{
	"id": "3369d93c-5adb-48ec-8be0-c558c5b17926",
	"created_at": "2026-04-06T00:13:36.357582Z",
	"updated_at": "2026-04-10T13:12:07.259593Z",
	"deleted_at": null,
	"sha1_hash": "575387ef16724c2727b65c2db13d71c9d8884541",
	"title": "Time of death? A therapeutic postmortem of connected medicine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1726096,
	"plain_text": "Time of death? A therapeutic postmortem of connected medicine\r\nBy Denis Makrushin\r\nPublished: 2018-03-13 · Archived: 2026-04-05 14:51:47 UTC\r\n#TheSAS2017 presentation: Smart Medicine Breaches Its “First Do No Harm” Principle\r\nAt last year’s Security Analyst Summit 2017 we predicted that medical networks would be a titbit for cybercriminals. Unfortunately, we were right. The number of medical data breaches and leaks is increasing. According to public data, this year is no exception.\r\nFor a year we have been observing how cybercriminals encrypt medical data and demand a ransom for it, how they penetrate medical networks and exfiltrate medical information, and how they find medical data on publicly available medical resources.\r\nhttps://securelist.com/time-of-death-connected-medicine/84315/\r\nPage 1 of 14\n\nThe number of medical data breaches and leaks per year (source: HIPAA Journal)\r\nOpened doors in medical networks\r\nTo find a potential entry point into medical infrastructure, we extract the IP ranges of all organizations that have the keywords “medic”, “clinic”, “hospit”, “surgery” and “healthcare” in the organization’s name, then we start masscan (a port scanner) and parse the specialized search engines (like Shodan and Censys) for publicly available resources of these organizations.\r\nMasscan report extract\r\nOf course, medical perimeters contain a lot of trivial open ports and services, like web servers, DNS servers, mail servers, etc. And you know that’s just the tip of the iceberg. The most interesting part is the non-trivial ports. We left out trivial services because, as we mentioned in our previous article, those services are out of date and need to be patched. 
For example, the web applications of electronic medical records that we found on the perimeters were in most cases out of date.\r\nThe most popular ports are the tip of the iceberg. The most interesting part is the non-trivial ports.\r\nThe most popular open ports on medical perimeters (18,723 live hosts; 27,716 open ports)\r\nUsing the ZTag tool and Censys, we identify what kinds of services are hidden behind these ports. If you look deeper into the embedded tags you will see different things: for example printers, SCADA-type systems, NAS, etc.\r\nTop services on medical network perimeters\r\nExcluding these trivial things, we found Building Management systems that are out of date. Devices using the Niagara Fox protocol usually operate on TCP ports 1911 and 4911. They allow us to gather information remotely from them, such as application name, Java version, host OS, time zone, local IP address, and software versions involved in the stack.\r\nExample of extracted information about Niagara Fox service\r\nOr printers that have a web interface without an authentication request. The dashboard is available online and allows you to get information about internal Wi-Fi networks or, probably, about documents that appeared in “Job Storage” logs.\r\nShodan told us that some medical organizations have an open port 2000. It’s a smart kettle. We don’t know why, but this model of kettle is very popular in medical organizations. 
And there is publicly available information about a vulnerability that allows a connection to the kettle to be established using a simple password and information about the current Wi-Fi connection to be extracted.\r\nMedical infrastructure has a lot of medical devices, some of them portable. Devices like spirometers or blood pressure monitors support the MQTT protocol to communicate with other devices directly. Brokers, one of the main components of MQTT communication (see here for detailed information about the components), are available through the Internet and, as a result, we can find some medical devices online.\r\nNot only Smart Home components, but also medical devices, are available via MQTT\r\nSpirometer\r\nThreats that affect medical networks\r\nOK, now we know how they get in. But what’s next? Do they search for personal data, or want to get some money with a ransom, or maybe something else? Money? It’s possible… anything is possible. Let’s take a look at some numbers that we collected during 2017.\r\nThe statistics are a bit worrying. More than 60% of medical organizations had some kind of malware on their servers or computers. The good news is that if we counted something here, it means we deleted the malware from the system.\r\nAttacks detected in medical organizations, 2017\r\nAnd there’s something even more interesting: organizations closely connected to hospitals, clinics and doctors, i.e. the pharmaceutical industry. Here we see even more attacks. 
The pharmaceutical industry means “money”, so it’s another titbit for attackers.\r\nAttacks detected in pharmaceutical organizations, 2017\r\nLet’s return to our patients. Where are all these attacked hospitals and clinics? Here the numbers are relative: we divided the number of devices in medical organizations in the country with our AV by the number of devices where we detected malicious code. The TOP 3 were the Philippines, Venezuela and Thailand. Japan, Saudi Arabia and Mexico took the last three spots in the TOP 15.\r\nSo the chances of being attacked really depend on how much money the government spends on cybersecurity in the public sector and the level of cybersecurity awareness.\r\nAttacked devices in medical organizations, TOP 15 countries\r\nIn the pharmaceutical industry we have a completely different picture. First place belongs to Bangladesh. I googled this topic and now the stats look absolutely ok to me. Bangladesh exports meds to Europe. In Morocco big pharma accounts for 14% of GDP. 
India, too, is on the list, and even some European countries are featured.\r\nAttacked devices in pharmaceutical organizations, TOP 15 countries\r\nOn one in ten devices, and in more than 25% of medical and 10% of pharmaceutical companies, we detected hacktools: pentesting tools like Mimikatz, Meterpreter, tweaked remote administration kits, and so on. This means that either medical organizations are very mature in terms of cybersecurity and perform constant audits of their own infrastructure using red teams and professional pentesters, or, more likely, their networks are infested with hackers.\r\nHacktools: Powerpreter, Meterpreter, Remote admin, etc.\r\nAPT\r\nOur research showed that APT actors are interested in information from pharmaceutical organizations. We were able to identify victims in South East Asia, or more precisely, in Vietnam and Bangladesh. The criminals had targeted servers and used the infamous PlugX malware or Cobalt Strike to exfiltrate data.\r\nPlugX RAT, used by Chinese-speaking APT actors, allows criminals to perform various malicious operations on a system without the user’s knowledge or authorization, including but not limited to copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as well as Cobalt Strike, is used by cybercriminals to discreetly steal and collect sensitive or profitable information. 
During our research we were unable to track the initial attack vectors, but there are signs that they could be attacks exploiting vulnerable software on servers.\r\nTaking into account the fact that hackers placed their implants on the servers of pharmaceutical companies, we can assume they are after intellectual property or business plans.\r\nHow to live with it\r\nRemove all nodes that process medical data from public\r\nPeriodically update your installed software and remove unwanted applications\r\nRefrain from connecting expensive equipment to the main LAN of your organization\r\nMore tips at “Connected Medicine and Its Diagnosis”.\r\nSource: https://securelist.com/time-of-death-connected-medicine/84315/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/time-of-death-connected-medicine/84315/"
	],
	"report_names": [
		"84315"
	],
	"threat_actors": [],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/575387ef16724c2727b65c2db13d71c9d8884541.pdf",
		"text": "https://archive.orkl.eu/575387ef16724c2727b65c2db13d71c9d8884541.txt",
		"img": "https://archive.orkl.eu/575387ef16724c2727b65c2db13d71c9d8884541.jpg"
	}
}