Full Report
Following last month’s research on a new campaign by the Chinese threat actor Silver Fox, which exploited Philips... The post Forescout widens research on Silver Fox hackers, reveals malware clusters targeting healthcare through DICOM, HL7 exploits appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Silver Fox (Attribution based on preceding research context)
## Attribution & Identity
Attributed as a **Chinese threat actor** on the basis of its association with historically Chinese malware (Panda Burning Incense) and of an IP address, flagged by CISA as linked to China, that the Mindray CMS connects to. The current analysis is an extension of previous research on the Silver Fox campaign.
Associated groups/malware clusters detected:
1. Cluster associated with **Floxif/Pioneer** infection of Siemens software.
2. Cluster associated with **Panda Burning Incense** (also known as Fujacks) infecting Mindray CMS.
3. Botnet samples abusing credentials for **GE Healthcare MUSE CIS**.
## Activity Summary
The research identified malware targeting healthcare systems by examining submissions to VirusTotal, looking specifically for known medical software names, abuse of default credentials, and protocol interaction (such as DICOM). Three significant malware clusters were detected:
1. **19 instances** of **Siemens syngo fastView DICOM viewers** infected with **Floxif/Pioneer**. These infections were mostly submitted between November and December 2024 from the US or Canada, likely on patients' personal computers.
2. One instance of **Mindray Central Monitoring Station (CMS)** infected with **Panda Burning Incense/Fujacks**. This CMS sample exhibited command and control behavior matching a 2019 variant.
3. **Two botnet samples** abusing credentials for **GE Healthcare MUSE Cardiology Information Systems (CIS)**.
The overall activity highlights the exploitation of legitimate but often unmaintained software (e.g., old Siemens DICOM viewers) and the abuse of default credentials in connected medical systems.
## Tactics, Techniques & Procedures
- **Masquerading:** Abusing known software names (Siemens DICOM viewer, Mindray CMS) to appear legitimate within the environment.
- **Initial Access/Persistence:** Exploiting known default credentials to gain a foothold.
- **Code Injection/Infection:** Utilizing **Portable Executable (PE) infectors** (like Floxif/Pioneer) to attach harmful code to legitimate Windows executable files.
- **Lateral Movement/Execution:** Downloading and executing further malware payloads.
- **Protocol Interaction (Indirect):** While no samples were found *directly* abusing DICOM or HL7, the malware resides on systems interacting with these protocols.
- **C2 Communication:** Panda Burning Incense sample communicated with known domains.
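The PE-infector technique listed above (harmful code attached to a legitimate Windows executable) leaves header-level traces that a defender can check without a signature. The following script is an added example, not code from Forescout or from the page; it applies a generic file-infector heuristic (entry point redirected into an appended, writable-and-executable section) and is not a Floxif/Pioneer signature. It parses only the PE headers with the standard library and builds two constructed, header-only PE32 images inline (a clean layout and an infected-looking one) so it runs offline.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + size_opt
    for _ in range(num_sections):
        name, vsize, va, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsize, "chars": chars})
        off += struct.calcsize(SECTION_HDR)
    return entry, sections


def entry_point_findings(data: bytes):
    """Generic infector heuristics on where the entry point lands. Empty list = nothing odd."""
    entry, sections = parse_pe(data)
    holder = None
    for idx, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            holder = idx
            break
    if holder is None:
        return ["entry point lies outside every section"]
    s = sections[holder]
    findings = []
    if len(sections) > 1 and holder == len(sections) - 1:
        findings.append(f"entry point in last section {s['name']!r} (appended-section pattern)")
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s['name']!r} is writable and executable")
    if not s["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section {s['name']!r} is not marked as code")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed header-only PE32 image for the demo; it contains no real code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> right after the DOS header
    opt_size = 224  # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table = b"".join(struct.pack(SECTION_HDR, name.ljust(8, b"\0"), size, va, size, 0, 0, 0, 0, 0, chars)
                     for name, va, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: a normal layout with the entry point inside .text.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA)], 0x1200)
# Constructed: an appended RWX section (hypothetical name ".extra") now holds the entry point.
INFECTED_LIKE_PE = build_pe([(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA),
                             (b".extra", 0x4000, 0x1000, CODE | IMAGE_SCN_MEM_WRITE)], 0x4010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected-like", INFECTED_LIKE_PE)):
        print(label, entry_point_findings(img) or ["no findings"])
```

Running it on a real file is `entry_point_findings(open(path, "rb").read())`; treat a hit as a triage prompt to compare the file's hash against the vendor's known-good release, not as proof of infection, since packers and some legitimate linkers also produce unusual entry sections.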
## Targeting
- **Sectors:** Primarily **Healthcare** (HDOs, clinical environments, patient-facing systems).
- **Geography:** Infected samples reviewed were submitted from the **US or Canada**.
- **Victims:**
* Users of **Siemens syngo fastView DICOM viewers** (likely patients using personal workstations).
* Organizations utilizing **Mindray Central Monitoring Station (CMS)**.
* Organizations utilizing **GE Healthcare MUSE Cardiology Information Systems (CIS)**.
## Tools & Infrastructure
- **Malware families used:**
* **Floxif/Pioneer:** A backdoor trojan discovered in 2012, known for infecting executables/DLLs and used previously to distribute trojanized CCleaner.
* **Panda Burning Incense (Fujacks):** A Chinese worm/malware variant, last seen in 2019, capable of downloading additional malware.
* **PE Infectors:** General term for the method used to compromise the Siemens viewers.
* **Botnet Malware:** Mentioned in relation to GE MUSE CIS infections.
- **Infrastructure (C2 domains and IPs, defanged):**
* Panda Burning Incense C2 domains: `9z9t[.]com` (no longer resolves) and `daohang08[.]com`.
* Hosting IP: `154.85.233[.]136` (Hong Kong-based, hosting `daohang08[.]com`).
* Default/Flagged CMS IP: `202.114.4[.]119` (Flagged by CISA as a potential Chinese backdoor connection point used by Mindray CMS by default).
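To make the indicators above actionable, a defender would refang them and sweep DNS and firewall logs for any contact with them. The script below is an added example, not code from Forescout or the page: it takes the four defanged indicators exactly as listed, refangs them for matching only, and runs them over a handful of constructed log lines (the `10.20.x.x` clients, timestamps and the `192.0.2.10` destination are invented test data). Subdomains of a listed domain are matched by suffix, since a C2 domain is rarely queried only at its apex.

```python
import re

# Indicators exactly as the report lists them (defanged). Descriptions are the report's.
DEFANGED_IOCS = {
    "9z9t[.]com": "Panda Burning Incense C2 domain (no longer resolves)",
    "daohang08[.]com": "Panda Burning Incense C2 domain",
    "154.85.233[.]136": "Hong Kong IP hosting daohang08[.]com",
    "202.114.4[.]119": "CISA-flagged IP contacted by Mindray CMS by default",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared with raw log fields."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


INDICATORS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_candidates(line: str):
    """Pull every IPv4 address and domain-looking token out of one log line."""
    ips = set(IP_RE.findall(line))
    domains = {d.lower() for d in DOMAIN_RE.findall(line)}
    return ips | domains


def match_line(line: str):
    """Return [(indicator, description)] for every indicator the line touches."""
    hits = []
    for cand in extract_candidates(line):
        for ioc, why in INDICATORS.items():
            # Exact match for IPs and apex domains; suffix match catches subdomains.
            if cand == ioc or cand.endswith("." + ioc):
                hits.append((ioc, why))
    return hits


def scan_logs(lines):
    """Sweep a list of log lines and return one alert dict per indicator hit."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for ioc, why in match_line(line):
            alerts.append({"line": n, "ioc": ioc, "why": why, "text": line})
    return alerts


# Constructed sample log lines (DNS resolver and firewall formats are invented for the demo).
SAMPLE_LOGS = [
    "2024-12-03T10:14:02Z dns client=10.20.5.17 query=daohang08.com type=A",
    "2024-12-03T10:14:02Z dns client=10.20.5.17 query=www.daohang08.com type=A",
    "2024-12-03T10:14:03Z fw src=10.20.5.17 dst=154.85.233.136 dport=80 action=allow",
    "2024-12-03T10:20:41Z fw src=10.20.7.9 dst=202.114.4.119 dport=443 action=allow",
    "2024-12-03T10:21:00Z dns client=10.20.5.18 query=updates.example.com type=A",
    "2024-12-03T10:22:10Z fw src=10.20.5.18 dst=192.0.2.10 dport=443 action=allow",
]

if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"line {a['line']}: {a['ioc']} -> {a['why']}")
```

In a real deployment the `202.114.4.119` hit deserves its own handling: because Mindray CMS contacts it by default, a match there points at a device configuration to review (and an egress rule to add in the IoMT segment) rather than at an already-compromised host.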
## Implications
These findings highlight that legacy software (like unmaintained DICOM viewers) and the lax security posture around interconnected medical devices (IoMT) create significant entry points for commodity malware and established threat actors. The presence of Floxif/Pioneer, a long-lived PE infector, suggests a consistent threat of file-based contamination in vulnerable endpoints. The CISA-flagged IP associated with Mindray CMS indicates a known potential backdoor vector stemming from default configurations in critical infrastructure.
## Mitigations
- **Device Identification and Classification:** Identify and classify *all* connected devices, paying special attention to systems running legacy operating systems.
- **Network Segmentation:** Implement effective segmentation to separate IT, IoT, OT, and IoMT devices. Map network flows to ensure segmentation zones are properly defined and limit unintended external communication.
- **Endpoint Security:** Correlate network traffic with endpoint telemetry for faster threat detection and response.
- **Software Management:** Review the use cases for specialized software (e.g., ensure that Siemens syngo fastView, which is unmaintained and used by patients, is not running on critical medical workstations).