CarefusionNew evidence suggests that a Web site hosting software updates for life saving medical equipment was the victim of a massive SQL injection attack and may have been redirecting visitors to a site serving up attacks and malicious software for months before the company became aware of the compromise.

The Web site viasyshealthcare.com was infected for more than two months, from March 23, 2012 to May 31, 2012, according to data from the anti-spam Web site Clean MX. The length of the compromise makes it likely that CareFusion’s customers – hospitals and other medical offices – may have been exposed to Web based attacks when they attempted to download software updates for the company’s medical devices.

Viasyshealthcare.com is a Web property that belongs to health care equipment maker CareFusion and used to distribute software updates for CareFusion’s Alaris-brand infusion pumps and AVEA, AirLife and LTV series ventilation and respiratory products. CareFusion did not respond to repeated requests for comment. The viasyshealthcare.com site was offline Monday afternoon. A message from CareFusion said the site was “temporarily unavailable.”

An analysis of viasyshealthcare.com suggests that the site was redirecting visitors to a Web domain, gbfhju.com. That domain was among those used by the “LizaMoon” gang to serve up malicious software to unsupected Web surfers

The infection on CareFusion’s software update Web site came to light last week after Kevin Fu, an assistant professor at the University of Massachusetts, Amherst, attempted to download a software upgrade for CareFusion’s AVEA respirators. The Web site offering the update was blocked by Google’s Safe Browsing service because it was serving up malicious content. Fu contacted CareFusion, DHS and the FDA regarding the incident.

While the exact source of the attack is unknown, an analysis by the Department of Homeland Security (DHS) last week revealed that CareFusion had been lax in updating the software used to host viasyshealthcare.com. Some of CareFusion’s Web sites were relying on six year old versions of ASP.NET and Microsoft Internet Information Services (IIS) version 6.0, which was released with Windows Server 2003. Both platforms have known, critical vulnerabilities and are highly susceptible to compromise if not patched and properly managed. 

DHS’s Industrial Control System (ICS) Computer Emergency Response Team (CERT) is working with CareFusion to address the widespread infection, Threatpost has learned. The FDA did not respond to a request for comment on its response to the infection at the medical device maker. That agency is responsible for the integrity of medical devices, though cyber security is an area that the FDA has been slow to embrace.

It is unclear how many CareFusion customers may have been affected by the Web site compromise.

The LizaMoon attacks date to March of 2011 and affected more than a million Web sites with malicious links to rogue antivirus products and other malware. The attacks targeted Web sites running on a wide variety of server platforms with SQL injection attacks that exploit holes in Web based applications using specially formed SQL (structured query language) statements that can give remote attackers access to back end systems and applications.

In the case of the viasyshealthcare.com domain, a SQL injection attack was used to insert malicious javascript, dubbed redirector.j, into the vulnerable site’s Web pages. Redirector.j is was then used to forward visitors to the viasyshealthcare.com site to gbfhju.com, a domain hosted in Russia and associated with the distribution of malware, phishing scams and other questionable content.

Categories: Compliance, Critical Infrastructure, Data Breaches, Malware, Privacy, Vulnerabilities, Web Security