Hackers Can Use DICOM Bug to Hide Malware in Medical Images

DICOM bug enables hackers to insert fully functioning executable code into medical images

A newly reported weakness in DICOM, a three-decade-old medical imaging standard, can be used to deliver malware inside what appears to be an ordinary image file, a researcher from Cylera has found. The malware leaves the protected health information (PHI) in the file untouched, so the file still looks like a valid study; in environments where anti-malware tools are configured to skip files that hold PHI, it can pass through unscanned.

What is DICOM?

Originally developed by the National Electrical Manufacturers Association (NEMA) and the American College of Radiology (ACR), DICOM is an international standard protocol for the management and transmission of medical images and related data, such as MRIs and CT scans. It was created to enable healthcare providers to store and easily share medical images and related patient data digitally, eliminating both hardware incompatibility issues and the need for physical films.

Today, DICOM has become the de facto standard for CT and MRI images throughout the healthcare industry. Most medical imaging equipment supports DICOM standards, along with specialized workstations that analyze scan results, and phones and tablets that can be used to view diagnostic information.

The DICOM bug

The DICOM bug is found in the Preamble, a 128-byte field at the very start of every DICOM Part 10 file, immediately before the four-byte "DICM" prefix that marks the file as DICOM. The Preamble exists for compatibility: it lets a DICOM file also carry the header of another format, such as TIFF, so that viewers that do not understand DICOM can still open the file.

It's important to note that this is not a design flaw per se but an inherent feature of the DICOM file format, meant to facilitate compatibility. By filling in the Preamble, a vendor can "trick" such viewers into treating a DICOM file as one of their supported formats, so that a healthcare provider could open an MRI file with the image viewer on a phone or tablet. The problem is that the standard imposes no structural requirements on the Preamble's contents: the field is always exactly 128 bytes, and any byte sequence can be placed there while the file remains fully compliant (only files that do not use the Preamble are expected to leave it zero-filled).

This allows hackers to do two things:

  1. Insert a header that makes the DICOM image appear to be an executable, or some other file format, to whatever reads the first bytes of the file.
  2. Place a DOS/PE executable header in the Preamble. The 128 bytes are enough for the "MZ" DOS header, and the four-byte field at offset 0x3C of that header (e_lfanew) can point to a PE header stored anywhere later in the file, for example inside a private DICOM data element. The result is a polyglot: the Windows loader sees a valid executable, while a DICOM viewer sees a valid image. Instead of a DICOM file "pretending" to be another image format, an executable "pretends" to be a DICOM file.

In either case, the PHI in the file's data elements is preserved, and the hidden executable does not give itself away with an ".exe" extension. A provider who was sent such a file would see the expected ".dcm" extension and, on opening it, the correct patient metadata; they would have no reason to suspect anything was wrong. One practical caveat: Windows does not run a ".dcm" file on double-click, so the polyglot still has to be launched as a program by something already on the host (a loader stage, a script, or a user who renames it). Its value to an attacker is as a payload that hides in plain sight on imaging servers and workstations, not as a self-starting infection.

DICOM bug takes advantage of HIPAA regulations

The scenario gets even worse when considering that in many healthcare settings anti-virus/anti-malware solutions are configured to exclude files or directories that contain PHI, out of concern that scanning or quarantining them would run afoul of HIPAA. Even if the malware were discovered, security response teams would face a quandary, again because of HIPAA: the malware and the file's PHI are welded together. Deleting the file means knowingly destroying a patient record; leaving it in place means leaving the malware where it is.

This makes the DICOM bug, which the researcher who discovered it has dubbed PE/DICOM, “the first vulnerability whose technical potency is derived from a regulatory environment in addition to a software design flaw.”

DICOM bug discovered amidst increasingly sophisticated attacks on healthcare IT systems

Unfortunately, no single vendor can issue a patch for this, and there is no one remedial action that applies to every system that supports DICOM. Fixing the DICOM bug for good would require the standard to be rewritten to constrain what the Preamble may contain (for example, zero bytes or the header of a recognized image format). Doing so while maintaining the standard's purpose, facilitating compatibility, is going to be a challenge, to say the least. In the meantime, defenders are not helpless: the Preamble is a fixed 128 bytes at a fixed offset, so a DICOM store can be checked for preambles that begin with an executable header rather than zeros or a TIFF header, and blanket anti-malware exclusions for PHI directories can be replaced with targeted ones.
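The check described above, written out as an added example (this is not code from Cylera's research or from the DICOM standard). It reads the fixed-offset Preamble, confirms the "DICM" prefix, and, if the Preamble starts with an "MZ" DOS header, follows the e_lfanew pointer at offset 0x3C to see whether it lands on a "PE\0\0" signature inside the same file. The two sample files are constructed inline: a minimal clean Part 10 file with a zeroed Preamble, and a polyglot whose PE signature sits in a private data element. The Explicit VR Little Endian encoding used to build them is real, but the private tag (0009,1010), the patient name and the truncated PE stub are arbitrary choices for the demonstration.

```python
import struct

PREAMBLE_LEN = 128          # DICOM Part 10: 128-byte preamble, then the 4-byte "DICM" prefix
DICM = b"DICM"


def _element(group, elem, vr, value):
    """Encode one Explicit VR Little Endian data element (DICOM PS3.5).
    OB/OW/SQ/UN/UT use the long form (2 reserved bytes + 4-byte length);
    other VRs use a 2-byte length. Values are padded to even length."""
    if len(value) % 2:
        value += b"\0"
    tag = struct.pack("<HH", group, elem)
    if vr in (b"OB", b"OW", b"SQ", b"UN", b"UT"):
        return tag + vr + b"\0\0" + struct.pack("<I", len(value)) + value
    return tag + vr + struct.pack("<H", len(value)) + value


def mz_preamble(e_lfanew):
    """A 128-byte preamble that doubles as a DOS (MZ) header whose e_lfanew
    field at offset 0x3C points at a PE header elsewhere in the file."""
    pre = bytearray(PREAMBLE_LEN)
    pre[0:2] = b"MZ"
    struct.pack_into("<I", pre, 0x3C, e_lfanew)
    return bytes(pre)


def inspect_dicom_preamble(data):
    """Classify a file image by what its preamble contains. Returns a dict of findings;
    'verdict' is one of not_dicom, clean, nonstandard_preamble, suspicious_preamble,
    pe_dicom_polyglot."""
    findings = {"is_dicom": data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM,
                "preamble_zeroed": False, "preamble_tiff": False,
                "mz_signature": False, "e_lfanew": None,
                "pe_header_in_file": False, "verdict": "not_dicom"}
    if not findings["is_dicom"]:
        return findings
    pre = data[:PREAMBLE_LEN]
    findings["preamble_zeroed"] = pre == bytes(PREAMBLE_LEN)
    findings["preamble_tiff"] = pre[:4] in (b"II*\x00", b"MM\x00*")   # legitimate TIFF/DICOM dual-format use
    if pre[:2] == b"MZ":
        findings["mz_signature"] = True
        e_lfanew = struct.unpack_from("<I", pre, 0x3C)[0]
        findings["e_lfanew"] = e_lfanew
        # An out-of-range pointer yields an empty slice, which simply fails the comparison.
        findings["pe_header_in_file"] = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    if findings["pe_header_in_file"]:
        findings["verdict"] = "pe_dicom_polyglot"
    elif findings["mz_signature"]:
        findings["verdict"] = "suspicious_preamble"      # DOS header with no PE target: still not a valid use
    elif findings["preamble_zeroed"] or findings["preamble_tiff"]:
        findings["verdict"] = "clean"
    else:
        findings["verdict"] = "nonstandard_preamble"     # vendor-specific data: review, do not auto-block
    return findings


# --- constructed sample files (not real studies) ---
META = _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")   # Transfer Syntax UID: Explicit VR LE
BODY_OFFSET = PREAMBLE_LEN + len(DICM) + len(META)                # where the dataset starts (160)
PATIENT = _element(0x0010, 0x0010, b"PN", b"DOE^JANE")            # the "PHI" that survives intact

CLEAN = bytes(PREAMBLE_LEN) + DICM + META + PATIENT

# PE signature plus a COFF machine field (i386); a real payload would carry a full header and sections.
PE_STUB = b"PE\0\0" + struct.pack("<H", 0x014C) + bytes(18)
PE_OFFSET = BODY_OFFSET + 12                                      # 12 = long-form element header before the value
POLYGLOT = (mz_preamble(PE_OFFSET) + DICM + META
            + _element(0x0009, 0x1010, b"OB", PE_STUB)            # hypothetical private element hiding the PE header
            + PATIENT)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("polyglot", POLYGLOT)):
        print(name, inspect_dicom_preamble(blob)["verdict"])
```

Run over a DICOM archive, anything that comes back as `pe_dicom_polyglot` or `suspicious_preamble` deserves a look, while `nonstandard_preamble` should be triaged against what the modality vendor actually writes there. Note that a scanner must read the whole file, not just the first 132 bytes, because the PE header the preamble points at can sit anywhere in the dataset.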

The DICOM bug has emerged amidst increasingly sophisticated and destructive attacks on healthcare IT systems. While it is the first vulnerability that takes advantage not just of a technical design flaw, but the regulatory environment governing an industry, it probably won’t be the last. This is why it’s crucial for healthcare organizations to practice proactive cybersecurity and actively defend themselves against not just today’s attacks but also tomorrow’s.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Arizona Beverages Ransomware Attack Halts Sales for Days

Poor cybersecurity practices complicated recovery from the Arizona Beverages ransomware attack.

What appears to have been a targeted ransomware attack knocked over 200 networked computers and servers offline at Arizona Beverages, one of the largest beverage suppliers in the U.S., TechCrunch reports. The attack, which the company was still struggling to recover from two weeks later, halted sales operations for days, allegedly costing the company millions of dollars.

Arizona Beverages ransomware attack yet another lesson in what not to do

The ransomware that hit Arizona Beverages is believed to be iEncrypt, a strain used in targeted attacks. A few weeks before the iEncrypt attack, the FBI contacted Arizona Beverages to warn them that they had been compromised by another piece of malware, Dridex, which leverages Microsoft Office macros and is usually delivered through phishing emails. The Dridex infection may very well have opened the door to the iEncrypt attack, possibly by stealing login credentials.

An anonymous source told TechCrunch that the Dridex infection had been ongoing for "at least a couple of months" at the time the FBI contacted Arizona Beverages. The same source remarked to TechCrunch that they were surprised something like this hadn't happened sooner, given the company's poor cybersecurity posture. This included servers that relied on legacy versions of Windows so old that they are no longer supported; these installations hadn't received security patches for "years."

In addition to servers and computers, the iEncrypt ransomware locked down Arizona Beverages’ email server, leaving the company unable to process customer orders. The fun didn’t stop there. When internal IT staff attempted to restore the company’s network from backups, they discovered that they couldn’t – because the backups hadn’t been configured properly. Staff members scrambled for days to get the backups to work before, TechCrunch’s source said, “they started throwing money at the problem” and brought in a third-party vendor.

In addition to millions of dollars in lost sales, Arizona Beverages has allegedly spent “hundreds of thousands” more on new hardware, new software, paying the vendor to clean up the problem, and rebuilding its entire network. As of the publication of the TechCrunch article, the company was reportedly 60% restored.

Targeted ransomware attacks on the rise

Although there has been a drop in the overall number of ransomware attacks over the past year, attacks are becoming more sophisticated and targeted. Meanwhile, the bar for launching a complex attack has been significantly lowered by the proliferation of ransomware-as-a-service, which allows just about anyone to launch an attack regardless of technical ability.

The iEncrypt malware that hit Arizona Beverages uses the victimized company's name as a file extension and also mentions it in the ransom note. It is a very new strain of ransomware, first seen in November 2018, and its behavior is not yet well understood. One thing is certain: once an infection hits, it is especially difficult to remove because the malware impersonates legitimate files.

What would happen if sales at your company halted for a week?

This is the question every company needs to be asking itself right now. Arizona Beverages lost millions of dollars because it literally couldn’t process customer orders for several days; this was on top of cleanup costs. As a very large company, Arizona Beverages could take this sort of financial hit. Many small companies aren’t so fortunate. Around the same time the Arizona Beverages ransomware attack hit the news, a small Michigan medical practice permanently closed after a ransomware attack destroyed their electronic health records system.

The Arizona Beverages ransomware attack may not have happened in the first place if the company had not been relying on old, unpatched, unsupported versions of Windows. When it did occur, the company should have been able to restore from a backup. Not having properly configured network backups is inexcusable. In addition to being able to restore systems after a cyberattack, backups allow companies to recover from events such as vandalism and natural disasters.

Arizona Beverages' poor handling of the basics raises the question of what else was wrong with their internal cybersecurity. Was the Dridex infection properly mitigated? Why didn't the company find out about it until they were contacted by the FBI? Whatever happened, it would have been far less expensive and disruptive for Arizona Beverages to have implemented proactive cybersecurity measures instead of throwing money at a problem after it happened.

NIST Issues Revised Guidance for Bolstering Federal Email Security

NIST SP 800-177 Rev. 1 was written with federal email security in mind, but SMBs can also use the guidance to secure their email systems.

Email breaches can be just as destructive to organizations as customer data breaches; just ask Sony Pictures and the Democratic National Committee. A breach of a federal government agency’s email system may not just be embarrassing or scandalous to the agency; it could put national security at risk. To help agencies protect sensitive and classified information from being stolen in an email hack, the National Institute of Standards and Technology (NIST) has released a finalized revision of SP 800-177 (Revision 1).

Titled Trustworthy Email, the publication outlines best practices for federal email security and updates the minimum standards for FISMA compliance. SP 800-177 complements SP 800-45, which was published in 2007, by providing more up-to-date email security recommendations and guidance, including guidelines on digital signatures and encryption (via S/MIME), minimizing unwanted email (spam), and other aspects of email system deployment and configuration. It also includes an appendix with an overlay of the NIST SP 800-53 Rev. 4 controls and a detailed description of how email systems can comply with the applicable controls.

While SP 800-177 was designed specifically for federal agencies, NIST notes that small and medium-sized businesses in the private sector can benefit from using the same email security best practices to protect confidential business information.

Federal Email Security: Beyond SMTP

The internet's core email protocol, the Simple Mail Transfer Protocol (SMTP), was first specified in 1982, when email security was not a consideration. SP 800-177 recommends the continued use of SMTP, along with the existing Domain Name System (DNS), but notes that on their own these protocols are exposed to a wide range of threats, including man-in-the-middle content modification and eavesdropping. Federal agencies must layer proactive safeguards on top of them, such as spoofing protection, integrity protection, encryption, and authentication, to ensure that their email systems are sufficiently secure for use in government, financial, and medical communications.

The publication describes best practices for authenticating a sending domain using the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC), and for protecting email in transit with Transport Layer Security (TLS). It also recommends Secure/Multipurpose Internet Mail Extensions (S/MIME) for email communications that require end-to-end authentication and confidentiality.
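How SPF, DKIM and DMARC fit together is easier to see in code than in prose, so the following is an added example, not material from SP 800-177 or from NIST. It evaluates a simplified SPF record (ip4, ip6, include and all mechanisms only), reads a DMARC policy, applies identifier alignment, and returns the disposition a receiver would apply. The DNS TXT records are constructed inline for hypothetical domains (agency.example, mailer.example, attacker.example); DKIM signature verification itself is assumed to have been done already and is passed in as a flag, and relaxed alignment is approximated by a parent/child domain check rather than the Public Suffix List lookup real implementations use.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (not from SP 800-177).
DNS_TXT = {
    "agency.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.agency.example": "v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc@agency.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Simplified SPF evaluator (RFC 7208): handles ip4, ip6, include and all.
    Mechanisms needing further DNS lookups (a, mx, exists, ptr) are skipped here."""
    if depth > 10:                      # RFC 7208 limits lookups; treat runaway includes as an error
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # An IPv6 client never matches an ip4 network (and vice versa); ipaddress handles that.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(from_domain):
    """Return the DMARC tags published at _dmarc.<domain>, or None if there is no policy."""
    record = DNS_TXT.get("_dmarc." + from_domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r') accepts a
    parent/child relationship. Simplification: real DMARC compares organizational domains."""
    if from_domain == auth_domain:
        return True
    if mode == "s":
        return False
    return auth_domain.endswith("." + from_domain) or from_domain.endswith("." + auth_domain)


def dmarc_disposition(from_domain, mail_from_domain, client_ip, dkim_domain=None, dkim_valid=False):
    """Decide what a receiver should do with a message given the RFC5322.From domain, the
    SMTP MAIL FROM domain, the connecting IP and the (already computed) DKIM result."""
    policy = parse_dmarc(from_domain)
    spf_result = check_spf(mail_from_domain, client_ip)
    aspf = policy.get("aspf", "r") if policy else "r"
    adkim = policy.get("adkim", "r") if policy else "r"
    spf_aligned = spf_result == "pass" and aligned(from_domain, mail_from_domain, aspf)
    dkim_aligned = dkim_valid and dkim_domain is not None and aligned(from_domain, dkim_domain, adkim)
    if policy is None:
        disposition = "none"                      # nothing published, nothing to enforce
    elif spf_aligned or dkim_aligned:
        disposition = "pass"                      # DMARC needs either aligned SPF or aligned DKIM
    else:
        disposition = policy.get("p", "none")     # reject / quarantine / none, as the domain owner asked
    return {"spf": spf_result, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "disposition": disposition}


if __name__ == "__main__":
    print(dmarc_disposition("agency.example", "agency.example", "203.0.113.5"))
    print(dmarc_disposition("agency.example", "attacker.example", "192.0.2.9"))
```

The fourth case in the test below is the one worth remembering: a message whose MAIL FROM domain passes SPF on its own can still be rejected under DMARC because the authenticated domain does not align with the visible From: header, which is exactly the gap SPF alone leaves open to spoofing.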

SP 800-177 also outlines best practices for protecting against common email security threats impacting the integrity, availability, and confidentiality of email systems, including email spoofing and forging, phishing and spear phishing, eavesdropping and traffic analysis attacks, content modification of emails in transit, email bombing attacks, and spam.

NIST points out in SP 800-177 that securing an email system is far more complex than securing a website, and there is no magic bullet for email security. Different federal agencies will have different needs, data environments, and risk levels. However, with nation-state hackers funded by foreign governments increasingly targeting federal agencies and government contractors, it is crucial to national security to ensure that sensitive and classified government email communications remain confidential.
