Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 498 of 2,445    |
|    Mike Powell to All    |
|    Chinese hacking group hij    |
|    27 Feb 25 10:10:00    |
TZUTC: -0500
MSGID: 211.consprcy@1:2320/105 2c25bad4
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

Chinese hacking group hijacks hospital computers by spoofing legitimate medical software

Date: Wed, 26 Feb 2025 16:49:00 +0000

Description:
Patients are having their data and credentials stolen after Silver Fox group hijacks legitimate medical software to infect their devices.

FULL STORY
======================================================================
 - ForeScout says Silver Fox crime group is targeting hospital patients
 - The group uses spoofed medical software to install malware
 - Credentials, sensitive data, and crypto are then stolen

A Chinese hacking group has been spotted spoofing legitimate medical software to infect patient computers with malware.

The attacks have been attributed by Forescout to a group tracked as Silver Fox, Void Arachne, and The Great Thief of Valley, and use legitimate medical software such as Philips DICOM medical image viewer to deploy the ValleyRAT remote access tool.

ValleyRAT is then used as a backdoor to deploy infostealing malware that targets sensitive data, credentials, and cryptocurrency.

Expanding horizons

As a China-based group, Silver Fox has typically targeted Chinese speakers in previous attacks, but Forescout notes that malware samples they have collected show filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggest[ing] that the group may be expanding its targeting to new regions and sectors.

How Silver Fox gets their malware onto the victims' devices has not yet been determined, but Forescout notes that previous attacks have seen the group use phishing and SEO poisoning techniques to ship their malware.

Once installed, the malware will establish a connection with the attackers' command and control (C2) server using ping.exe, find.exe, cmd.exe, and ipconfig.exe. The malware will also run PowerShell commands to hide its communications paths from Windows Defender scans.

The malware will then retrieve additional payloads from the C2 server, such as a security tool sniffing malware that will search the system for antivirus and endpoint protection software that could detect it, and disables them where possible. ValleyRAT is then deployed, stealing information and extracting it to the C2 server.

Forescout also notes that while not directly targeting a hospital, but rather the victim's device, the malware still poses a significant risk for patients who take infected devices into medical facilities, where the malware could spread through unsecured networks and into hospital systems.

Via TheRegister

======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-hacking-group-hijacks-hospital-computers-by-spoofing-legitimate-medical-software

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426
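A detection sketch for the post-install behaviour described in the message above, added here as an example; it is not from the post, TechRadar or Forescout. It assumes process-creation events (Sysmon Event ID 1 style) reduced to the hypothetical fields shown, assumes the Defender evasion appears as an Add-MpPreference/Set-MpPreference exclusion, and uses constructed sample events with made-up paths, PIDs and addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the article names; the exclusion pattern is an assumption about how
# "hiding paths from Windows Defender" shows up in process-creation telemetry.
NAMED_TOOLS = {"ping.exe", "find.exe", "cmd.exe", "ipconfig.exe"}
EXCLUSION_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
WINDOW = timedelta(minutes=5)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, min_tools=3):
    """Group events by direct parent PID; flag tool bursts and Defender exclusions."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["parent_pid"]].append(e)
    findings = {}
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["time"])
        excl = any(basename(e["image"]) in ("powershell.exe", "pwsh.exe")
                   and EXCLUSION_RE.search(e["cmdline"]) for e in evs)
        tools = [e for e in evs if basename(e["image"]) in NAMED_TOOLS]
        best = set()  # most distinct named tools started within one WINDOW
        for i, first in enumerate(tools):
            seen = {basename(e["image"]) for e in tools[i:] if e["time"] - first["time"] <= WINDOW}
            best = max(best, seen, key=len)
        if excl or len(best) >= min_tools:
            findings[ppid] = {"parent": evs[0]["parent_image"], "tools": sorted(best), "defender_exclusion": excl,
                              "severity": "high" if excl and len(best) >= min_tools else "medium"}
    return findings

def ev(sec, ppid, parent, image, cmdline):
    return {"time": datetime(2025, 2, 27, 10) + timedelta(seconds=sec), "parent_pid": ppid,
            "parent_image": parent, "image": image, "cmdline": cmdline}

SYS, LOADER = "C:\\Windows\\System32\\", "C:\\Users\\pat\\Downloads\\viewer_setup.exe"
# Constructed sample events (hypothetical), not real telemetry.
SAMPLE = [
    ev(0, 4120, LOADER, SYS + "cmd.exe", "cmd.exe /c ver"),
    ev(2, 4120, LOADER, SYS + "ping.exe", "ping -n 1 192.0.2.10"),
    ev(3, 4120, LOADER, SYS + "ipconfig.exe", "ipconfig /all"),
    ev(4, 4120, LOADER, SYS + "find.exe", 'find /i "TTL="'),
    ev(6, 4120, LOADER, SYS + "powershell.exe", "powershell -Command Add-MpPreference -ExclusionPath 'C:\\ProgramData\\demo'"),
    ev(10, 900, "C:\\Windows\\explorer.exe", SYS + "cmd.exe", "cmd.exe"),
    ev(30, 7000, SYS + "cmd.exe", SYS + "ipconfig.exe", "ipconfig"),
    ev(400, 7000, SYS + "cmd.exe", SYS + "ping.exe", "ping 192.0.2.1"),
    ev(420, 7000, SYS + "cmd.exe", SYS + "find.exe", 'find "x" notes.txt'),
]
```

Grouping is by direct parent only; where the loader launches the utilities through an intermediate cmd.exe, the events need to be rolled up to the grandparent before scoring.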
(c) 1994, bbs@darkrealms.ca