Cyber Incident Victim: Health Tech Innovations
Date: Oct 2019
Location: United States of America
Summary
A medical technology company experienced a widespread malware infection in which malicious code was concealed within WAV audio files using steganography, leading to system crashes (BSOD) across its network. The malware spread with the EternalBlue exploit against unpatched Windows 7 systems, compromising over 800 machines and enabling lateral movement to over half the network. The payload included a cryptocurrency miner targeting Monero via the CryptonightR algorithm and leveraged PowerShell scripts hidden in registry keys, while its evasion techniques involved compiling C# code from memory-loaded DLLs. Because kernel memory dumps were disabled, incident responders had insufficient forensic data and had to reconstruct the attack from residual artifacts, highlighting the organization's inadequate patch management and post-incident analysis capabilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 14, 2019, a medical technology company experienced a malware infection that compromised over 800 computers, more than half of its network. The attack was initially detected when multiple Windows 7 machines displayed Blue Screen of Death (BSOD) errors. Security researchers from Guardicore, engaged for incident response, determined that the malware propagated through the EternalBlue exploit against the SMBv1 vulnerability, the same method leveraged in the 2017 WannaCry and NotPetya attacks. The malicious payload used steganography to conceal its components within WAV audio files, which appeared normal and could be played without noticeable quality degradation. These files carried hidden modules that were extracted and executed on infected hosts. One module deployed a cryptocurrency miner targeting Monero via the CryptonightR algorithm, while another performed network scanning and lateral movement, using EternalBlue to infect additional vulnerable systems.

The company’s installation of an endpoint detection and response (EDR) platform during containment revealed the technical details of the attack chain. Malicious activity involving cscdll.dll and cscomp.dll was observed compiling and executing C# code from memory, linked to a base64-encoded PowerShell script. Investigators traced registry key modifications (HKLM\Software\Microsoft\Windows\CurrentVersion\Shell) and command execution patterns, but faced forensic limitations because no kernel memory dumps were available; these could have clarified what triggered the BSODs. Guardicore confirmed that the malware resembled techniques documented by BlackBerry Cylance researchers on October 16, 2019, though this incident demonstrated the full attack lifecycle. The widespread compromise was attributed to the organization’s reliance on unpatched Windows 7 systems, which had remained vulnerable to EternalBlue for nearly three years. The absence of a kernel dump configuration hindered root-cause analysis, but residual attack data provided sufficient evidence of the intrusion's scope and methodology.
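The description above turns on three host conditions a defender can audit before an incident rather than after it: whether a BSOD will leave a kernel dump behind, whether the SMBv1 server that EternalBlue targets is still enabled and unpatched, and whether the registry key the write-up names holds encoded PowerShell. The following read-only audit script is an added example, not code from the incident write-up or from Guardicore. It assumes PowerShell 3.0 or later on a Windows 7 host run from an elevated prompt; the CrashControl and LanmanServer registry locations and value meanings are Microsoft-documented, the MS17-010 package numbers for Windows 7 SP1 are the original March 2017 ones (later cumulative rollups supersede them, so their absence alone is not proof of exposure), and the encoded-command heuristic in `Find-EncodedPowerShellInKey` is an assumption of this example.

```powershell
# Added example (not from the incident write-up): read-only audit of the conditions
# that let this intrusion spread and that hampered its investigation.
# Assumes PowerShell 3.0+ and an elevated prompt on Windows 7 SP1.

function Test-KernelDumpEnabled {
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic.
    # Only complete, kernel or automatic dumps capture enough to explain a BSOD trigger.
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction SilentlyContinue
    $mode = if ($null -ne $cc -and $null -ne $cc.CrashDumpEnabled) { [int]$cc.CrashDumpEnabled } else { 0 }
    [pscustomobject]@{
        Check  = 'Kernel memory dump'
        Value  = $mode
        Pass   = (@(1, 2, 7) -contains $mode)
        Advice = 'Set CrashDumpEnabled to 2 (kernel) or 7 (automatic) and keep the page file large enough.'
    }
}

function Test-Smb1ServerDisabled {
    # On Windows 7 / Server 2008 R2 the SMBv1 server is governed by the SMB1 DWORD under
    # LanmanServer\Parameters. Absent or non-zero means SMBv1 is enabled (the default).
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $disabled = ($null -ne $p) -and ($null -ne $p.SMB1) -and ([int]$p.SMB1 -eq 0)
    [pscustomobject]@{
        Check  = 'SMBv1 server disabled'
        Value  = if ($disabled) { 'disabled' } else { 'enabled' }
        Pass   = $disabled
        Advice = 'Set SMB1 = 0 (DWORD) under LanmanServer\Parameters and reboot, unless a legacy dependency is documented.'
    }
}

function Test-Ms17010Applied {
    # KB4012212 (security-only) and KB4012215 (monthly rollup) are the March 2017 Windows 7 SP1
    # packages for MS17-010. Later rollups supersede them, so also report the srv.sys version
    # and compare it against the minimum listed in Microsoft's MS17-010 guidance.
    $kbs = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -match '^KB(4012212|4012215)$' }
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srv) { (Get-Item $srv).VersionInfo.FileVersion } else { 'srv.sys not found' }
    [pscustomobject]@{
        Check  = 'MS17-010 (EternalBlue) patch'
        Value  = "KBs: $(if ($kbs) { ($kbs.HotFixID -join ',') } else { 'none of the original packages' }); srv.sys $srvVersion"
        Pass   = [bool]$kbs
        Advice = 'If no original package is listed, confirm a superseding rollup via the srv.sys version before treating the host as patched.'
    }
}

function Find-EncodedPowerShellInKey {
    # Walks the key named in the write-up and its subkeys, flagging values that invoke
    # powershell with an encoded-command switch or carry a long base64 run.
    # The matching rules are a heuristic assumed by this example, not a published signature.
    param([string]$Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell')
    $keys = @()
    $root = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $root) { return @() }
    $keys += $root
    $keys += Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue
    $hits = @()
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            $mentionsPs = $val -match '(?i)powershell'
            $encodedSw  = $val -match '(?i)\s-e(c|nc|ncodedcommand)?\s'
            $base64Run  = $val -match '[A-Za-z0-9+/]{100,}={0,2}'
            if ($mentionsPs -and ($encodedSw -or $base64Run)) {
                $hits += [pscustomobject]@{
                    Key       = $key.Name
                    ValueName = if ($name -eq '') { '(Default)' } else { $name }
                    Preview   = $val.Substring(0, [Math]::Min(80, $val.Length))
                }
            }
        }
    }
    return $hits
}

# Run the audit and print a compact report.
$report = @((Test-KernelDumpEnabled), (Test-Smb1ServerDisabled), (Test-Ms17010Applied))
$report | Format-Table -AutoSize -Wrap

$encoded = @(Find-EncodedPowerShellInKey)
if ($encoded.Count -gt 0) {
    Write-Warning "Encoded PowerShell found under the Shell key; capture the full values before remediation."
    $encoded | Format-List
} else {
    Write-Output 'No encoded PowerShell values found under HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell.'
}
```

The report is deliberately informational: a failed MS17-010 check tells you to confirm the srv.sys version against Microsoft's table rather than declaring the host vulnerable, and a registry hit is surfaced with an 80-character preview so the full value can be preserved as evidence before anyone deletes it, which is the kind of artifact the responders in this incident had to rely on in place of kernel dumps.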
