Crypto Currency Miner Exploits Hospital

The Network: A 150-bed hospital in the Caribbean that provides in and outpatient services.

The Expectation: IT resources are to be used to serve internal hospital requirements. Devices that perform critical healthcare functions should not be negatively impacted by malware that steals CPU processing resources.

The Catch: A member server dedicated to a proximity card access system was observed to have very high CPU utilization, a tell-tale sign of coin mining.

The Find: The server was infected with crypto currency miner malware. This was causing the very high CPU usage, as well as periodic attempts by the malware to reach out to an external IP address (the payout address) on a non-standard port (8080) that is associated with multiple poor reputations domains (ending in .xyz). Analysis showed that the malware was running as a process called LogonUI.bak launched from the C;\Windows\Logs folder. This process is always running, ostensibly to provide the login screen, thus ensuring the malware survived reboot. In addition, the folder in which the malware was running had been added to the exclude list for the Anti-Virus software.

The Fix: Crypto coin minters can remain undetected for a long period of time. Remediation and mitigation steps include:

  1. Quarantine the server, re-image the hard drive, and reinstall the card access proximity system.
  2. Deploying solutions like Netsurion Endpoint Security can also detect and block crypto miners.
  3. Ensure that organizations are using web browser extensions that have anti-crypto mining extensions.
  4. Security awareness training should also include crypto currency mining warnings.

The Lesson: Up-to-date Anti-Virus and patching is necessary, but not sufficient in today’s threat landscape. Comprehensive SOC monitoring by security experts of outbound access by non-browsers, especially to non-standard ports, is necessary.