McAfee’s Advanced Threat Research team has released two new pieces of research: one reveals previously undiscovered links among major North Korean threat actors and malware families, the other sets out the real cyber-threat risks to medical devices.
The research was announced during Black Hat USA 2018, which took place between August 4 and 9.
Douglas McKee, Senior Security Researcher for the McAfee Advanced Threat Research team, also outlined research on cyber-risks to medical devices in a blog on the cybersecurity firm’s website.
McAfee’s research team discovered a weakness in one of the networking protocols used by medical devices to monitor a patient’s condition and vitals. This protocol is utilised in some of the most critical systems used in hospitals.
The weakness discovered allows data to be modified by an attacker in real-time to provide false information to medical personnel. Lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors.
For this attack to be viable, an attacker would need to be on the same network as the devices and have knowledge of the networking protocol. Any modifications made to patient data would need to be believable to medical professionals for there to be any impact.
The research also outlined the general lack of security mitigations in the medical devices field, the risks they pose, and techniques to address them.
McKee wrote: “During our research we did not modify the patient monitor, which always showed the true data, but we have proven the impact of an attack can be meaningful. Such an attack could result in patients receiving the wrong medications, additional testing and extended hospital stays – any of which could incur unnecessary expenses.”
Both product vendors and medical facilities can take measures to drastically reduce the threat of this type of attack, he said.
Vendors can encrypt network traffic between the devices and add authentication. These two steps would drastically increase the difficulty of this type of attack.
Vendors also typically recommend that medical equipment is run on a completely isolated network with very strict network-access controls. If medical facilities follow these recommendations, attackers would require physical access to the network, greatly reducing the attack surface.
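The two vendor-side mitigations above, shown as an added example that is neither McAfee’s code nor the protocol of the product it tested (the article does not name that protocol): a constructed, hypothetical vitals message is first accepted by a central station with no check at all, so an on-path rewrite of the heart rate is displayed as patient data, and then with an HMAC-SHA256 tag under a shared key, so the same rewrite and an unkeyed rogue device are both rejected. The field names, the `|` separator and the key handling are assumptions; the example covers authentication and integrity only, not the traffic encryption the article also recommends.

```python
import hashlib
import hmac
import json
import os

# Hypothetical wire format, constructed for this example: a UTF-8 JSON body,
# optionally followed by "|" and a hex HMAC-SHA256 tag over the body.
# It is not the protocol McAfee tested (the article does not name it).


def encode_vitals(monitor_id, heart_rate, spo2, key=None):
    """Bedside monitor side. With key=None the message is unauthenticated;
    with a shared key an HMAC tag is appended so the station can verify it."""
    body = json.dumps(
        {"monitor": monitor_id, "hr": heart_rate, "spo2": spo2}, sort_keys=True
    ).encode()
    if key is None:
        return body
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def _split(wire):
    """Separate body and tag; tag is None when the message carries none."""
    body, sep, tag = wire.rpartition(b"|")
    return (wire, None) if not sep else (body, tag)


def receive_unauthenticated(wire):
    """Central station with no authentication: whatever arrives is trusted."""
    body, _ = _split(wire)
    return json.loads(body)


def receive_authenticated(wire, key):
    """Central station with a shared key: returns the vitals dict, or None
    when the tag is missing or does not verify (tampered or rogue sender)."""
    body, tag = _split(wire)
    if tag is None:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def on_path_modify(wire, field, new_value):
    """Attacker on the same network rewrites one field of the JSON body in
    transit (the real-time modification the article describes), leaving
    any tag untouched."""
    body, tag = _split(wire)
    vitals = json.loads(body)
    vitals[field] = new_value
    new_body = json.dumps(vitals, sort_keys=True).encode()
    return new_body if tag is None else new_body + b"|" + tag


def demo():
    """Runs both scenarios and returns what the station ends up displaying."""
    # Unauthenticated: the station shows the attacker's value with no error.
    shown_plain = receive_unauthenticated(
        on_path_modify(encode_vitals("bed-7", 72, 98), "hr", 40)
    )["hr"]

    # Authenticated: tampering is detected, and a rogue device that does not
    # hold the key cannot impersonate the monitor either.
    key = os.urandom(32)  # shared key; provisioning it is out of scope here
    genuine = receive_authenticated(encode_vitals("bed-7", 72, 98, key), key)
    tampered = receive_authenticated(
        on_path_modify(encode_vitals("bed-7", 72, 98, key), "hr", 40), key
    )
    rogue = receive_authenticated(
        encode_vitals("bed-7", 30, 80, os.urandom(32)), key
    )
    return {
        "plain_shown_hr": shown_plain,  # 40: the attacker's value is displayed
        "genuine": genuine,             # {'hr': 72, ...}: accepted
        "tampered": tampered,           # None: rejected
        "rogue": rogue,                 # None: rejected
    }


if __name__ == "__main__":
    print(demo())
```

A tag alone does not stop replay of an old but genuine message, so a deployed design would also bind a sequence number or timestamp into the authenticated body; it also does not hide the vitals from anyone sniffing the segment, which is what the encryption step addresses.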
McKee added: “One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape.
“Through responsible disclosure we aim to assist and encourage the industry toward a more comprehensive security posture. As part of our policy, we reported this research to the vendor whose products we tested and will continue to work with other vendors to help secure their products.”
Undiscovered links between North Korea’s malware families
Meanwhile, joint research from McAfee and Intezer revealed previously undiscovered links between North Korea’s malware families and some of the largest and most successful cyberattacks to date.
The research was carried out in a joint effort by Jay Rosenberg, Senior Security Researcher at Intezer and Christiaan Beek, Lead Scientist and Senior Principal Engineer at McAfee.
The researchers examined code reuse across the major threat actors believed to be tied to North Korea, such as Lazarus and Hidden Cobra, and across malware campaigns including WannaCry, the Mydoom variant Brambul and recent cryptocurrency attacks, and uncovered new connections between them.
Four examples of reused code, including code from larger-scale, nationalism-motivated campaigns, were found to appear only in malware attributed to North Korea.
In their post, the researchers said: “Security vendors and researchers often use different names when speaking about the same malware, group or attack. This habit makes it challenging to group all the malware and campaigns.
“By taking a scientific approach, such as looking for code reuse, we can categorise our findings.”
For more information on the research, visit