to the outside world that connect directly to sensitive information systems and even office intranets. In this situation, brute-force attacks on authentication have become hackers' most commonly used method.
On January 31 (the seventh day of the first lunar month, the first day back at work in previous years), hackers' brute force attacks on the medical industry reached a peak of 800,000 per day. Among them, the Windows remote desktop service (RDP) and the SQL Server database service were the hardest hit.
From the distribution of attack sources, more than 70% of authentication brute force attacks against medical industry customers on Tencent Cloud came from 125 countries outside China. As the control of data centers in the United States has become stricter, the United States has become a "cold area" for attack sources, while attacks from India and Russia have jumped to the forefront.
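As an added example (not code from the report or the article), the following Python script runs a sliding-window detection over constructed Windows 4625 failed-logon lines (logon type 10 = RDP) and SQL Server 18456 "login failed" lines, flagging a source address once its failures within a minute reach a threshold and noting whether many usernames were tried (password spray) or a single account. The one-line log formats, thresholds and addresses are assumptions for this example, not the report's data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real log data). Windows 4625 events are shown in a
# flattened one-line form; LogonType=10 is RemoteInteractive, i.e. an RDP logon.
# SQL Server 18456 is its "login failed" error, flattened here to one line per failure.
SAMPLE_LOG = """\
2020-01-31 08:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2020-01-31 08:00:02 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2020-01-31 08:00:02 EventID=4625 LogonType=10 User=root Src=203.0.113.7
2020-01-31 08:00:03 EventID=4625 LogonType=10 User=test Src=203.0.113.7
2020-01-31 08:00:04 EventID=4625 LogonType=10 User=guest Src=203.0.113.7
2020-01-31 08:00:05 EventID=4625 LogonType=10 User=scan Src=203.0.113.7
2020-01-31 08:03:10 EventID=4625 LogonType=2 User=nurse01 Src=10.0.0.5
2020-01-31 08:05:00 Error: 18456 Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2020-01-31 08:05:01 Error: 18456 Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2020-01-31 08:05:01 Error: 18456 Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2020-01-31 08:05:02 Error: 18456 Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2020-01-31 08:05:03 Error: 18456 Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2020-01-31 08:30:00 Error: 18456 Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2020-01-31 09:00:00 EventID=4625 LogonType=10 User=doctor02 Src=10.0.0.8
2020-01-31 09:10:00 EventID=4625 LogonType=10 User=doctor02 Src=10.0.0.8
"""

WIN_RE = re.compile(r"^(?P<ts>\S+ \S+) EventID=4625 LogonType=(?P<lt>\d+) "
                    r"User=(?P<user>\S+) Src=(?P<ip>[\d.]+)$")
SQL_RE = re.compile(r"^(?P<ts>\S+ \S+) Error: 18456 Login failed for user "
                    r"'(?P<user>[^']+)'\. \[CLIENT: (?P<ip>[\d.]+)\]$")


def parse_line(line):
    """Return (timestamp, service, user, ip) for a failed-auth line, else None."""
    m = WIN_RE.match(line)
    if m:
        if m.group("lt") != "10":      # keep only RDP (RemoteInteractive) failures
            return None
        service = "RDP"
    else:
        m = SQL_RE.match(line)
        if not m:
            return None
        service = "SQLServer"
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, service, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1), spray_users=3):
    """Alert once per (service, source IP) when failures inside `window` reach `threshold`."""
    recent = defaultdict(deque)   # (service, ip) -> timestamps still inside the window
    users = defaultdict(set)      # (service, ip) -> distinct usernames tried
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        ts, service, user, ip = rec
        key = (service, ip)
        q = recent[key]
        q.append(ts)
        users[key].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            spray = len(users[key]) >= spray_users
            alerts.append({"service": service, "src": ip, "failures": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat(),
                           "pattern": "password spray" if spray
                                      else "single-account brute force"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two sources are flagged on the sample: the RDP source that cycles through usernames (spray) and the SQL Server source hammering `sa`; the two spaced-out failures from the internal doctor02 account stay below the threshold.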
5. Suggestions on cybersecurity work during the epidemic
1. Strengthen safety standards and regulate industry development
With the in-depth application of new technologies such as the Internet of Things and 5G in the field of digital medicine, new medical devices and medical applications are constantly emerging, and there is an urgent need to build a sound and complete network security standardization system for the health and medical industry.
We should make full use of the practical experience of safe application of new technologies in the ICT field, support and build a security standard system in the fields of new medical equipment and medical applications, and promote the safe development of the field of digital medicine and ICT integration.
2. Continuous dynamic monitoring and establishment of a closed feedback loop
Cybersecurity risks are long-term and dynamically changing, and they vary from industry to industry. Therefore, it is very important to establish a cybersecurity risk observation mechanism and platform for the health care industry.
At the same time, dynamic risk monitoring needs to form a closed loop with risk feedback and disposal, and the monitored security risks should be fed back to the medical institutions at risk as soon as possible to repair relevant security vulnerabilities or upgrade relevant service versions, so as to effectively control and reduce the overall security risks of the health care industry.
3. Strengthen safety training and improve safety awareness
In fact, security risks discovered during security observations, such as data service exposure, low component versions, and open high-risk ports, are directly or indirectly related to people's lack of network security awareness.
Therefore, we should promote and strengthen network security-related training for health care industry practitioners, establish and improve internal network security management rules and regulations for medical institutions, standardize internal security operation processes from multiple aspects and perspectives, such as safe design, development, and maintenance of medical information systems, safe operation, and maintenance management of medical equipment, and safe collection, storage, and sharing of medical data, so as to effectively enhance the network security awareness of relevant personnel and implement network security responsibilities.
4. Focus on capacity building and form a long-term mechanism
Institutions related to the health care industry should enhance their comprehensive network data security protection capabilities, increase investment in the field of network data security, establish a systematic security guarantee system, and build a long-term security mechanism:
- Accelerate the network security level protection assessment work, identify security issues, and eliminate security risks.
- Regularly carry out cybersecurity risk assessments, evaluate the security status of medical equipment and medical information systems, and identify potential security risks.
- Collaborate with national professional security agencies to establish a safe integration and application mechanism for new medical equipment and technologies to ensure the safe development of new digital medical technologies.
Leifeng.com Note: The pictures in the article are taken from the "2020 Digital Healthcare: Cybersecurity Risk Research Report during Epidemic Prevention and Control"