SANS NewsBites

Healthcare Cybersecurity: Backdoored Patient Monitors; NY Blood Center Disrupted by Ransomware; CT Health Center Data Breach

February 4, 2025  |  Volume XXVII - Issue #9

Top of the News
2025-01-31

FDA and CISA Warn of Backdoors in Contec and Epsimed Patient Monitors

The US Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published documents advising that the firmware in some Contec and Epsimed internet-connected patient monitors contains a hardcoded-credential backdoor that could be exploited to put patient safety at risk. The backdoor could allow attackers to alter device configurations. The publications also note that the devices collect patient data, including protected health information and personally identifiable information, allowing exfiltration of the data 'outside of the health care delivery environment.' The issue affects Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. The FDA document includes recommendations for patients and caregivers, healthcare providers, and health care facility staff, including information technology (IT) and cybersecurity staff.

Editor's Note

These devices belong to that large population of appliances that should never be visible to the Internet, where any who may have implemented such backdoors can see and exploit them. Rule 1 is "a device must be able to protect itself from all traffic on any network to which it is attached." Rule 2 is "developers cannot be relied upon to implement Rule 1."

William Hugh Murray

Hardcoded credentials are the gift that keeps on giving. As seductive as hardcoded credentials are, just say no, and make sure you're not only checking for developer use of them but also checking any acquisitions as well. If you have a patient monitor, ask your healthcare provider if it allows for remote monitoring. If it does, the FDA is suggesting a replacement be obtained without that functionality, with only authorized wired connections for patient monitoring, but even so there are monitors with unauthorized wireless connections which are in use.

Lee Neely

This may be one of the very few times where a vendor/government has been caught red-handed. The vendor may have been operating on behalf of the government or collecting data for other business purposes; we don't really know. The hardcoded credential is one thing, but the hardcoded IP address, lack of logging, and use of port 515 are not explainable. Regardless, it's a violation of patient privacy and customer rights. The question becomes what you do about it. Contec is a global provider, often relabeling their products under different brand names, so there may not be sufficient competition in this market.

Curtis Dukes

I did a BSides Orlando Keynote in 2015 on regulations and how we can expect them at some point. One of those slides included a talk on Healthcare; given my background in Healthcare IT, I thought I would mention that if someone hacked one of those machines, we wouldn't have much forensic information about it. Well, I never thought I'd see an example of a backdoor or potential backdoor in a healthcare device, but here is one. Now comes the question: what exactly can this do, what was its intended purpose, and is it even nefarious given it will be beaconing to a university? I'm not sure we have all the answers, but this is fascinating.

Moses Frost

2025-01-31

Ransomware Disrupts Operations at New York Blood Center Enterprises

On Sunday, January 26, New York Blood Center Enterprises (NYBCe) detected suspicious activity on their IT systems; third-party investigators confirmed that the incident was a ransomware attack. NYBCe provides blood products to more than 400 healthcare organizations across 17 US states. The attack has caused the organization to postpone blood donor appointments and blood drive events. Over the past year, ransomware attacks have disrupted operations at several other blood donation and pathology organizations, including blood plasma provider Octapharma in April 2024, NHS pathology service Synnovis and South Africa's National Health Laboratory Service (NHLS) in June 2024, and blood donation non-profit OneBlood in July 2024.

Editor's Note

The NYBCe collects over 4000 units of blood per day, servicing over 75 million people. The attack came just after they announced a blood emergency after a 30% drop in donations (6500 units) crippled supplies. As of February 3rd, blood collection activities have resumed, planned blood drives are underway, and cancelled activities are being rescheduled. Inbound phone services are still disrupted at three facilities, and wait times for donors may be longer than usual. Expect a push in the near future for donations to make up for the loss of donations during the service disruption. No ransomware gang has taken credit for the attack, nor is it yet known if any data was exfiltrated.

Lee Neely

Seeing as ransomware events continue to surge, it serves as a reminder for organizations to run tabletop exercises for loss of key services. NYBCe key services were down for 5+ days. For your organization, is that amount of downtime acceptable? If not, then testing manual processes should be part of the tabletop exercise.

Curtis Dukes

2025-01-31

Connecticut Community Health Center Discloses Breach

On January 30, 2025, Connecticut's Community Health Center (CHC) published a notice disclosing a data breach. Cybersecurity experts brought in to investigate "unusual activity" found evidence of unauthorized network access and possible theft of patient health record data, which may include "name, date of birth, address, phone number, email, diagnoses, treatment details, test results, Social Security Number (SSN), and health insurance information," as well as "gender, race, [and] ethnicity," and "[vaccine] guarantor name and vaccine type, dose and date administered," depending on treatment history. Data were neither deleted nor encrypted for extortion, and daily operations were not impacted. While the notice states that the cybersecurity contractor "stopped the criminal hacker's access within hours," a concurrent filing with the Maine attorney general clarifies that the breach began in October 2024 but was not discovered and remediated until January 2, 2025. CHC has tightened security and implemented software to detect future threats, and is also offering 24 months of credit monitoring, "a $1,000,000 insurance reimbursement policy," and assistance recovering from identity theft.

Editor's Note

Hackers are fond of the "I didn't know the gun was loaded" defense. In truth it is very difficult for them to appreciate the potential and extent of the consequences of their actions. While this might make a prudent person cautious, it clearly is not doing so. Healthcare continues to be a preferred target. It should be obvious to anyone that attacks against healthcare put patients at risk of life and limb. The ignorance defense clearly does not apply here.

William Hugh Murray

Kudos to CHC's CEO for an honest and transparent message, as well as offering 24 months of protection instead of the more common 12. Of note, there appears to be a new move by ransomware groups where instead of encrypting the target's systems, they are stealing data and extorting the owners, which can be particularly effective when PHI/PII is involved. You may want to update your response plan accordingly.

Lee Neely

Looks like an opportunity for the company to work on its incident response messaging or be a bit more precise about when it stopped access to company systems.

Curtis Dukes

The Rest of the Week's News
2025-02-03

UK Government Proposes Code of Practice for AI Security

The UK government has published a policy paper, Code of Practice for the Cyber Security of AI, which was created with the intent to 'give businesses and public services the confidence they need to harness AI's transformative potential safely.' The Code of Practice comprises 13 principles, which are grouped into categories of secure design, secure development, secure deployment, secure maintenance, and secure end-of-life. The paper states, 'We believe a Code focused specifically on the cyber security of AI is needed because AI has distinct differences to software. These include security risks from data poisoning, model obfuscation, indirect prompt injection and operational differences associated with data management.'

Editor's Note

Tools are tools and software is software. Software is notorious for poor quality, and that is a problem that has resisted many initiatives to solve it. While one may well appreciate this initiative, one suspects that it will end up in the same dustbin as those that have gone before it.

William Hugh Murray

The intent is to create a voluntary code of practice which will be used to create a global standard in ETSI, which sets baseline security requirements for AI. In the UK guidance, each of the 13 principles includes relevant standards and publications at the start to help connect that guidance to this code, making it more relevant to other guidance we're already incorporating into our system lifecycle.

Lee Neely

2025-02-03

Italy and Texas Ban DeepSeek over Privacy Concerns

On January 30, 2025, the Garante, Italy's data privacy regulator, blocked the country's access to DeepSeek. The Garante had insisted on disclosure of the company's data policies: the purpose and legal basis of the data collection, what data are collected and from where, whether users are notified about their data being used, whether data are scraped from the internet, and where the data are stored. Answers from Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence were characterized as "completely insufficient," including a declaration that the companies do not operate in Italy and that European laws do not apply to them. In 2023 the Garante temporarily banned ChatGPT and fined the company €15 million over violations of the EU's General Data Protection Regulation (GDPR). Groups in Ireland and Belgium are also launching investigations of DeepSeek's collection and use of EU citizens' data. Additionally, DeepSeek is one of six "social media applications that pose a security risk to the State of Texas," banned on all the state's governmental devices after a January 31 proclamation by Governor Greg Abbott. Among other precedents and explanations for the ban, the proclamation cites China-based social media companies' obligations to render user data to the government upon request under PRC law.

Editor's Note

You don't want to be in the middle of a data sovereignty battle. That, coupled with data leaks and attacks on the service, means it'd be smart to take a pause from DeepSeek. Make sure that you understand where your data is both processed and stored for service offerings, and make sure that they are following relevant data privacy laws. These should be independently verified, not self-reported.

Lee Neely

2025-01-30

DeepSeek Database Left Unsecured

Wiz Research has published a blog post describing their discovery of a "publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations," potentially allowing unauthenticated privilege escalation, and including the completely unsecured exposure of "over a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information." The researchers note that while they avoided intrusive inquiries in the interest of ethical practices, it is possible an attacker could steal plaintext passwords and proprietary information directly from the server using SQL queries. According to WIRED, the researchers had no better luck receiving replies from DeepSeek than the press or other organizations, but within a half hour of "[sending] information about the discovery ... to every DeepSeek email address and LinkedIn profile they could find or guess," the database had ostensibly been secured. Wiz concludes by emphasizing that AI is vulnerable to fundamental security risks that may be overlooked due to "futuristic" conceptions and the unprecedented rapidity with which the technology is being adopted.

Editor's Note

The flaw allows an unauthenticated attacker to directly execute arbitrary SQL queries via the HTTP interface, to include privilege escalation. As our developers are under extreme pressure to deliver, particularly anything even remotely AI-related, make sure that you've got their back to ensure the security basics aren't overlooked/skipped. Don't enable "unforgivable flaws." If you're a DeepSeek user, you need to change your credentials, both login and API keys. Give a thought to updating any saved payment methods.

Lee Neely

Even AI needs the practical application of cybersecurity best practices. As the new 'AI kid' on the block they will continue to be poked and prodded by security researchers. Best to follow established cybersecurity guidance as published by NIST, ISO, and the Center for Internet Security for securing their digital assets.

Curtis Dukes
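
The exposure described in this item comes down to two settings: the database bound to a public address and its built-in `default` user having no password. The following is an added configuration example, not material from DeepSeek or from the Wiz write-up, showing the weak form and a hardened form of the relevant ClickHouse server settings (`listen_host` in `config.xml`, the `default` user in `users.xml`). The file paths, the internal subnet and the password hash are placeholders.

```xml
<!-- config.xml, WEAK: the HTTP (8123) and native (9000) interfaces accept connections on every address -->
<clickhouse>
    <listen_host>::</listen_host>
    <http_port>8123</http_port>
    <tcp_port>9000</tcp_port>
</clickhouse>

<!-- users.xml, WEAK: the built-in default user has an empty password, is reachable from any source
     address, and may create other users and grant privileges (access_management) -->
<clickhouse>
    <users>
        <default>
            <password></password>
            <networks><ip>::/0</ip></networks>
            <profile>default</profile>
            <quota>default</quota>
            <access_management>1</access_management>
        </default>
    </users>
</clickhouse>

<!-- config.xml, HARDENED: listen on loopback only; reach the server through a VPN or an
     authenticating reverse proxy rather than exposing 8123/9000 directly -->
<clickhouse>
    <listen_host>127.0.0.1</listen_host>
    <listen_host>::1</listen_host>
    <http_port>8123</http_port>
    <tcp_port>9000</tcp_port>
</clickhouse>

<!-- users.xml, HARDENED: a password hash is required, source networks are restricted to loopback
     and one internal subnet (placeholder value), and the account cannot manage other users -->
<clickhouse>
    <users>
        <default>
            <!-- generate with: echo -n 'REPLACE_WITH_STRONG_PASSWORD' | sha256sum -->
            <password_sha256_hex>REPLACE_WITH_SHA256_HEX_OF_PASSWORD</password_sha256_hex>
            <networks>
                <ip>127.0.0.1</ip>
                <ip>::1</ip>
                <ip>10.0.0.0/8</ip> <!-- placeholder: application subnet only -->
            </networks>
            <profile>default</profile>
            <quota>default</quota>
            <access_management>0</access_management>
        </default>
    </users>
</clickhouse>
```

A quick check after restarting the server is to request `http://<host>:8123/` from a machine outside the allowed networks: the hardened configuration refuses the connection at the network layer, and from an allowed address any query without credentials is rejected with an authentication error rather than executed.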

2025-02-03

PyPI Project Archival Aims to Improve Supply Chain Security

The Python Package Index (PyPI) has introduced support for project archival, which allows maintainers to indicate that future updates to the identified project are unlikely. Archived projects will continue to be hosted on PyPI, but the designation 'allows users to make better decisions about which packages they depend on, especially regarding supply-chain security, since archived projects clearly signal that no future security fixes or maintenance should be expected.' Facundo Tuesca, Senior Engineer at Trail of Bits, writes, 'Project archival is just the beginning: we're also looking into additional maintainer-controlled project statuses, as well as additional PyPI features to improve both upstream and downstream experiences when handling project "lifecycles."'

Editor's Note

Identifying end-of-life/development for projects is important not only for dependency on the functions provided, but also for knowing if any issues will be resolved. This will require developers to check for that archived status as well as to raise the important question of what to do when that functionality is required, e.g., finding a replacement package, taking over the development of that package, or creating a replacement. You may want to have that strategy, or at least an approach in place, before you find out you need it.

Lee Neely

By default, open-source software comes with few warranties or commitments. This initiative simply makes that explicit.

William Hugh Murray
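
Checking for the archived status as part of a dependency review, as Lee Neely's note suggests, is easy to automate. The script below is an added example, not code from PyPI or Trail of Bits. It assumes that a project's status is exposed in the PyPI Simple API JSON response under a `project-status` object with a `status` field (the layout proposed in PEP 792); if your index exposes the status differently, only `extract_status` needs to change. The requirements text and the index responses in the block are constructed sample data so that it runs offline; `fetch_simple_json` is the one function that talks to a live index.

```python
"""Flag archived (or otherwise inactive) PyPI dependencies listed in a requirements file.

Added example, not PyPI's or Trail of Bits' code. Assumption: the Simple API JSON
document carries a "project-status" object with "status" and optional "reason"
keys (PEP 792 layout). Adjust extract_status() if your index differs.
"""
import json
import re
import urllib.request

SIMPLE_JSON = "application/vnd.pypi.simple.v1+json"
WARN_STATUSES = {"archived", "quarantined", "deprecated"}


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return normalised package names from requirements.txt-style text.

    Comments, pip options (lines starting with '-') and blank lines are ignored;
    version specifiers and environment markers after the name are dropped.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def extract_status(simple_doc):
    """Return (status, reason) from a Simple API JSON document; 'active' when no status is present."""
    status = simple_doc.get("project-status") or {}
    return status.get("status", "active"), status.get("reason")


def fetch_simple_json(name, index="https://pypi.org/simple/"):
    """Fetch the Simple API JSON document for one project from a live index (assumed layout)."""
    req = urllib.request.Request(index + name + "/", headers={"Accept": SIMPLE_JSON})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit(requirements_text, fetch=fetch_simple_json):
    """Return {name: (status, reason)} for every dependency whose status warrants attention."""
    findings = {}
    for name in parse_requirements(requirements_text):
        status, reason = extract_status(fetch(name))
        if status in WARN_STATUSES:
            findings[name] = (status, reason)
    return findings


# Constructed sample input: a small requirements file with a comment, a marker and a pip option.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.32.3
Old_Package>=1.0 ; python_version < "3.12"
-e git+https://example.invalid/repo.git#egg=ignored
"""

# Constructed stand-in for index responses, keyed by normalised project name.
SAMPLE_INDEX = {
    "requests": {"name": "requests", "files": []},
    "old-package": {
        "name": "old-package",
        "files": [],
        "project-status": {"status": "archived", "reason": "No longer maintained"},
    },
}


def fake_fetch(name):
    """Offline replacement for fetch_simple_json backed by SAMPLE_INDEX."""
    return SAMPLE_INDEX[name]


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_REQUIREMENTS, fetch=fake_fetch).items():
        print(f"{name}: {status}" + (f" ({reason})" if reason else ""))
```

Run against a real index by calling `audit(open("requirements.txt").read())` with the default fetcher; in a CI job, a non-empty result is the signal to decide between replacing the package, taking over its maintenance, or accepting the risk explicitly.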

2025-01-31

Mirai Variant Exploits Known Flaw in Mitel Phones

Researchers from the Akamai Security Intelligence and Response Team (SIRT) have identified a Mirai variant, Aquabotv3, that exploits a known command injection vulnerability in certain Mitel phones in an attempt to corral the devices into a botnet capable of launching distributed denial-of-service (DDoS) attacks. The researchers note that the malware variant includes a feature they have not previously observed in Mirai: 'a function (report_kill) to report back to the command and control (C2) when a kill signal was caught on the infected device.' The Mitel vulnerability, CVE-2024-41710, was disclosed last summer.

Editor's Note

This is a clever use of harnessing a pivot point in an environment. We often forget that many of these devices are running many of the *nix tools we run on many of our machines. Phone systems are usually overlooked because the phones still ring. Patch these, and ask yourself: should these be on my standard data network? Should I have a separate phone network?

Moses Frost

CVE-2024-41710, a command injection flaw with a CVSS score of 6.8, impacts the Mitel 6800, 6900 and 6900w series IP phones through R6.4.0.136. There are no mitigations or workarounds; the fix is to update to 4.6 HF2 or later (R6.4.0.137), which was released last July. Make sure that your Mitel devices have completed the update process.

Lee Neely

2025-01-29

UK National Audit Office Finds Cybersecurity Issues with Government IT Systems

A report from the UK's National Audit Office (NAO) 'examines whether the government's efforts to improve its cyber resilience are keeping pace with the cyber threat it faces.' In a 2022 Cyber Security Strategy, the UK government said its 'central aim [was] for government's critical functions to be significantly hardened to cyber attack by 2025.' The audit report published last week suggests that the government will not meet that goal, due in large part to dependence on legacy systems, and noted that 'departments have no fully funded remediation plans for half of these vulnerable systems.' NAO examined 58 critical UK government IT systems and found 'significant gaps in their system controls that are fundamental to their cyber resilience.'

Editor's Note

The goal of the efforts to secure systems was to have their entire public sector IT portfolio resistant to known vulnerabilities and attack methods no later than 2030. Instead, auditors found nearly half the IT budget was being spent on supporting legacy systems. While it's difficult and expensive to migrate legacy systems to more modern implementation, at some point they are not supportable, nor sufficiently robust to co-exist with the current threat environment. Public or private sector, lifecycle planning has to be included from inception, with support from the top. It requires discipline and retooling, from IT to developers to end-users. Start with the first critical controls, know what you have (hardware), and what it does (software), and how it's protecting (what) data; from there you can start looking to improve it.

Lee Neely

The report isn't surprising. Every government, not just the UK, must deal with protecting legacy systems. Couple that with lack of funding, and the cybersecurity strategy always falls apart. I suppose the NAO report, as with GAO reports here in the US, will be filed away and a couple years from now we'll talk about lack of cyber resilience in government with release of a new audit report. Bottom line, it isn't a priority of UK government leadership, and their jobs don't appear to be at risk.

Curtis Dukes

The auditors are doing their job and finding what we all expect. Indeed it was a UK auditor that coined the mantra "I found it, they fixed it."

William Hugh Murray

2025-01-31

Tata Technologies Suffers Ransomware Attack

On Friday, January 31, Tata Technologies reported a cybersecurity incident to the National Stock Exchange of India. According to the letter, a ransomware incident prompted the multinational company to temporarily suspend some of their IT services. Those services have since been restored. Tata Technologies is a subsidiary of Tata Motors; they focus on automotive design, aerospace, and industrial engineering, and have operations in 27 countries.

Editor's Note

While the strain and identity of the ransomware gang remain closely held, security researchers at Hudson Rock detected information from 107 Tata Technologies employees and 699 of their customers. In January, Tata Communication, another Tata Group subsidiary, listed ransomware attacks as a top cyber threat in their Quarterly Executive Threat Report 2024, and back in October 2022, the now defunct Hive ransomware gang took credit for an attack against Tata Power, yet another subsidiary of the Tata Group, leaking IP, financial and banking records as well as personal client information. The point is, if your subsidiaries are seeing ransomware as a top threat, you need to take action across the board to prevent it from succumbing.

Lee Neely

Internet Storm Center Tech Corner

SANS ISC StormCast Tuesday, February 4, 2025

Crypto Scam; Mediatek and D-Link Patches; Microsoft ends VPN Service

https://isc.sans.edu/podcastdetail/9308

Crypto Wallet Scam

YouTube spam messages leak private keys to crypto wallets. However, these keys cannot be used to withdraw funds. Victims are scammed into depositing "gas fees" which are then collected by the scammer.

https://isc.sans.edu/diary/Crypto+Wallet+Scam/31646

Mediatek Patches

Mediatek patched numerous vulnerabilities in its WLAN products. Some allow for unauthenticated arbitrary code execution.

https://corp.mediatek.com/product-security-bulletin/February-2025

D-Link Vulnerability

D-Link disclosed a vulnerability in older routers that, as of May, no longer receive any updates. Your only option is to upgrade the hardware.

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415

Microsoft Discontinues VPN Service

Microsoft is shutting down the VPN service that was included as part of Microsoft Defender.

https://support.microsoft.com/en-au/topic/end-of-support-privacy-protection-vpn-in-microsoft-defender-for-individuals-8b503da5-732a-4472-833a-e2ddca53036a

SANS ISC StormCast Monday, February 3, 2025

Automating Cyber Ranges; Deepseek Scams; PyPi Archived State; Medical Backdoors

https://isc.sans.edu/podcastdetail/9306

To Simulate or Replicate: Crafting Cyber Ranges

Automating the creation of cyber ranges. This will be a multi-part series, and this part covers creating the DNS configuration in Windows.

https://isc.sans.edu/diary/To+Simulate+or+Replicate+Crafting+Cyber+Ranges/31642

Scammers Exploiting DeepSeek Hype

Scammers are using the hype around DeepSeek, and some of the confusion caused by its site not being reachable, to scam users into installing malware. I am also including a link to a "jailbreak" of DeepSeek (this part was not covered in the podcast).

https://www.welivesecurity.com/en/cybersecurity/scammers-exploiting-deepseek-hype/

https://lab.wallarm.com/jailbreaking-generative-ai/

PyPI Archived Status

PyPI introduced a new feature to mark projects as archived. This implies that the author is no longer maintaining the particular package.

https://blog.pypi.org/posts/2025-01-30-archival/

ICS Medical Advisory: Contec Patient Monitor Backdoor

An interesting backdoor was found in a Contec patient monitor.

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01