Infosec in brief The United States Food and Drug Administration has told medical facilities and caregivers that monitor patients using Contec equipment to disconnect the devices from the internet ASAP.
The Contec CMS8000, also sold as the Epsimed MN-120, contains a trio of vulnerabilities (CVE-2024-12248, CVSS 9.3; CVE-2025-0626, CVSS 7.5; and CVE-2025-0683, CVSS 5.9) that the Cybersecurity and Infrastructure Security Agency (CISA) last week warned could allow an attacker to remotely execute code, crash the device and, most alarmingly, exfiltrate information about patients.
"Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information and protected health information, and exfiltrating the data outside of the health care delivery environment," the FDA said of the hardcoded hole.
The FDA recommends that anyone with a CMS8000 unplug it from the internet and disable its Wi-Fi immediately, and stop using it to remotely monitor patients.
While neither the FDA nor CISA believes there have been any cybersecurity incidents related to the devices, any unit left online could be compromised and used by an attacker as a foothold from which to move laterally into the rest of the connected network.
To make matters worse, CISA said in a factsheet about the vulnerability that it doesn't believe the backdoor is related to remote software updates - this appears to be all about harvesting data.
"The [back door] provides neither an integrity-checking mechanism nor version tracking of updates," CISA said. "When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device."
In other words, not only does the device exfiltrate data, but its update path also overwrites files on the device without leaving any record of what changed, so a hospital's infosec team has no reliable way to know what software is actually running on it.
Both the FDA and CISA said the Chinese-made devices send data to "a third-party university" but did not offer additional info. Other reports, however, allege the university is in China.
Critical vulnerabilities of the week: Dude, you're patching your Dell
Dell rolled out a bundle of security updates last week, addressing vulnerabilities in OpenSSL, the Linux Kernel and PostgreSQL database server, plus patches for Dell NetWorker and NetWorker Virtual editions. While the tech giant describes the impact as "critical," most of the CVEs in the list are high severity at best.
Elsewhere:
CVSS 9.9 - CVE-2025-21415: Azure AI Face Service contains an authentication bypass flaw that could let an authorized attacker escalate privileges over a network.
CVSS 9.1 - CVE-2025-22604: The open-source performance and fault management framework Cacti has a flaw in its SNMP result parser that allows an authenticated attacker to inject malformed object identifiers (OIDs), leading to remote code execution.
CVSS not published yet - CVE-2024-40891: A command injection vulnerability in Zyxel CPE series ethernet routers is being exploited in the wild, and there's no patch available six months after initial reports. Best replace or isolate that hardware.
MGM agrees to settle breach cases for $45M
After having more than 10 million customers' data exposed in 2019, and then another 37 million affected, the MGM casino and hotel chain has agreed to create a $45 million fund from which it will pay litigants in over a dozen class-action lawsuits.
The incidents saw info leak about staff from the Department of Homeland Security and the Transportation Security Administration, Twitter co-founder Jack Dorsey, and pop icon Justin Bieber. Millions of others were also impacted.
According to court documents [PDF], victims who can prove financial losses can claim payments of up to $15,000. Others will receive payouts of $75, $50, or $20, depending on the type of data exposed.
The 2023 MGM Resorts cyberattack was attributed to the Scattered Spider group. Last year, one 17-year-old suspected member was apprehended in the UK. A case investigating the breach is ongoing.
Another week, another healthcare breach notification
Connecticut-based healthcare nonprofit Community Health Center (CHC) has become the latest healthcare network to admit a breach, after it wrote to over a million people to let them know cybercriminals made off with their personal data.
CHC didn't go into details about the incident in a form letter [PDF], only saying that "a skilled criminal hacker got into our systems and took some data" without deleting files, locking systems, or disrupting its daily operations.
CHC said names, birth dates, addresses, phone numbers, SSNs, email addresses, and health insurance information were all exposed.
CHC said there's no indication the information has been misused - yet - and that it had "strengthened our security and added special software to watch for suspicious activity" following the incident.
Amazon tweaks Redshift defaults because it doesn't trust you to do it
Amazon Web Services has decided that you can't be trusted to change your own default settings to protect data warehoused on its Redshift service, so it's saving you the trouble and changing some default settings for you.
AWS last week advised that it was making three major changes to "strengthen the default security posture of our customers' data warehouses," including disabling public access by default, getting rid of the ability for customers to create unencrypted clusters and enforcing secure connections by default.
"These security enhancements could impact existing workflows that rely on public access, unencrypted clusters, or non-SSL connections," Redshift senior product manager Yanzhu Ji wrote. "We recommend that you review and update your configurations, scripts, and tools to align with these new defaults."
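A default change only affects clusters created after it lands, so existing warehouses keep whatever settings they were built with. The following audit, an added example rather than code from AWS or the original article, walks data shaped like the boto3 `describe_clusters` and `describe_cluster_parameters` responses and flags any cluster that is publicly accessible, unencrypted, or attached to a parameter group that does not set `require_ssl` to true. The cluster and parameter-group records are constructed samples, not output from a real account, and the wiring to live API calls is left to the usage note.

```python
"""Audit Redshift cluster descriptions against the three new defaults:
no public access, encryption at rest, and SSL-only connections.

Added example; not AWS code. Field names follow the boto3 responses for
redshift.describe_clusters() and redshift.describe_cluster_parameters().
"""

# Constructed sample shaped like describe_clusters()["Clusters"]; not real data.
SAMPLE_CLUSTERS = [
    {
        "ClusterIdentifier": "analytics-prod",
        "PubliclyAccessible": False,
        "Encrypted": True,
        "ClusterParameterGroups": [
            {"ParameterGroupName": "prod-ssl-only", "ParameterApplyStatus": "in-sync"}
        ],
    },
    {
        "ClusterIdentifier": "legacy-reporting",
        "PubliclyAccessible": True,
        "Encrypted": False,
        "ClusterParameterGroups": [
            {"ParameterGroupName": "default.redshift-1.0", "ParameterApplyStatus": "in-sync"}
        ],
    },
]

# Constructed sample shaped like describe_cluster_parameters()["Parameters"],
# keyed by parameter group name. require_ssl is the parameter that forces TLS.
SAMPLE_PARAMETERS = {
    "prod-ssl-only": [{"ParameterName": "require_ssl", "ParameterValue": "true"}],
    "default.redshift-1.0": [{"ParameterName": "require_ssl", "ParameterValue": "false"}],
}


def requires_ssl(parameters):
    """True only if the parameter group explicitly sets require_ssl=true.

    A missing parameter is treated as the legacy default (SSL optional),
    which is the unsafe case for this audit.
    """
    for p in parameters:
        if p.get("ParameterName") == "require_ssl":
            return str(p.get("ParameterValue", "")).lower() == "true"
    return False


def audit_cluster(cluster, parameters_by_group):
    """Return a list of findings for one cluster; empty means it passes."""
    findings = []
    if cluster.get("PubliclyAccessible"):
        findings.append("publicly accessible")
    if not cluster.get("Encrypted"):
        findings.append("unencrypted storage")
    # Every attached parameter group must enforce SSL; a cluster with no
    # group at all is treated as failing rather than silently passing.
    groups = [g["ParameterGroupName"] for g in cluster.get("ClusterParameterGroups", [])]
    if not groups or not all(requires_ssl(parameters_by_group.get(g, [])) for g in groups):
        findings.append("SSL not required")
    return findings


def audit(clusters, parameters_by_group):
    """Return {cluster_id: [findings]} for every cluster that fails a check."""
    report = {}
    for cluster in clusters:
        findings = audit_cluster(cluster, parameters_by_group)
        if findings:
            report[cluster["ClusterIdentifier"]] = findings
    return report


if __name__ == "__main__":
    for cluster_id, findings in audit(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS).items():
        print(f"{cluster_id}: {', '.join(findings)}")
```

To run this against a real account, replace the two constructed samples with `boto3.client("redshift").describe_clusters()["Clusters"]` and, for each distinct parameter group name, `describe_cluster_parameters(ParameterGroupName=...)["Parameters"]`. Treating an absent `require_ssl` as a failure is a deliberate choice: the old default allowed plaintext connections, so silence in the parameter group is exactly the condition the audit is meant to surface.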
Talos discovers phishing campaign using new .NET backdoor
Windows users in Germany and Poland, beware: a phishing campaign is targeting you and exploiting a previously undocumented .NET backdoor, according to threat hunters from Cisco Talos.
Talos has dubbed the backdoor TorNet, and says it's being dropped by PureCrypter malware that runs when a user unzips a .tgz file that arrives as an email attachment. Executing the attachment’s contents sees TorNet run and connect the infected system to the Tor network, which it uses to communicate with its C2 server and evade detection.
Persistence is maintained via a Windows scheduled task and, sneakily enough, the malware also temporarily disconnects its victim from the internet before dropping its payload to avoid detection by cloud-based security scanners.
Talos didn't indicate who the attacker might be, but said it believes the miscreant is financially motivated. IoCs are included, so be sure you're tracking this one. ®