11/15/2019 Exotic attacks are blurring the boundary between MRI/CT images, malware and life-threatening cancer research and diagnosis - Forescout

EXOTIC ATTACKS ARE BLURRING THE BOUNDARY BETWEEN MRI/CT IMAGES, MALWARE AND LIFE-THREATENING CANCER RESEARCH AND DIAGNOSIS
May 6, 2019
By Aveek Das (https://www.forescout.com/company/blog/author/aveek-das/) (Staff Security Researcher at Forescout), Arun Raghuramu (https://www.forescout.com/company/blog/author/arun-raghuramu/) (Sr. Staff Security Researcher), Mario Dagrada (https://www.forescout.com/company/blog/author/mario-dagrada/) (Researcher), Oren Nechushtan (https://www.forescout.com/company/blog/author/oren-nechushtan/) (Sr. Director of Research), and Alex Eisen (https://www.forescout.com/company/blog/author/alex-eisen/) (Sr. Director of Security Research)
Digital Imaging and Communications in Medicine (DICOM) is a 30 year old standard for medical imaging exchange and storage that is prevalent in modern inpatient and acute trauma centers like hospitals, where expensive imaging equipment is common. Think of DICOM format like JPEG—it’s how medical images like x-rays are stored digitally. DICOM is at the center of two novel attack methods related to medical imaging that were exposed in April. The first method was uncovered by a team of researchers from Ben-Gurion University (https://arxiv.org/pdf/1901.03597.pdf) who demonstrated how their deep learning code (CT-GAN) could alter MRI and CT scan machines by erasing real cancerous nodes or adding fake evidence of such. The video of the simulated scenario (http://tinyurl.com/cancerdemovid) shows the red team deploying a rogue device in a hospital data closet (Raspberry Pi) that compromised the wireless network using a two year old KRACK vulnerability. The team then moved laterally to the server storing images and maliciously altered life-critical patient data stored in DICOM format. The second method was recently published by another research team at Cylera Labs (https://labs.cylera.com/2019/04/16/pe-dicom-medical-malware/) and allows an attacker to easily hide malware inside MRI and CT scan images. The potential impact of these two new findings on healthcare delivery organizations (HDOs) also extends to the Picture Archiving and Communication System (PACS) that stores the images.

Suddenly, protected medical records might come with malware attached, in a mind-boggling recipe where malware can’t simply be uploaded and checked against forensics and threat intel resources in the cloud like VirusTotal, because that would be a breach of the associated HIPAA-protected personal health information (PHI). Deepfaked cancer images have fooled professional doctors and can force unnecessary, expensive and life-threatening operations or as the researchers state: “An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism or even commit murder.”

When our researchers threat modeled the above attack vectors and complex “kill chain” paths of the
attack scenarios, we even envisioned the possibility of merging several distinct attacks, where the
malware Portable Executable (PE) embedded in the DICOM image could propagate as a network worm
with a payload of the CT-GAN malware necessary to carry out the cancer deep fake attack. Such a
complex attack might seem improbable, but attackers are getting increasingly creative and attacks are
getting more physical (/2019-predictions/).

How do these DICOM medical imaging attacks work?


Each DICOM .dcm image file has a header for describing the file contents. Unfortunately, the original DICOM spec allows a header that’s too open—the header format is simply not strict enough and it has enough padding to add unintended Windows PE code that escapes from the data context of the image. The resulting mutant is a hybrid file—it’s both a functioning DICOM image and a functioning Windows PE. The underlying issue is that some versions of Microsoft Windows allow non-executable files to be run from the command prompt if the file header looks like a Windows executable.

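As an added example (not code from Forescout or from the Cylera Labs research), the Python scanner below shows what the header weakness looks like from the defender's side. A DICOM Part 10 file starts with a 128-byte preamble whose content the standard does not constrain, followed by the magic "DICM" at offset 128; a preamble that opens with the PE signature "MZ" is therefore the tell-tale of a DICOM/PE hybrid. The scanner inspects only the header, never interprets or runs the data set, and returns a SHA-256 that can be checked against threat intelligence without uploading the PHI-bearing image. All sample files, including the one whose preamble begins with "MZ", are constructed inline and are neither real images nor real malware.

```python
# Added example (not code from Forescout or Cylera): a defender-side scanner for DICOM
# Part 10 files whose 128-byte preamble carries a Windows PE signature.
# Per DICOM PS3.10, a .dcm file starts with a 128-byte preamble of unconstrained content,
# followed by the 4-byte magic b"DICM" at offset 128. Because the preamble is free-form,
# it can also hold the start of a PE header; the scanner flags that case and returns a
# SHA-256 that can be looked up in threat intelligence without uploading the image itself.
import hashlib
from dataclasses import dataclass

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"
PE_MAGIC = b"MZ"  # DOS header signature every Windows PE file starts with


@dataclass
class ScanResult:
    is_dicom: bool            # b"DICM" present at offset 128
    preamble_is_blank: bool   # all-zero preamble (the common case, not mandated by the spec)
    has_pe_signature: bool    # preamble begins with b"MZ"
    sha256: str               # hash of the whole file, for threat-intel lookup

    @property
    def suspicious(self) -> bool:
        return self.is_dicom and self.has_pe_signature


def scan_dicom(data: bytes) -> ScanResult:
    """Inspect the file header only; nothing in the data set is interpreted or executed."""
    preamble = data[:PREAMBLE_LEN]
    magic = data[PREAMBLE_LEN:PREAMBLE_LEN + len(DICM_MAGIC)]
    is_dicom = len(data) >= PREAMBLE_LEN + len(DICM_MAGIC) and magic == DICM_MAGIC
    blank = preamble == b"\x00" * PREAMBLE_LEN
    has_pe = preamble.startswith(PE_MAGIC)
    return ScanResult(is_dicom, blank, has_pe, hashlib.sha256(data).hexdigest())


def classify(data: bytes) -> str:
    """Map a scan to a verdict string a monitoring pipeline can act on."""
    r = scan_dicom(data)
    if not r.is_dicom:
        return "not-dicom"
    if r.has_pe_signature:
        return "suspicious-pe-preamble"
    if not r.preamble_is_blank:
        return "nonblank-preamble"   # legitimate for some vendors, but worth a closer look
    return "clean"


def _constructed_dataset() -> bytes:
    # Constructed stand-in for the bytes after the magic: a single File Meta element,
    # (0002,0010) Transfer Syntax UID, explicit VR little endian, 20-byte padded value.
    return b"\x02\x00\x10\x00UI\x14\x001.2.840.10008.1.2.1\x00"


# Constructed samples (not real images, not real malware).
CLEAN_DICOM = b"\x00" * PREAMBLE_LEN + DICM_MAGIC + _constructed_dataset()
# Only the two-byte PE signature is modelled; the rest of the preamble is filler.
PE_PREAMBLE_DICOM = PE_MAGIC + b"\x00" * (PREAMBLE_LEN - 2) + DICM_MAGIC + _constructed_dataset()
VENDOR_PREAMBLE_DICOM = b"VENDOR-NOTE".ljust(PREAMBLE_LEN, b"\x00") + DICM_MAGIC + _constructed_dataset()
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 200

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_DICOM), ("pe-preamble", PE_PREAMBLE_DICOM),
                       ("vendor-preamble", VENDOR_PREAMBLE_DICOM), ("png", PNG_FILE)]:
        r = scan_dicom(blob)
        print(f"{name:16} {classify(blob):24} sha256={r.sha256[:16]}...")
```

The "nonblank-preamble" verdict is deliberately separate from "suspicious-pe-preamble": some vendors put their own data in the preamble, so a blanket "non-zero preamble" rule would drown a PACS operator in false positives, while the "MZ" check targets exactly the hybrid-file case.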
This tactic isn’t exactly new. For example, it’s widely understood that images can even have live scripting code (e.g., PHP) that can be executed on a web server that’s parsing and processing the image data stream—escaping from this data context is what injection is all about. The underlying issue is that writing parsers is hard and there have been major issues in parsers of all image types including PNG, JPG, GIF and TIFF across many languages and vendor products. Related, the fascinating field of steganography—hiding data in images, not seen to the human eye—has been around since the beginning of the digital file format age.


Malware that lives in HIPAA-protected neighborhoods
What’s particularly interesting is that this DICOM malware resides in the protected garden of HIPAA-regulated data stores. That makes discussion of this malware even more entangling than discussion of zero-day PDF exploits or advanced industrial AutoCAD malware.

Researching DICOM in Forescout Device Cloud


The Forescout platform provides device visibility and automated control to effectively manage cyber,
operational and compliance risks while increasing security operations productivity. To better
understand the context and kinds of devices impacted, Forescout researchers referenced the
Forescout Device Cloud to determine the kinds of top DICOM-enabled devices and better understand
the nature of Windows versus non-Windows in DICOM and PACS environments. We researched more
than 2,000 DICOM-related devices to draw our conclusions.

What we found was that nearly three quarters of the devices were categorized as imaging devices, and the majority of the remainder consisted of PACS systems and imaging workstations. Unsurprisingly, we also found that most of the devices were running a Windows Operating System (OS).

Mitigations and best practices for securing DICOM devices
Any connected medical devices, especially DICOM, must be segmented and monitored, updated with Antivirus (A/V) and Endpoint Detection and Response (EDR) and eventually upgraded as the DICOM protocol is redesigned or hardened. Encrypting DICOM using TLS is the current best practice but may prove difficult and disruptive to deploy and manage. Encryption of DICOM in transit is not enough to prevent the attack if the malware can be delivered through other means such as email or a USB drive.

One common issue is that most Human Machine Interfaces (HMIs) are Windows workstations that are
monitoring and controlling medical devices. These workstations are often behind in updates and are
shared by many users that potentially abuse corporate policies (e.g., checking personal email, browsing
social media), opening the doors to the inadvertent introduction of malware to the internal network.

In the case of the CT-GAN scenario, prior to the image manipulation attack there may be warning signs from the rogue devices introduced to the network. Forescout Rogue Device Detection can alert administrators to take action on spoofed MAC attempts. Wireless network hygiene can prevent attackers from passively snooping from a nearby location. To help mitigate the wireless KRACK vulnerability, we released a custom detection last year (/platform/announcements/bad-rabbit-ransomware-infestation/), SPT VR KRACK.

Those responsible for securing connected medical devices and HDO networks should carefully
consider lateral movement attacker opportunities, especially for Windows devices, and leverage the
MITRE ATT&CK framework (https://mitre-attack.github.io/attack-navigator/enterprise/) to discuss
Exploitation of Remote Services (e.g., remote desktop protocol (RDP)) and Windows Admin Shares (e.g.,
SMB). In particular, SMB has been in the spotlight with WannaCry attacks and the Orangeworm Group
targeting Healthcare.

Forescout customers can create custom technical policies to detect devices that communicate with the
DICOM protocol. The following are classification checks for the presence of DICOM Application Entity
fields or DICOM Implementation Class UID fields:
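The policy screenshots do not survive in this copy of the post, so as an added example (not a Forescout policy and not product code) the Python below builds and parses a DICOM A-ASSOCIATE-RQ PDU, the message a DICOM client such as a modality sends to open an association with a PACS, and pulls out the fields a classification check keys on: the Called and Calling Application Entity titles and the Implementation Class UID sub-item of the User Information item. PDU and item layouts follow DICOM PS3.8. The AE titles, the Implementation Class UID "1.2.3.4.5.6.7.8" and the version name in the sample PDU are constructed placeholders, not values observed on any device.

```python
# Added example (not Forescout policy logic): build and parse a DICOM A-ASSOCIATE-RQ PDU
# and extract the fields a DICOM classification check looks for. Layouts per DICOM PS3.8;
# every value in the sample traffic below is constructed.
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

PDU_A_ASSOCIATE_RQ = 0x01
ITEM_APPLICATION_CONTEXT = 0x10
ITEM_PRESENTATION_CONTEXT = 0x20
ITEM_USER_INFORMATION = 0x50
SUBITEM_MAX_LENGTH = 0x51
SUBITEM_IMPL_CLASS_UID = 0x52
SUBITEM_IMPL_VERSION_NAME = 0x55
DICOM_APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"  # the single application context DICOM defines
FIXED_HEADER_LEN = 68  # version(2) + reserved(2) + called AE(16) + calling AE(16) + reserved(32)


@dataclass
class AssociateRequest:
    called_ae: str
    calling_ae: str
    application_context: Optional[str] = None
    implementation_class_uid: Optional[str] = None
    implementation_version: Optional[str] = None


def _item(item_type: int, payload: bytes) -> bytes:
    # Items and sub-items share one layout: type, reserved byte, 16-bit big-endian length.
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _iter_items(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    off = 0
    while off + 4 <= len(buf):
        item_type, _, length = struct.unpack_from(">BBH", buf, off)
        yield item_type, buf[off + 4:off + 4 + length]
        off += 4 + length


def build_associate_rq(called_ae: str, calling_ae: str, impl_uid: str, impl_version: str) -> bytes:
    """Assemble a minimal, well-formed A-ASSOCIATE-RQ (used here only to create sample input)."""
    items = _item(ITEM_APPLICATION_CONTEXT, DICOM_APPLICATION_CONTEXT.encode())
    # One presentation context: id 1, Verification SOP Class, implicit VR little endian.
    pc = bytes([1, 0, 0, 0]) + _item(0x30, b"1.2.840.10008.1.1") + _item(0x40, b"1.2.840.10008.1.2")
    items += _item(ITEM_PRESENTATION_CONTEXT, pc)
    user_info = _item(SUBITEM_MAX_LENGTH, struct.pack(">I", 16384))
    user_info += _item(SUBITEM_IMPL_CLASS_UID, impl_uid.encode())
    user_info += _item(SUBITEM_IMPL_VERSION_NAME, impl_version.encode())
    items += _item(ITEM_USER_INFORMATION, user_info)
    body = (struct.pack(">HH", 1, 0)  # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii") + calling_ae.ljust(16).encode("ascii")
            + b"\x00" * 32 + items)
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, len(body)) + body


def _text(payload: bytes) -> str:
    return payload.decode("ascii", "replace").rstrip("\x00 ")


def parse_associate_rq(pdu: bytes) -> Optional[AssociateRequest]:
    """Return the classification-relevant fields, or None if this is not a complete A-ASSOCIATE-RQ."""
    if len(pdu) < 6 + FIXED_HEADER_LEN or pdu[0] != PDU_A_ASSOCIATE_RQ:
        return None
    (length,) = struct.unpack_from(">I", pdu, 2)
    body = pdu[6:6 + length]
    if len(body) < FIXED_HEADER_LEN or len(body) != length:  # truncated or length lies
        return None
    (version,) = struct.unpack_from(">H", body, 0)
    if not version & 1:  # bit 0 = protocol version 1, the only version defined
        return None
    req = AssociateRequest(called_ae=_text(body[4:20]), calling_ae=_text(body[20:36]))
    for item_type, payload in _iter_items(body[FIXED_HEADER_LEN:]):
        if item_type == ITEM_APPLICATION_CONTEXT:
            req.application_context = _text(payload)
        elif item_type == ITEM_USER_INFORMATION:
            for sub_type, sub in _iter_items(payload):
                if sub_type == SUBITEM_IMPL_CLASS_UID:
                    req.implementation_class_uid = _text(sub)
                elif sub_type == SUBITEM_IMPL_VERSION_NAME:
                    req.implementation_version = _text(sub)
    return req


def is_dicom_association(pdu: bytes) -> bool:
    """Classification check: DICOM application context plus a present Implementation Class UID."""
    req = parse_associate_rq(pdu)
    return (req is not None and req.application_context == DICOM_APPLICATION_CONTEXT
            and bool(req.implementation_class_uid))


# Constructed sample traffic: AE titles, UID and version name are placeholders, not real devices.
SAMPLE_RQ = build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_01", "1.2.3.4.5.6.7.8", "EXAMPLE_IMPL_1")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n" + b"\x00" * 80

if __name__ == "__main__":
    print(parse_associate_rq(SAMPLE_RQ))
    print("dicom?", is_dicom_association(SAMPLE_RQ), is_dicom_association(SAMPLE_HTTP))
```

Because the association request is sent in the clear unless DICOM is wrapped in TLS, a passive sensor on a SPAN port can classify a device this way without touching the device. The Implementation Class UID and version name also identify the vendor software stack, which is what an inventory needs in order to tie a modality or PACS to the Windows-versus-non-Windows split discussed above.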
In theory, it may be technically possible to parse DICOM traffic, extract the potentially infected image and then either attempt to run it in a sandboxed environment or check its hash against known threat intelligence sources, but the attacks Cylera describes actually do not mention malicious DICOM data in transit. Only proof of concept #3 propagates, but it does so using a common Windows weakness: SMB. In the case of CT-GAN, the malware can be delivered via many network avenues that should be monitored by intrusion prevention.


This approach is valuable for post-incident forensics analysis but not viable for securing a real network with large image throughput. Protection from this kind of attack can still be achieved using traditional Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) for detecting typical malware patterns such as C2C communications and exploitations of known vulnerabilities for beaconing. These patterns are likely to be leveraged especially in the healthcare domain where the main attacker goal is often data exfiltration (e.g., C2C) and the IT infrastructure is known to have unpatched vulnerabilities. Some of these capabilities are available within the Forescout platform thanks to its recent acquisition and integration of the powerful SilentDefense OT monitoring solution.
