Fresh from the “oops” department, a security researcher has made news by demonstrating that the DICOM imaging file format in which both CT and MRI scans are stored can be hijacked to hide potentially dangerous executables.
According to an article in Bleeping Computer, Markel Picado Ortiz of Cylera Labs took advantage of a weakness in the design of the DICOM format. Every DICOM file begins with a 128-byte section known as the Preamble, whose contents the standard leaves unconstrained so that the file can also carry the header of another image format and be opened by non-DICOM viewers.
Using the Preamble, Ortiz was able to embed a Windows executable inside a DICOM imaging file (the .dcm format, for what it's worth) without disturbing the patient data that follows. The 128 bytes are enough to hold a DOS (MZ) header, and that header's pointer to the PE headers can aim past the scan data at the rest of the binary stored elsewhere in the file. The end result, which Cylera calls a PEDICOM file, is a single file that is at once a valid scan and a valid Windows .exe binary.
Ortiz believed, correctly as it turns out, that DICOM files were a great place to hide malicious executables, for reasons that included that they look inconspicuous to medical staff and that they have been the default CT and MRI imaging file format for roughly 30 years, Bleeping Computer reported.
It's important to note that PEDICOM files aren't dangerous in and of themselves, as they can't be executed directly simply by being injected into a healthcare system's network. They only work as part of a multi-stage malware attack whose capabilities include executing these files, or when adversaries who already have access to the files use them to infect patient data, the researcher said.
However, PEDICOM polyglot files can be launched from the command line using a custom-made batch script, or with the help of any other program or tool that hands the file to the CreateProcess API function, since the Windows loader keys on the file's PE structure rather than its extension. Malicious PEDICOM files therefore add a tool to the attacker's toolkit tailored for systems where CT and MRI imaging files are routinely present.
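The check below is an added example written for this article; it is not Cylera's code and does not reproduce their sample file. It shows the two structural facts the preceding paragraphs rely on: a DICOM Part 10 file has a 128-byte preamble followed by the magic string "DICM", and a PE/DICOM polyglot fills that preamble with a DOS header whose e_lfanew field (offset 0x3C) points at a "PE\0\0" signature elsewhere in the file. The function names and the constructed sample bytes (a header skeleton, not a runnable executable and not a real scan) are this example's own assumptions.

```python
import struct

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C


def inspect_dicom(data: bytes) -> dict:
    """Report whether a DICOM byte string carries a PE header in its preamble.

    The preamble is free-form by design, so "MZ" at offset 0 is only a
    strong hint; the decisive check is whether the DOS header's e_lfanew
    really lands on a PE signature inside the same file.
    """
    report = {
        "is_dicom": False,
        "preamble_all_zero": False,
        "preamble_has_mz": False,
        "e_lfanew": None,
        "pe_signature_found": False,
    }
    if len(data) < PREAMBLE_LEN + len(DICOM_MAGIC):
        return report
    preamble = data[:PREAMBLE_LEN]
    report["is_dicom"] = data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICOM_MAGIC
    report["preamble_all_zero"] = preamble == b"\0" * PREAMBLE_LEN
    if preamble[:2] == MZ_MAGIC:
        report["preamble_has_mz"] = True
        e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
        report["e_lfanew"] = e_lfanew
        # Bounds check: a pointer past end-of-file is junk, not a PE header.
        if e_lfanew + len(PE_MAGIC) <= len(data):
            report["pe_signature_found"] = data[e_lfanew:e_lfanew + 4] == PE_MAGIC
    return report


def is_pedicom(data: bytes) -> bool:
    """True when the file is both a DICOM file and a reachable PE image."""
    r = inspect_dicom(data)
    return r["is_dicom"] and r["preamble_has_mz"] and r["pe_signature_found"]


# Constructed DICOM body for the samples: one File Meta element, the
# Transfer Syntax UID (0002,0010) in explicit VR little endian. 28 bytes.
SAMPLE_BODY = (
    b"\x02\x00\x10\x00"          # tag (0002,0010)
    + b"UI"                      # VR
    + struct.pack("<H", 20)      # value length
    + b"1.2.840.10008.1.2.1\0"   # UID, padded to even length
)


def build_sample(polyglot: bool) -> bytes:
    """Constructed test input: a benign DICOM, or a PE/DICOM header skeleton."""
    if not polyglot:
        preamble = b"\0" * PREAMBLE_LEN
        return preamble + DICOM_MAGIC + SAMPLE_BODY
    # PE headers are placed after the DICOM content; e_lfanew points there.
    pe_offset = PREAMBLE_LEN + len(DICOM_MAGIC) + len(SAMPLE_BODY)
    preamble = (
        MZ_MAGIC
        + b"\0" * (E_LFANEW_OFFSET - len(MZ_MAGIC))
        + struct.pack("<I", pe_offset)
        + b"\0" * (PREAMBLE_LEN - E_LFANEW_OFFSET - 4)
    )
    assert len(preamble) == PREAMBLE_LEN
    # Only the signature plus a zeroed COFF header stub; a real polyglot
    # would carry full PE headers and sections here.
    pe_stub = PE_MAGIC + b"\0" * 20
    return preamble + DICOM_MAGIC + SAMPLE_BODY + pe_stub


if __name__ == "__main__":
    for label, flag in (("benign", False), ("polyglot", True)):
        print(label, inspect_dicom(build_sample(flag)), is_pedicom(build_sample(flag)))
```

Run it against real files by replacing `build_sample(...)` with `open(path, "rb").read()`. A non-zero preamble is not by itself suspicious, since the standard permits a TIFF or other image header there; what matters is an MZ header whose e_lfanew resolves to a PE signature, because that is exactly the structure the Windows loader follows when CreateProcess is handed the file, whatever its extension.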
Things get weird at that point. A Twitter user noted that when they launched the polyglot pedicom-cylera.dcm they might have exposed a Windows vulnerability:
Confirming that launching Cylera's polyglot pedicom-cylera.dcm file from cmd.exe actually runs it as an executable (!), although it's an unrecognized format on the machine. This is a really weird behavior and could indicate something worse in the way Windows is "launching" files. https://t.co/HXSeFhmglA
— Mitja Kolsek (@mkolsek) April 19, 2019
Regardless, these doctored files could pose a threat once attackers find a way to execute the malicious binaries. There are at least four things they could do to interfere with hospital operations:
- Intrude into hospital infrastructure by hiding malware in DICOM files, then using social engineering to slip them into emails to hospital staff
- Upload the images to the hospital PACS system using the DICOM network protocols
- Reach the devices of hospital patients by hiding malware in DICOM images, then using social engineering to get the images out to patients by email
- Keep malware hidden on infected devices, which is possible because some antivirus programs do not treat these images as executables and so will not scan them as such
This may not be headline news even within the health IT community, as this isn't the first time someone has tried to tamper with DICOM files, but it is a reminder that as the complexity of digital health solutions grows, the range of opportunities for exploiting that complexity grows too.