Tuesday, May 03, 2016
American Dental Association Mails Malware Infected USBs to Dentists Nationwide
The American Dental Association (ADA) has unintentionally mailed 37,000 USB flash drives, laced with malware, to dental offices across the U.S.
According to KrebsOnSecurity.com, the problem was initially found in a post by a DSL Reports Security Forum member. Krebs wrote that a “Mike” from Pittsburgh… “looked at the code inside one of the files on the flash drive and found it tries to open a webpage that has long been tied to malware distribution. The domain is used by crooks to infect visitors with malware that lets the attackers gain full control of the infected Windows computer.”
The ADA speculates that one of several duplicating machines in use at the manufacturer had become infected during one of its production runs. The association sent an email to its members alerting them about the infected flash drives, also noting that a computer’s antivirus software should detect any malware present… the keyword there being “should”.
Joe Dahlquist, Product Manager of ThreatSTOP, says, “The deployment of the malware was well executed, and allowed for a rapid proliferation of already difficult to detect software into a trusted network. Once plugged into a computer, the malware could – potentially – execute in the background, and go to work. This makes it both exceptional at doing what it does, and difficult to prevent what it specializes in: data theft. While the exact purpose of this security attack given is currently unknown to us, it’s safe to assume that the main goal was likely to export sensitive data, with healthcare data fetching a premium on the black market. In the meantime, the most elegant way to prevent communications to the C&C servers in cases such as this is to implement a DNS firewall to block communication attempts to known C&C servers, be it to drop off data or to attempt to simply ask what it is the program should do.”
Dodi Glenn, VP of cyber security at PC Pitstop, says, “Two immediate things come to mind here. First, the ADA should stop using removable media to send out information. Not only is it more expensive to mail a device out, it is also (obviously) less secure. Second, the ADA and their manufacturer should work together to understand how the malware got on the USB devices in the first place. Additionally, the manufacturer should contact all companies that have recently used their services, to let them know that their devices may also be infected.”
Stu Sjouwerman, CEO of KnowBe4, says, “This is a clear case where effective security awareness training would have prevented malware infections caused by infected USB devices. Anyone that has stepped through our training would think twice before plugging a device like that into their computer.”