The Network: A 150-bed hospital in the Caribbean that provides inpatient and outpatient services.
The Expectation: IT resources are to be used to serve internal hospital requirements.
The Catch: A member server dedicated to a proximity card access system was observed to have very high CPU utilization.
The Find: The server was infected with quark bitcoin miner malware. This was causing the very high CPU usage, as well as periodic attempts by the malware to reach out to an external IP address (the payout address) on a non-standard port (8080) that is associated with multiple poor-reputation domains (ending in .xyz). Analysis showed that the malware was running as a process called LogonUI.bak launched from the C:\Windows\Logs folder. This process is always running, ostensibly to provide the login screen (the name mimics the legitimate Windows LogonUI process), which is how the malware survived reboots. In addition, the folder in which the malware was running had been added to the antivirus exclusion list.
The Fix: This type of infection is very hard to remove. The best solution was to quarantine the server, re-image the hard drive, and reinstall the proximity card access system.
The Lesson: Up-to-date AV and patching are necessary, but not sufficient in today's threat landscape. Monitoring of outbound access by non-browser processes, especially to non-standard ports, is also necessary.
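As an added illustration of the monitoring the lesson calls for (this is not code from the original write-up), the script below scores network-connection events against the indicators seen in this case: a non-browser process reaching a non-standard port, a binary launched from C:\Windows\Logs, a name that impersonates LogonUI, a .xyz destination, and an AV exclusion covering the malware's folder. The event records, the exclusion list, and the browser and directory lists are constructed assumptions, not data from the hospital.

```python
"""Score connection events against the indicators from the card-access-server case."""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumption
STANDARD_PORTS = {80, 443}  # ports where outbound traffic from a non-browser is less surprising
# Assumption: folders from which a legitimate service binary would not normally run
SUSPICIOUS_DIRS = ("c:\\windows\\logs\\", "c:\\windows\\temp\\", "c:\\users\\public\\")
LEGIT_LOGONUI = "c:\\windows\\system32\\logonui.exe"

# Constructed sample events in the shape of a network-connection log (image, dest host, dest port).
# dst_port 0 marks a process that made no connection at all.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_host": "example.com", "dst_port": 443},
    {"image": r"C:\Windows\Logs\LogonUI.bak", "dst_host": "pool-example.xyz", "dst_port": 8080},
    {"image": r"C:\Windows\System32\svchost.exe", "dst_host": "update.example.net", "dst_port": 443},
    {"image": r"C:\Windows\System32\LogonUI.exe", "dst_host": "", "dst_port": 0},
]
# Constructed AV exclusion list; an exclusion covering the malware's folder is one of the tells.
SAMPLE_AV_EXCLUSIONS = [r"C:\Windows\Logs", r"C:\Program Files\CardAccess"]


def score_event(event, av_exclusions):
    """Return the names of every indicator one event triggers (empty list = clean)."""
    image = event["image"].lower()
    folder, _, name = image.rpartition("\\")
    hits = []
    if event["dst_port"] and name not in BROWSERS and event["dst_port"] not in STANDARD_PORTS:
        hits.append("non-browser outbound to non-standard port")
    if image.startswith(SUSPICIOUS_DIRS):
        hits.append("binary running from unexpected folder")
    if name.startswith("logonui") and image != LEGIT_LOGONUI:
        hits.append("impersonates LogonUI")
    if event["dst_host"].lower().endswith(".xyz"):
        hits.append("destination in low-reputation TLD")
    if any(folder == ex.lower().rstrip("\\") for ex in av_exclusions):
        hits.append("folder is excluded from AV scanning")
    return hits


def triage(events, av_exclusions):
    """Map each flagged image path to its indicators; events with no hits are omitted."""
    flagged = {}
    for event in events:
        hits = score_event(event, av_exclusions)
        if hits:
            flagged[event["image"]] = hits
    return flagged


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS, SAMPLE_AV_EXCLUSIONS).items():
        print(image, "->", "; ".join(hits))
```

Only the LogonUI.bak event is flagged; the genuine LogonUI.exe in System32 and the browser on port 443 score zero, which is the point of combining the checks rather than alerting on the process name alone.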