Exploring Shodan for healthcare insights

A Bird's Eye View
3 min read · Apr 11, 2022

As many threat researchers know, Shodan is a search engine for Internet-connected devices: it continuously scans the public Internet for open ports, records the service banners and headers those ports return, collects it all into one giant database, and lets account holders search through it with filters such as port or protocol, organization, country, IP address or, on paid plans, CVE identifier.

It’s a very useful website for checking one’s own exposure (try searching your home router’s public IP or a personal website, for example), but like all useful things, in the hands of an unethical individual it’s a dangerously effective targeting tool.

Looking at this data from a patient’s perspective, what does the patching response to some of these vulnerabilities look like? Would you rather take your chances at a hospital whose IT team addresses these threats when they are announced, or at one that fixes them whenever it gets around to it?

Verified internet-facing vulnerabilities at US Hospitals (Source: Shodan)

Judging by the numbers here (fewer than 100 hosts at the highest peak, for CVE-2021-31206, an Exchange Server remote code execution bug patched in July 2021), Shodan has probably not picked up every device at every entity identified as a hospital in the U.S. It only sees what is exposed to the Internet, and it only reports a CVE as "verified" when its crawler actively checked for it rather than inferring it from a version string, so these counts are a floor, not a census. Other factors also matter: the severity of each CVE (Common Vulnerabilities and Exposures entry), whether the exposed host is isolated from anything sensitive, and how difficult the vulnerability is to exploit in practice.

One issue that definitely leaps off the page, however, is the number of CVEs from 2014 and 2015. The chart above shows two additional 2014 CVEs first appearing in August 2021. To an attacker this suggests two things: an older, possibly end-of-life operating system or application facing the Internet, and a very, very slow patching cycle, if there is one at all.
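To make the analysis above concrete, here is an added Python example (not code from the original post, and not Shodan's own client): it assembles a Shodan query from the filters mentioned earlier, then summarises the `vulns` field of host-search results by CVE year, separating verified from unverified findings and listing the CVEs old enough to signal a stalled patching cycle. It assumes the JSON banner shape Shodan returns (a `matches` list whose entries carry a `vulns` dict keyed by CVE ID with `verified`, `cvss` and `summary` fields) and Shodan's `org:`, `country:`, `port:`, `vuln:` and `vuln.verified:` search filters. The response embedded in it is a constructed sample, and the 2014 and 2015 identifiers in it are placeholders rather than real CVEs.

```python
"""Added example: build a Shodan query and summarise the `vulns` field of
host-search results by CVE year. The embedded response is a constructed
sample shaped like Shodan's JSON banners; it is not real data."""
import re
from collections import Counter

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def build_query(org=None, country=None, port=None, vuln=None, verified=False):
    """Assemble a Shodan search string from the filters the post mentions.
    Organization names may contain spaces, so that value is quoted."""
    parts = []
    if org:
        parts.append(f'org:"{org}"')
    if country:
        parts.append(f"country:{country}")
    if port:
        parts.append(f"port:{port}")
    if vuln:
        parts.append(f"vuln:{vuln}")
    if verified:
        # Restrict to CVEs Shodan's crawler actively confirmed.
        parts.append("vuln.verified:true")
    return " ".join(parts)


def cve_year(cve_id):
    """Year component of a CVE ID, or None if the ID is malformed."""
    match = CVE_RE.match(cve_id)
    return int(match.group(1)) if match else None


def summarise_vulns(search_response, verified_only=True):
    """Count CVEs per year across all matches and record which host:port
    pairs expose each CVE. With verified_only=True, CVEs that Shodan merely
    inferred from a version banner are dropped, mirroring the 'verified'
    charts in the post."""
    per_year = Counter()
    hosts_by_cve = {}
    for match in search_response.get("matches", []):
        host = f"{match.get('ip_str')}:{match.get('port')}"
        for cve_id, info in (match.get("vulns") or {}).items():
            if verified_only and not info.get("verified", False):
                continue
            year = cve_year(cve_id)
            if year is None:
                continue  # skip IDs that are not well-formed CVEs
            per_year[year] += 1
            hosts_by_cve.setdefault(cve_id, set()).add(host)
    return per_year, hosts_by_cve


def stale_cves(hosts_by_cve, observed_year, max_age_years=2):
    """CVE IDs at least max_age_years old relative to the observation year:
    the slow-patching signal the post highlights for the 2014/2015 entries."""
    return sorted(
        cve for cve in hosts_by_cve
        if observed_year - cve_year(cve) >= max_age_years
    )


# Constructed sample in the shape of a Shodan host-search response.
# CVE-2021-31206 is the ID discussed in the post; the 2014/2015 IDs are
# placeholders, not real CVE entries.
SAMPLE_RESPONSE = {
    "total": 3,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 443, "org": "Example Hospital",
         "vulns": {
             "CVE-2021-31206": {"verified": True, "cvss": 9.0, "summary": "constructed sample"},
             "CVE-2015-0000": {"verified": True, "cvss": 4.3, "summary": "constructed sample"},
         }},
        {"ip_str": "203.0.113.11", "port": 443, "org": "Example Hospital",
         "vulns": {
             "CVE-2021-31206": {"verified": True, "cvss": 9.0, "summary": "constructed sample"},
             # Inferred from a banner only; excluded from the verified view.
             "CVE-2014-0000": {"verified": False, "cvss": 5.0, "summary": "constructed sample"},
         }},
        {"ip_str": "203.0.113.12", "port": 25, "org": "Example Hospital",
         "vulns": {
             "CVE-2014-0000": {"verified": True, "cvss": 5.0, "summary": "constructed sample"},
         }},
    ],
}


if __name__ == "__main__":
    print(build_query(org="Example Hospital", country="US",
                      vuln="CVE-2021-31206", verified=True))
    per_year, hosts = summarise_vulns(SAMPLE_RESPONSE)
    for year in sorted(per_year):
        print(f"{year}: {per_year[year]} verified finding(s)")
    print("stale:", stale_cves(hosts, observed_year=2022))
```

Against live data you would fetch the response with `shodan.Shodan(api_key).search(build_query(...))` from the official `shodan` package and pass the result straight into `summarise_vulns`; note that the `vuln:` filter is only available on paid and academic Shodan plans.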

Narrowing the dataset down to the top ten values brings issues into focus.

Top 10 verified vulnerabilities on April 5th, 2022 (Source: Shodan)

At first glance, these numbers might not seem so bad. The highest count is under 25 hosts, and most entries are from 2021, so fairly recent, right? Maybe IT just needs a little more time to patch. That argument starts to fall apart once you take a closer look at what these CVE designations actually represent.

The following chart adds the description and severity score for each of the CVEs listed.

Searchable table of CVEs and their descriptions

The list reveals a handful of cipher-related vulnerabilities from 2015, embarrassing if not quite tragic. The batch of 2021 CVEs is much more concerning, however, for anyone who followed the HAFNIUM attacks last year.

In March 2021, HAFNIUM and other threat actors were scouring the Internet for unpatched Microsoft Exchange servers, mass-exploiting the chain that became known as ProxyLogon, and patching was treated as an emergency. A second Exchange chain, ProxyShell, was publicly detailed in August 2021, and by September it was known to be in use by the Conti gang, one of the largest ransomware groups in operation.

That set of exploits, together with other Exchange Server vulnerabilities, accounts for the spike in the 2021 data. That much is to be expected. But the chart below shows that some of these same vulnerabilities, well known by now as targets of nation-state threat actors and ransomware groups alike, remained unaddressed as recently as March 2022.

So, how do you think your local hospital is doing?

Unpatched 2021 vulnerabilities as of March 2022 (Source: Shodan)

Interested? Try it for yourself at trends.shodan.io.

A Bird's Eye View

Analyzing and commenting on mostly cybersecurity data, but possibly some other things along the way.