Hacker puts source code of HL7 software vendor PilotFish up for sale on dark web

It appears the threat actor known as ‘batwhatman’ infiltrated the developer’s SVN server and stole Java application code, customer data and employee information.
By Jessica Davis
10:46 AM

Security firm InfoArmor discovered that a cybercriminal placed the source code for all PilotFish Technology software up for sale on the dark web. PilotFish develops legacy standards, systems and technology software, including middleware to integrate disparate systems and HL7-supported medical devices.

The threat actor, called ‘batwhatman,’ is offering the source code on AlphaBay, an underground marketplace on the Tor network that cybercriminals actively use to sell illegal goods and services such as stolen digital data. Currently, the marketplace has over 90,000 members.

It appears the bad actors may have compromised a corporate SVN server and stolen various application code written in Java, according to InfoArmor. Some of the source code listings and filenames point to PilotFish business applications, with strings like ‘pieadmin,’ ‘EIPExecutor,’ and ‘eip-server.’

Based on the hacker’s comments, it appears the source code covers all of PilotFish’s products and includes more than 10,000 files, according to Andrew Komarov, chief intelligence officer for InfoArmor.

“This is clearly a risk to users of PilotFish Technology’s software, particularly in the healthcare industry and should raise significant concerns regarding the potential associated with third party providers being targeted by cyber criminals,” Komarov said.

The user ‘batwhatman’ also accessed PilotFish’s customer database and customer licensing system, which contains records and information about the company’s clients, according to the report. Further, it appears the bad actor also listed PilotFish employee information and online usernames.

The database includes data from 1,797 companies from the U.S., Canada, Australia, China and EU countries.

“This is clearly a risk to users of PilotFish Technologies software, particularly within the Healthcare industry and should raise significant concerns regarding the potential associated with third party providers being targeted by cybercriminals,” according to InfoArmor, which made the discovery on August 9.

“As demand for new systems and technology accelerates, this growth will also increase the threat of cyber-attack as cyber criminals continue to look for ways to exploit this growth for their own gain,” the report authors added. “As new systems are adopted, attack surfaces grow and new threat vectors emerge, fueling cyber-crime.”

The cybercriminal ‘TheDarkOverLord’ claimed to have compromised data of a software vendor in July, but didn’t initially name the victim. However, he or she later attempted to extort PilotFish through a Twitter account that has subsequently been deleted.

InfoArmor notified the National Healthcare ISAC of its findings and other appropriate findings to further risk mitigation. 

“The next steps for PilotFish should start with notifying their customers about the data breach and securing source codes in order to avoid any tampering and malware distribution,” Komarov said. “Then, to revoke possibly compromised digital certificates in order to avoid malware code signing, using their brand.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

