Backdoor found in two healthcare patient monitors linked to IP in China

Update 2/4/25: A new report from Claroty states that they purchased the Contec CMS8000 device and, after analyzing its firmware, believe the behavior described by CISA and the FDA is actually an auto-update mechanism and not a backdoor.

According to Claroty, the manual instructs admins to configure the monitor's central monitoring center to a public IP address of 202.114.4.119, the IP address seen by CISA.

Furthermore, the researchers say that the update routine can only be triggered when booting the system and pressing a button on the device.

"Team82 was only able to trigger the update logic when booting the device AND clicking a button on the device (press 'C' main button). To the best of our knowledge, this is the only way to trigger the update logic. If true, this would require an attacker to be physically located near the device," reads the Claroty report.

"Although the full update process is VERY dangerous and risky to us, it does not appear to have malicious intent behind it, especially when considering the manual boldly refers to this IP address and white-label vendors ask users to configure their internal CMS with this IP address."

However, as the IP address specified in the manual is a public address in China, it could lead to inadvertent data leaks and takeover risks if an NFS server is running. Currently, no NFS server is configured at this IP address.

Claroty warns that the insecure design of the device's update mechanism is still a serious security concern, and the researchers created a PoC that achieves remote code execution on the device through it.

Our original article is below, and we never received a response to our questions from Contec.

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.

Contec is a China-based company that specializes in healthcare technology, offering a range of medical devices, including patient monitoring systems, diagnostic equipment, and laboratory instruments.

CISA learned of the malicious behavior from an external researcher who disclosed the vulnerability to the agency. When CISA tested three Contec CMS8000 firmware packages, the researchers discovered anomalous network traffic to a hardcoded external IP address, which is not associated with the company but rather with a university.

This led to the discovery of a backdoor in the company's firmware that would quietly download and execute files on the device, allowing for remote execution and the complete takeover of the patient monitors. It was also discovered that the device would quietly send patient data to the same hardcoded address when devices were started.

None of this activity was logged, so the malicious activity was conducted secretly without alerting administrators of the devices.

While CISA did not name the university and redacted the IP address, BleepingComputer has learned that it is associated with a Chinese university. The IP address is also hardcoded in software for other medical equipment, including a pregnancy patient monitor from another Chinese healthcare manufacturer.

An FDA advisory about the backdoor also confirmed that it was found in Epsimed MN120 patient monitors, which are relabeled Contec CMS8000 devices.

On analyzing the firmware, CISA found that one of the device's executables, 'monitor', contains a backdoor that issues a series of Linux commands that enable the device's network adapter (eth0) and then attempts to mount a remote NFS share at the hardcoded IP address belonging to the university.

The NFS share is mounted at /mnt, and the backdoor recursively copies the files from the /mnt folder to the /opt/bin folder.

The backdoor then continues to copy files from /opt/bin to the /opt folder and, when done, unmounts the remote NFS share.

"Though the /opt/bin directory is not part of default Linux installations, it is nonetheless a common Linux directory structure," explains CISA's advisory.

"Generally, Linux stores third-party software installations in the /opt directory and third-party binaries in the /opt/bin directory. The ability to overwrite files within the /opt/bin directory provides a powerful primitive for remotely taking over the device and remotely altering the device configuration."

"Additionally, the use of symbolic links could provide a primitive to overwrite files anywhere on the device filesystem. When executed, this function offers a formidable primitive, allowing for a third party operating at the hardcoded IP address to potentially take full control of the device remotely."

While CISA has not shared what these files do on the device, they said they detected no communication between devices and the hardcoded IP address, only the attempts to connect to it.

CISA says that after reviewing the firmware, they do not believe this is an automatic update feature but rather a backdoor planted in the device's firmware.

"By reviewing the firmware code, the team determined that the functionality is very unlikely to be an alternative update mechanism, exhibiting highly unusual characteristics that do not support the implementation of a traditional update feature. For example, the function provides neither an integrity-checking mechanism nor version tracking of updates. When the function is executed, files on the device are forcibly overwritten, preventing the end customer, such as a hospital, from maintaining awareness of what software is running on the device. These types of actions and the lack of critical log/auditing data go against generally accepted practices and ignore essential components for properly managed system updates, especially for medical devices."

Further lending to this being a backdoor by design, CISA found that the devices also began sending patient data to the remote IP address when the devices started.

CISA says that patient data is typically transmitted across a network using the Health Level 7 (HL7) protocol. However, these devices sent the data to the remote IP over port 515, which is usually associated with the Line Printer Daemon (LPD) protocol.

The transmitted data includes the doctor's name, patient ID, patient's name, patient's date of birth, and other information.

After contacting Contec about the backdoor, CISA was sent multiple firmware images that were supposed to have mitigated the backdoor.

However, each one continued to contain the malicious code, with the company simply disabling the eth0 network adapter to mitigate the backdoor. This mitigation does not help, though, as the script specifically enables the adapter using the `ifconfig eth0 up` command before mounting the remote NFS share or sending patient data.

Currently, there is no available patch for devices that removes the backdoor, and CISA recommends that all healthcare organizations disconnect these devices from the network, if possible.

Furthermore, the cybersecurity agency recommends organizations check their Contec CMS8000 patient monitors for any signs of tampering, such as displaying information different from a patient's physical state.

BleepingComputer contacted Contec with questions about the firmware and will update the story if we receive a response.

Why are these devices connected to the Internet? If for some reason Internet is a must, just blacklist the hardcoded IP in the firewall.

These kinds of devices, or any IoT/OT devices for that matter, should not have any 0.0.0.0 access.

Given these from 2022, these devices should have been retired a long time ago:
CVE-2022-36385: IMPROPER ACCESS CONTROLS (CWE-284)
CVE-2022-38100: UNCONTROLLED RESOURCE CONSUMPTION (CWE-400)
CVE-2022-38069: USE OF HARD-CODED CREDENTIALS (CWE-798)
CVE-2022-38453: ACTIVE DEBUG CODE (CWE-489)
CVE-2022-3027: IMPROPER ACCESS CONTROL (CWE-284)
But then again, they're 25% off right now, so you never know.

Is there also a backdoor in the software of the other devices from that company? For example, for the 24h blood pressure monitor.

This page (https://contechealth.com/products/ambulatory-blood-pressure-monitor-nibp-holter-abpm50-usb-software-24-hour-record) links to:

Software download link: www.dlsoftw.com
Index code: 05RK1069
Download code for older version: 05wq7041

File: ABPMFV534Setup.exe
CRC32: 987dfa68
MD5: bfc1376253abfb05d5de48b987be65b8
SHA1: 99412cc4fb08c0e27bc59c7f3ff09a085d244f7a
SHA256: 641bd924b7c88bde73dc4c8fea1aeeeeff60dabc87de8bd727bed7a6e1ee699d
SHA512: 88cf9bca47215611b8775a248d77b4173a0ad724b96b186434145fed5f78f5bd4f7e4505365f46c7e1be5627d033d1e6c9d0287d7e737c218e44145ecf1e9973

File: ABPMFV533Setup.exe
CRC32: b45eab17
MD5: 491d86f636717c56e1295a6a8386af45
SHA1: 375bd2c23afb25802ef2c2562b4ee69fbd281792
SHA256: ab04f2d80c9e3961e58e39c96abf36b9863bd4d6d75fa531db0d19a8b3564549
SHA512: 3bbb6d6bdcd36bf5f693f7789082f23175017aae76117a702af2a9872ee5df5fa9d48cc12654a8dab24188dd820877330bb425c2978e095cd8225c4770b95286

It's an InnoSetup, which can easily be extracted with innounp.

The headline and grammar in the article reference two healthcare patient monitors, yet I can only find information in the article regarding a Contec CMS8000; perhaps I've overlooked something. I am thinking that you intended to also address the recent FDA announcement (https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication) regarding the Epsimed MN120.

Yes, I had it in the original draft and it was removed by mistake. Adding it back. Thanks.

I can't be the only one who believes we don't have a monopoly on lazy programmers.
Let's use our critical thinking skills here.

A university IP? What do they do at universities? Is it a healthcare university? Aren't universities typically involved in R&D and have commercialization programs? In R&D, isn't there a need to collect and analyze lots of data, especially in healthcare, preferably automatically? Don't they also typically employ students within the university? Developers, especially good ones, are typically the laziest humans. Lazy equals efficient. But they're humans nonetheless. Forgetful, novice oversights. Universities, on the other hand, are bureaucratic institutions run by academics, not DevOps or SecOps veterans. And companies are profit-driven by non-tech business people who make stupid decisions. Look recently at SONOS. Cheap labor. Ignore the engineers. Ship it. What could go wrong?

Everyone jumps on the US-good/CCP-bad bandwagon without using common sense. The narrative the US pushes, that the CCP wants to track every movement of their citizens and ours, often overshadows their practical ability to do so. No different than our own government minimizing its desire to do the same and its ineptitude to do so. $500B data center to create 48h mRNA vaccines? Do they expect us to buy that BS? Especially from Larry and Sam. Larry would surveil his own mother in the bathroom. And Sam is a snake. OpenAI is open for the world good? Oh please, go f yourself.

Tech bros are dicks. Governments lie. Politicians are stupid. Democracy is theater. And Americans' privacy is a long-dead fallacy. Section 702, the Bank Secrecy Act, Snowden, TikTok, come on. Lawmakers took your privacy rights 50 years ago. And CEOs sold your data back to them and others shortly thereafter. Who reads EULAs anyway? And dead code in a heart monitor is news?

This was likely just field testing code left over and missed during code review by an underpaid undergrad. Not some nefarious plot to steal your heart rate data, which, mind you, is already freely available legally thanks to our own government (HIPAA, HITECH, and the 22 million BAA entities with their tens of millions of employees; look up limited datasets and reverse identification). God forbid you go to China for business or pleasure, get sick, and can't access your own health records. And let's not forget our own government-mandated backdoors in our telecommunications, which the CCP has been loitering in for years, that they told you were to protect you from foreign adversaries. Ben F was right. And this is just what we know about. SMFH.

Are there bad actors in the world? Yes. You elected them. Immoral, self-enriching, superstition-following, warmongering idiot puppets. Watch C-SPAN once in a while. Hackers? The good ones don't leave a trace (and that's a low bar), and most are just trying to expose the government (aka the idiots) and corporations (aka the crooks) whose EULA you agreed to but wouldn't agree with.

This is the kind of story that highlights the importance of egress control, which can be managed with an approach of Zero Trust connectivity that basically uses DNS as the root of trust and therefore disallows any connection that didn't start with an authorized query from a Protective Resolver. It is simpler than it sounds, as it is basically "Default Deny All" that is actually practical. What is needed and verified good? No problem. Anything else? Not.

So true. Control your own network ingress and egress, which hospitals with good IT should be doing already. The part that gets me in this article is the implied intent. If it was a known APT group IP, then I would raise both eyebrows. But a university? Meh. 20 years in the industry and I still get surprised by the quality of code released into the wild by US coders: the hacks, workarounds, and just plain laziness. I'm not proud; I cringe when I look at code I wrote a decade ago. "Who wrote this crap?" Oh... LMAO.

We won't have fewer of these stories coming out in the future. Even with public policy changes, we will have years and decades of legacy equipment that will never be discovered to be breached, but actual outgoing unauthorized and unintended connections can reliably be blocked in 2025.
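The behaviour the advisory describes (eth0 brought up, an NFS mount attempted against a hardcoded external address, files copied into /opt/bin, patient data sent over TCP port 515) and the egress-control point raised in the comments can both be turned into a concrete check on firewall logs. The script below is an added example, not code from CISA, Claroty, Contec or BleepingComputer. It assumes a constructed key=value log format, a constructed monitor VLAN (10.50.0.0/24), a single sanctioned HL7 destination, and the documentation addresses 203.0.113.10 and 198.51.100.7 standing in for the advisory's redacted hardcoded IP; every flow from the monitor VLAN that is not on the allow-list is reported, and sources that show the mount-then-LPD pattern are singled out.

```python
"""Egress check for a patient-monitor VLAN (added example, not vendor or CISA code)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption (constructed): the patient monitors live in this VLAN.
DEVICE_VLAN = ipaddress.ip_network("10.50.0.0/24")

# Addresses treated as internal; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption (constructed): the only sanctioned egress is HL7 over MLLP to the
# central monitoring station. Everything else is treated as "default deny".
ALLOWED_DESTINATIONS = {("10.20.0.15", 2575)}

# Ports tied to the behaviour described in the advisory.
SUSPECT_PORTS = {
    111: "portmapper (precedes an NFS mount)",
    2049: "NFS",
    515: "LPD (port the patient data was sent on)",
}

# Constructed log format; adapt the pattern to the real firewall export.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def parse_line(line):
    """Return a flow dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Reason to flag the flow, or None if it is out of scope or sanctioned."""
    if flow["src"] not in DEVICE_VLAN:
        return None
    if (str(flow["dst"]), flow["dport"]) in ALLOWED_DESTINATIONS:
        return None
    external = is_external(flow["dst"])
    if external and flow["dport"] in SUSPECT_PORTS:
        return "outbound " + SUSPECT_PORTS[flow["dport"]] + " to an external address"
    if external:
        return "unsanctioned Internet egress from the device VLAN"
    return "unsanctioned internal destination from the device VLAN"


def analyze(lines):
    """One Finding per flagged flow. Denied flows are kept on purpose: CISA saw
    only connection attempts, and a blocked attempt is still the evidence."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason is not None:
            findings.append(Finding(str(flow["src"]), str(flow["dst"]),
                                    flow["dport"], flow["action"], reason))
    return findings


def devices_matching_pattern(findings):
    """Sources that tried an NFS mount (111 or 2049) and also spoke LPD 515 externally."""
    ports_by_src = defaultdict(set)
    for f in findings:
        if f.dport in SUSPECT_PORTS and is_external(ipaddress.ip_address(f.dst)):
            ports_by_src[f.src].add(f.dport)
    return sorted(src for src, ports in ports_by_src.items()
                  if ports & {111, 2049} and 515 in ports)


# Constructed sample lines; 203.0.113.10 and 198.51.100.7 are documentation
# addresses standing in for the advisory's redacted hardcoded IP.
SAMPLE_LOG = [
    "src=10.50.0.23 dst=10.20.0.15 proto=tcp dport=2575 action=allow",   # sanctioned HL7
    "src=10.50.0.23 dst=203.0.113.10 proto=tcp dport=111 action=deny",   # portmapper attempt
    "src=10.50.0.23 dst=203.0.113.10 proto=tcp dport=2049 action=deny",  # NFS mount attempt
    "src=10.50.0.23 dst=203.0.113.10 proto=tcp dport=515 action=allow",  # LPD to external host
    "src=10.50.0.23 dst=10.20.0.99 proto=tcp dport=445 action=allow",    # internal, not allow-listed
    "src=10.60.0.5 dst=203.0.113.10 proto=tcp dport=443 action=allow",   # not a monitor; ignored
    "this line is not a flow record",                                     # malformed; skipped
    "src=10.50.0.24 dst=198.51.100.7 proto=tcp dport=443 action=allow",  # generic Internet egress
]

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.src} -> {f.dst}:{f.dport} [{f.action}] {f.reason}")
    print("mount-then-LPD pattern seen from:", devices_matching_pattern(results))
```

The allow-list is deliberately tiny: a monitor has exactly one legitimate conversation partner, so anything else from that VLAN is reportable regardless of whether the firewall permitted it. Keeping denied attempts in the output is what lets a default-deny egress policy double as the audit trail the device firmware itself never produced.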