A 200-bed hospital in Ohio fell victim to the Baget exploit via an unpatched Microsoft IIS server running a legacy patient portal application. The attacker used a SQL injection vulnerability (CVE-2021-44228, though misconfigured) to gain initial access, then deployed the Baget payload. Over 72 hours, the attacker exfiltrated 80,000 patient records including Social Security numbers and treatment histories. A ransom note demanded $1.2 million. The hospital declined to pay, but recovery costs exceeded $4 million, and operations were crippled for 11 days.
rule Baget_Backdoor
{
    meta:
        description = "Detects Baget backdoor executable"
        author = "Threat Intel"
        date = "2024-01-01"

    strings:
        $s1 = "BAGET_MUTEX" wide ascii
        $s2 = "cmd.exe /c" fullword
        $s3 = "2556" ascii

    condition:
        $s1 and $s2 and $s3
}
After achieving RCE, the attacker injects a stager, a tiny piece of shellcode or a PowerShell one-liner that fetches the main Baget payload. To avoid detection, the stager often uses:
The full Baget payload is a DLL file (Windows) or an ELF binary (Linux) with the following capabilities:
The Baget payload then establishes a persistent backdoor by reaching out to its C2 server. Communication is often hidden within seemingly benign traffic:
In cybersecurity and hacking, an exploit is a tool or technique used to take advantage of a vulnerability or weakness in a computer system, software, or protocol. This can allow hackers to gain unauthorized access, elevate privileges, or perform actions that would not normally be permitted.