In our previous investigation, we uncovered a new campaign by the Chinese threat actor Silver Fox that abused Philips DICOM viewers to infect victims with a backdoor trojan. That discovery came out of a threat hunt for malicious software on VirusTotal (VT).
In this follow-up analysis, we take a closer look at our hunting methodology and show how we searched VT for malware. We used the eyeInspect and REM default-credential lists together with a database of the most common healthcare software names to identify malware exhibiting the following behaviours:
- Masquerading as legitimate healthcare applications by abusing well-known software names.
- Abusing credentials for medical systems to gain initial access.
- Interacting with medical devices by abusing healthcare protocols such as DICOM and HL7.
Key Findings of the Threat Hunt
Our analysis revealed three significant malware clusters targeting healthcare systems:
- A cluster of Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer.
- A sample of the Mindray Central Monitoring Station (CMS) infected with “Panda Burning Incense”. This CMS communicates with patient monitors via an IP address that was recently flagged by CISA and the FDA as a potential Chinese backdoor.
- Two botnet samples abusing credentials for GE Healthcare MUSE Cardiology Information Systems (CIS).
These findings underscore how IT malware frequently exploits healthcare systems, either by targeting them directly or by infecting weak systems that interact with medical devices. Encouragingly, we found no malware samples that abuse DICOM or HL7 directly, which is good news for defenders of clinical networks.
In our Medical Threat Hunt blog (Part 2), we analyze each of these findings in detail, examine their implications for healthcare security, connect this research to our earlier findings on risky medical systems, and provide mitigation recommendations for healthcare delivery organizations (HDOs).
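As an added illustration of the string-level triage this methodology implies (not the hunt's own tooling), the following Python checks a sample's printable strings against the three behaviours above; the software-name list, the credential pair, the marker strings and the sample blobs are constructed placeholders, not the eyeInspect/REM data the hunt used:

```python
"""String-level triage for the three behaviours hunted for on VT.

Added example, not the tooling behind the original hunt. The software-name
list, the credential pair, the marker strings and the sample blobs below are
constructed placeholders, not the eyeInspect/REM data the hunt used.
"""
import re

# Constructed stand-ins for the healthcare software-name database and the
# default-credential list; the real data is not reproduced here.
MEDICAL_SOFTWARE_NAMES = ["syngo fastView", "Mindray CMS", "MUSE"]
DEFAULT_CREDENTIALS = [("cis-placeholder-user", "cis-placeholder-pass")]

DICOM_UID_ROOT = b"1.2.840.10008"          # root of every standard DICOM UID
HL7_MSH = re.compile(rb"MSH\|\^~\\&\|")     # HL7 v2 MSH header, default encoding chars
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(sample: bytes) -> dict:
    """Classify one sample by the hunted behaviours and pull embedded IPv4 literals."""
    lowered = sample.lower()
    masquerade = [n for n in MEDICAL_SOFTWARE_NAMES if n.lower().encode() in lowered]
    creds = [u for u, p in DEFAULT_CREDENTIALS
             if u.encode() in sample and p.encode() in sample]
    return {
        "masquerade": masquerade,           # borrows a known medical software name
        "credential_abuse": creds,          # carries a medical-system default login
        "dicom": DICOM_UID_ROOT in sample,  # embeds standard DICOM UIDs
        "hl7": HL7_MSH.search(sample) is not None,
        "ips": sorted({m.decode() for m in IPV4.findall(sample)}),
    }


# Constructed blobs standing in for the printable strings of four samples.
SAMPLES = {
    "viewer": b"MZ\x90\x00 Siemens syngo fastView ... setup.exe",
    "botnet": b"\x7fELF cis-placeholder-user\x00cis-placeholder-pass\x00"
              b"185.244.25.200 185.244.25.202 cloudbot",
    "hl7": b"MSH|^~\\&|LAB|HOSP|EMR|HOSP|202501010000||ORU^R01|1|P|2.5",
    "dicom": b"\x01\x00 1.2.840.10008.1.1 VERIFICATION-SCU",
}


def triage_all() -> dict:
    """Run triage over every constructed sample, keyed by sample name."""
    return {name: triage(blob) for name, blob in SAMPLES.items()}
```

The DICOM check keys on the standard UID root rather than the "DICM" file magic, so it also catches network-speaking samples that embed SOP class or application context UIDs.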
Portable Executable Infectors in Medical Software
The first set of results includes two clusters of files infected with Portable Executable (PE) infectors – a type of malware that appends malicious code to legitimate Windows executables to facilitate further compromise.
During our analysis, we discovered 19 instances of Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer.
Siemens syngo fastView is typically distributed to patients alongside their medical imaging results, allowing them to view DICOM images on a personal Windows workstation. This software is not intended for use on medical workstations. It is also no longer maintained by Siemens and is known to contain vulnerabilities.
Floxif/Pioneer is a backdoor that infects executable and DLL files, enabling it to download and execute further malware on the victim’s system. It was initially discovered in 2012 and gained notoriety when it was used to distribute a trojanized version of the CCleaner utility in 2017. In 2021, it was identified in OT/ICS environments, though no confirmed targeted infections were reported.
All infected samples were submitted to VT from the US or Canada between November and December 2024.
We also identified one instance of a Mindray CMS infected with Panda Burning Incense/Fujacks. This CMS is a hospital software application that connects to multiple patient monitors and centralizes patient vitals and diagnostics.
Panda Burning Incense is a Chinese worm originally developed in 2006. It infected over 10 million devices before its creators were arrested in 2007. An updated version emerged in 2009 and the malware was last observed infecting enterprise systems in 2019.
The sample we identified was submitted in 2022 from the United States and exhibits behavior identical to the 2019 variant, specifically: downloading additional malware from 9z9t[.]com and reporting the infection to daohang08[.]com. As of this writing, the first domain no longer resolves to an IP address, but the second currently resolves to 154.85.233[.]136, a Hong Kong-based IP address.
CISA has flagged the Mindray CMS default connection behavior as a potential security risk. This CMS connects to patient monitors using the IP address 202.114.4[.]119 which was previously cited by CISA as a possible Chinese backdoor. While this behavior is not inherently malicious – the same IP address is used across multiple patient monitors and CMSs by default – CISA has warned that this configuration could expose patient monitors to remote code execution (RCE) risks.
As observed in a similar hunt in OT environments, we cannot confirm whether these infections were specifically targeted at healthcare environments. This type of malware is relatively old and can spread through multiple vectors, including other infected files downloaded from the internet, infected USB drives used for file transfers, or via networks compromised due to poor segmentation between IT and medical systems.
The infections through the DICOM viewer samples most likely occurred on patients' personal computers, as that is the intended use case for the software. In contrast, the infection observed in the CMS is more likely to have originated within a healthcare facility where the software is actively used to monitor patient data.
Botnets Targeting GE Healthcare MUSE
Our second key finding involves botnet samples that exploit the default password for the GE Healthcare MUSE Cardiology Information System.
However, these botnet samples are ELF binaries, meaning they cannot execute on the Windows-based systems that host the MUSE application. Instead, these samples likely function as “vulnerability collectors”, scanning for exposed or misconfigured systems and reporting findings to a command and control (C2) server or human operator. Once a system is identified, an attacker could then deploy additional tools to compromise it further.
MUSE is widely used in healthcare organizations to streamline cardiac data management by facilitating the delivery, distribution and analysis of critical electrocardiogram (ECG) data. It aggregates cardiac measurements, diagnostic text interpretations and digitized ECGs.
Given its role in storing and analyzing patient cardiac data, unauthorized access to MUSE systems could pose significant security and privacy risks for healthcare organizations.
The two samples found exploiting credentials for this system are listed below:
| Sample | Downloader IP | Submissions |
|---|---|---|
| d6155a83e85dad5f8e66267c99bc6152dff5a5f53ec67ccd3b8cf1f1a0193b73 | 141.98.11[.]96 | US, Turkey and Germany; six times between March and July 2024 |
| 97f71348c5ebc187091ec61860110473ab4f2ca78dcae9890e5fbec5c45ad4be | 91.234.99[.]177 | South Korea, twice in 2019; US, twice in 2024 between April and July |
The two botnet samples identified in our analysis are classified on VT as Mirai/Gafgyt variants. However, the second sample exhibits characteristics consistent with AirDropBot (also known as CloudBot), based on its original filename (“sh4.cloudbot”) and strings present in the sample, such as “airdropmalware” and “cloudbot storing your data in the clouds”.
Beyond the IP addresses hosting these samples (listed in the table above), the second sample also contained an embedded domain name, stresser[.]pw, and two embedded IP addresses, 185.244.25[.]200 and 185.244.25[.]202.
These indicators suggest that the second botnet sample may be linked to DDoS-for-hire services (a.k.a. booters/stressers) commonly associated with AirDropBot-based malware campaigns.
Mitigation Recommendations
Our previous and current threat hunts have identified multiple threat types relevant to healthcare organizations, including:
- Infected DICOM viewers, which are likely targeting patients rather than hospitals directly.
Beyond our findings in this blog and the previous threat hunt, DICOM viewers have been abused in at least one campaign in 2024. These applications are either compromised by common IT malware or used as lures for sophisticated APT attacks. While an infected DICOM viewer may seem like a greater risk to patients, real-world scenarios – such as patients bringing their own devices into hospitals for diagnosis, or emerging hospital-at-home programs – demonstrate how these infections could spread beyond a personal workstation and serve as an initial access vector for healthcare organizations.
- Malware targeting hospital systems, such as CMS and CIS.
The infected CMS sample and botnets targeting CIS highlight that healthcare-specific systems are also vulnerable, not just patient devices. The infected CMS sample was likely from a real hospital and contained a decades-old worm, suggesting it probably runs a decades-old operating system, is connected to the internet, and is highly susceptible to many other more modern attacks – a major risk considering it controls multiple patient monitors.
Beyond these individual findings, our research reinforces key healthcare cybersecurity challenges. Threats originate both inside and outside HDOs. DICOM remains a high-risk protocol, as discussed in our recent report, due to its extensive use across interconnected systems within hospitals, including regular workstations and medical devices.
To minimize cybersecurity risks and enhance resilience, we recommend the following risk mitigation actions for HDOs:
- Identify and classify every asset
HDOs must often contend with medical devices running legacy operating systems, making them inherently vulnerable to attacks. HDOs must first identify and classify all connected devices to assess their risk exposure. Devices that cannot be retired or patched should be segmented appropriately to restrict access to only critical information and services.
- Limit external communications and implement effective segmentation
Network flow mapping is essential for designing effective segmentation zones separating IT, IoT, OT and IoMT devices. Mapping communications not only helps create segmentation zones but also provides insight into external and internet-facing connections. This approach can identify unintended external communications, helping to prevent unauthorized access and lateral movement within the network.
- Monitor all network traffic and endpoint telemetry for threat detection
Network packets may contain malicious payloads, including attempts to exploit vulnerabilities or drop malware on healthcare systems. Endpoint telemetry can reveal the presence of malicious files or anomalous system behavior. Correlating network and endpoint signals allows defenders to detect and respond to threats faster and more effectively.
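The three steps above can be exercised against flow records once assets are classified. The Python below is an added example, not Forescout's code or any product's; the asset inventory and flow records are constructed, and the watchlist holds the CMS default-peer address and the AirDropBot C2 addresses cited earlier in this post:

```python
"""Flag unintended external and cross-zone flows from IoMT assets.

Added example, not Forescout's or any product's code. The asset inventory and
flow records are constructed; 202.114.4.119 (the CMS default peer) and the
185.244.25.200/.202 AirDropBot C2 hosts are the addresses cited in the text.
"""
import ipaddress

# Constructed inventory from the "identify and classify" step: address -> zone.
ASSETS = {
    "10.20.1.10": "IoMT",   # mindray-cms-01
    "10.20.1.21": "IoMT",   # patient-monitor-07
    "10.30.5.40": "IoMT",   # muse-cis-01
    "10.10.0.55": "IT",     # nurse-ws-12
}
# Destinations the findings above tie to risk; any IoMT flow to them is an alert.
WATCHLIST = {"202.114.4.119", "185.244.25.200", "185.244.25.202"}
# Zone pairs allowed to initiate traffic: IT may reach IoMT, not the reverse.
ALLOWED_CROSS_ZONE = {("IT", "IoMT")}

def review_flow(src: str, dst: str) -> list:
    """Return findings for one src->dst flow; an empty list means it is expected."""
    findings = []
    s, d = ASSETS.get(src), ASSETS.get(dst)
    dst_internal = ipaddress.ip_address(dst).is_private
    if s == "IoMT" and not dst_internal:
        findings.append("iomt-to-internet")  # 202.114.4.119 is not RFC 1918 space
    if dst in WATCHLIST:
        findings.append("watchlist-destination")
    if s and d and s != d and (s, d) not in ALLOWED_CROSS_ZONE:
        findings.append("unexpected-cross-zone")
    if s == "IoMT" and d is None and dst_internal:
        findings.append("iomt-to-unknown-internal")  # gap in the asset inventory
    return findings

# Constructed flow records (src, dst) as a flow collector might export them.
FLOWS = [
    ("10.20.1.10", "10.20.1.21"),      # CMS to its monitor: expected
    ("10.20.1.10", "202.114.4.119"),   # CMS to the default peer address
    ("10.30.5.40", "185.244.25.200"),  # CIS reaching an AirDropBot C2 host
    ("10.20.1.21", "10.10.0.55"),      # monitor initiating to an IT workstation
    ("10.10.0.55", "10.30.5.40"),      # IT workstation to CIS: allowed direction
    ("10.20.1.10", "10.20.9.9"),       # CMS to an unclassified internal host
]

def review_all() -> dict:
    """Map each flow that produced findings to its finding list."""
    return {flow: hits for flow in FLOWS if (hits := review_flow(*flow))}
```

Because the CMS default peer sits in public address space, the same flow trips both the internet-egress and the watchlist rule, which is the point: a factory default can look exactly like an exfiltration path until the inventory says otherwise.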
IoCs