Database Attack – A Use Case in the Healthcare Industry

Price Health is one of the most reputable healthcare institutions in Korea, with multiple clinics and healthcare centers across the country that provide advanced medical support and equipment.

Kathy, a medical supervisor working on the frontline service, has access to all patient information on Price Health's internal server. She received a series of fraudulent email alerts, purporting to come from the IT team, asking her to change her password via a provided link for security purposes. Treating it as a priority, she clicked the link and changed her password on a phishing site that resembled the legitimate company website.

Unknowingly, her workstation (client terminal) was compromised by encrypted malware embedded in a legitimate SSL certificate. Because the malware is encrypted, it bypasses the network firewall, IPS and IDS. The antivirus solution was also evaded, as the attacker used a mix of open-source and modified tools to conceal the malware.

The malware began its operation and attempted to clone all database entries, including the patient records, from the central internal server to the attacker's command-and-control server. These accelerated I/O operations produced a sustained stream of reads visible to the firmware core of X-PHY®. X-PHY®, however, trusts no one: a sophisticated AI algorithm continually monitors all operations at the firmware kernel level, and it detected the unusual pattern of increased reads from the flash storage.

The AI algorithm then triggered the X-Guard threat lock to restrict physical access to the NAND flash storage and lock down the data at the firmware level. Alert notifications are sent immediately via a secured Ethernet network gateway that supports pre-configured Bluetooth (BLE), warning the security operations center and the network team to cut all external network access to the database, followed by access filtering from the internal network. The X-Factor encryption lock feature is then activated and requires 2FA verification to unlock the data.

X-PHY Protection Method

1. The Guardian Pro-X and Security Scout features within the X-Guard Threat Lock use AI at the firmware level to survey large amounts of data in real time and detect characteristics of malicious behavior, such as illegal data-cloning activity.

2. The X-Factor Encryption Lock feature triggers a data lockdown to prevent the attacker from accessing the data and activates the Keycode 2-factor verification.

3. X-PHY® enters safe mode and asks for a password to complete the 2-factor authentication.

4. While these events are occurring, the X-File Forensic Agent feature actively monitors them on X-PHY®.

5. The X-PHY® Forensic Agent is divided into a forensic front-end and a forensic back-end. The front-end monitors I/O requests, average data-write volume, LBA hashing tables, accumulative I/Os, etc., while the back-end parses the monitored events for these attributes and takes care of alert notifications, threat detection, behavioral analysis of threats, etc.

6. The Active Detective feature logs operations in the time domain during the monitoring window of I/O requests, such as the LBA block read/write pattern and the inward/outward data flow, in a hash table.

7. The Deep Investigation feature helps further analyze the modification and stealth techniques the malware adopted for data exfiltration, in order to improve the self-training AI algorithm.
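The sequence described in the use case and in steps 1 to 6 above (a drive-side monitor that tracks read volume and LBA coverage over a time window, locks read access when the pattern looks like wholesale cloning, keeps a time-domain event log, and then demands a second factor before unlocking) can be simulated in a short script. The Python below is an added illustration written for this page; it is not X-PHY® firmware or Flexxon code. The device geometry, the thresholds, the two workloads and the HMAC-derived unlock code are all constructed assumptions, chosen so that a normal record-lookup workload passes while a sequential full-device read trips the lock.

```python
"""Firmware-style I/O anomaly monitor (illustrative, not X-PHY's algorithm)."""
from __future__ import annotations

import hashlib
import hmac
import os
import random
from collections import deque
from dataclasses import dataclass

TOTAL_BLOCKS = 8192  # constructed device geometry for the simulation


@dataclass(frozen=True)
class IoEvent:
    ts: float      # seconds since boot
    op: str        # "read" or "write"
    lba: int       # first logical block address of the request
    blocks: int    # number of blocks in the request


def derive_unlock_code(secret: bytes, nonce: bytes) -> str:
    """Second factor: 8 hex digits from a shared secret and the nonce the drive
    publishes when it locks (HMAC-SHA256; an assumption, not the Keycode scheme)."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:8]


class DriveMonitor:
    """Sliding window over recent requests plus a per-LBA read hash table.

    A window whose read volume exceeds read_blocks_threshold while touching more
    than coverage_threshold of the device looks like cloning, not record lookups,
    so reads are locked until the second factor is presented.
    """

    def __init__(self, secret: bytes, window_s: float = 5.0,
                 read_blocks_threshold: int = 4000, coverage_threshold: float = 0.5):
        self.secret = secret
        self.window_s = window_s
        self.read_blocks_threshold = read_blocks_threshold
        self.coverage_threshold = coverage_threshold
        self.window: deque[IoEvent] = deque()
        self.lba_reads: dict[int, int] = {}   # LBA hash table: reads per block in window
        self.cumulative_read_blocks = 0        # accumulative I/O counter
        self.locked = False
        self.lock_nonce: bytes | None = None
        self.log: list[str] = []               # time-domain event log

    def _expire(self, now: float) -> None:
        """Drop requests older than the window and release their LBA counts."""
        while self.window and now - self.window[0].ts > self.window_s:
            ev = self.window.popleft()
            if ev.op == "read":
                for lba in range(ev.lba, ev.lba + ev.blocks):
                    self.lba_reads[lba] -= 1
                    if self.lba_reads[lba] == 0:
                        del self.lba_reads[lba]

    def observe(self, ev: IoEvent) -> str:
        """Feed one request; returns "ok", "denied" (already locked) or "locked"."""
        if self.locked and ev.op == "read":
            self.log.append(f"{ev.ts:.2f} denied read lba={ev.lba} n={ev.blocks}")
            return "denied"
        self.window.append(ev)
        if ev.op == "read":
            self.cumulative_read_blocks += ev.blocks
            for lba in range(ev.lba, ev.lba + ev.blocks):
                self.lba_reads[lba] = self.lba_reads.get(lba, 0) + 1
        self._expire(ev.ts)
        self.log.append(f"{ev.ts:.2f} {ev.op} lba={ev.lba} n={ev.blocks}")
        window_reads = sum(e.blocks for e in self.window if e.op == "read")
        coverage = len(self.lba_reads) / TOTAL_BLOCKS
        if window_reads > self.read_blocks_threshold and coverage > self.coverage_threshold:
            self.locked = True
            self.lock_nonce = os.urandom(8)  # published out of band with the alert
            self.log.append(f"{ev.ts:.2f} LOCK reads={window_reads} coverage={coverage:.2f}")
            return "locked"
        return "ok"

    def unlock(self, code: str) -> bool:
        """Release the lock only on a constant-time match of the second factor."""
        if not self.locked:
            return True
        expected = derive_unlock_code(self.secret, self.lock_nonce)
        if hmac.compare_digest(expected, code):
            self.locked, self.lock_nonce = False, None
            self.window.clear()
            self.lba_reads.clear()
            return True
        return False


def normal_lookups(n: int, seed: int = 1) -> list[IoEvent]:
    """Constructed clinic workload: small random reads of individual records."""
    rng = random.Random(seed)
    return [IoEvent(i * 0.05, "read", rng.randrange(TOTAL_BLOCKS - 8), 8) for i in range(n)]


def bulk_clone(start_ts: float) -> list[IoEvent]:
    """Constructed cloning workload: a sequential read of the whole device."""
    return [IoEvent(start_ts + i * 0.01, "read", i * 64, 64) for i in range(TOTAL_BLOCKS // 64)]


def run_scenario(secret: bytes = b"constructed-demo-secret") -> dict:
    """Normal traffic first, then the clone; report where the lock engaged."""
    mon = DriveMonitor(secret)
    normal_ok = all(mon.observe(e) == "ok" for e in normal_lookups(100))
    results = [mon.observe(e) for e in bulk_clone(start_ts=20.0)]
    first_lock = results.index("locked") if "locked" in results else -1
    return {"normal_ok": normal_ok, "first_lock": first_lock,
            "denied": results.count("denied"), "monitor": mon}


if __name__ == "__main__":
    r = run_scenario()
    print(r["normal_ok"], r["first_lock"], r["denied"])
    print("\n".join(r["monitor"].log[-3:]))
```

With the constructed thresholds the normal workload never exceeds a tenth of the device, so it is always accepted; the clone is stopped after 65 of its 128 requests, once both the volume and the coverage conditions hold, and every later read is denied until `unlock` receives the code derived from the drive's lock nonce. In a real deployment the thresholds would come from a trained model rather than constants, and the alert carrying the nonce is what the SOC acts on.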
