A new cyber group called Orangeworm is undermining healthcare data security at large firms using malware known as Trojan.Kwampirs to gain remote access to compromised computers, warned security firm Symantec in a new report released April 23.
Orangeworm is targeting healthcare providers, pharmaceutical firms, IT solution providers for healthcare, and healthcare equipment manufacturers. However, the group is also targeting other firms in manufacturing, information technology, agriculture, and logistics.
“We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare,” researchers from Symantec’s Security Response Attack Investigation Team wrote.
“While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products,” the team noted.
Around 40 percent of the group’s victims are in the healthcare industry, and the largest share of infections (17 percent) is in the United States.
The Symantec researchers believe that the motive is corporate espionage. They noted that the group conducts a substantial amount of research and planning before attacking the intended target, such that the victims are not randomly attacked.
Symantec found the Kwampirs malware on machines that had software installed for the use and control of medical imaging machines, such as x-rays and MRIs, and machines used to assist patients in completing procedure consent forms.
Once the malware is deployed, it collects information about the compromised computer, such as basic network adapter information, system version information, and language settings, to determine whether the victim is a high-value target.
Should the group decide the victim is high value, it copies the malware across open network shares to infect other computers. It continues to harvest information about the victim’s network, including any information pertaining to recently accessed computers, network adapters, available network shares, mapped drives, and computer files.
Kwampirs spreads by copying itself over network shares. This method depends on computers running legacy operating systems, like Windows XP.
“This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry,” the researchers noted.
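The spreading behaviour described above, an executable being copied to network shares on many machines in quick succession, is something defenders can look for in file-share audit logs. The following is an added example, not code from the Symantec report or this article: the event records are constructed, and the field names are simplified from Windows Security event 5145 (Detailed File Share) rather than taken from any real telemetry.

```python
"""Flag hosts that write executables to network shares on many other
machines within a short window, the lateral-spread pattern of Kwampirs.
Added illustration; event layout and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_host, target_host, share, file)
SAMPLE_EVENTS = [
    ("2018-04-20 09:00:05", "WS-IMG01", "WS-IMG02", "ADMIN$", "svchost.exe"),
    ("2018-04-20 09:00:09", "WS-IMG01", "WS-IMG03", "C$", "Windows\\svchost.exe"),
    ("2018-04-20 09:00:14", "WS-IMG01", "FILESRV1", "ADMIN$", "svchost.exe"),
    ("2018-04-20 09:01:00", "WS-IMG01", "WS-IMG04", "ADMIN$", "svchost.exe"),
    ("2018-04-20 10:15:00", "ADMIN-PC", "FILESRV1", "Shared", "report.docx"),
    ("2018-04-20 11:30:00", "ADMIN-PC", "WS-IMG02", "ADMIN$", "tool.exe"),
]

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd")


def find_lateral_spread(events, min_targets=3, window=timedelta(minutes=10)):
    """Return {source_host: sorted target hosts} for every source that wrote
    an executable to shares on at least `min_targets` distinct hosts inside
    any `window`-long period. A single admin copying one tool is not flagged;
    a worm-like fan-out across several machines is."""
    writes = defaultdict(list)  # source_host -> [(timestamp, target_host)]
    for ts, src, dst, _share, path in events:
        if path.lower().endswith(EXECUTABLE_EXTENSIONS):
            writes[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dst))

    flagged = {}
    for src, items in writes.items():
        items.sort()
        # Slide a window starting at each write and count distinct targets.
        for i, (start, _) in enumerate(items):
            targets = {dst for t, dst in items[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for host, targets in find_lateral_spread(SAMPLE_EVENTS).items():
        print(f"{host} wrote executables to {len(targets)} hosts: {targets}")
```

Tune `min_targets` and `window` to the environment: software-deployment servers legitimately fan out executables and belong on an allow-list, while an imaging workstation that suddenly writes to ADMIN$ on several peers deserves isolation, as the recommendations below advise.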
In addition, the malware cycles through an extensive list of command and control servers used for communication. The list of servers dates back to 2016, when the malware was first discovered, and not all of them currently work.
“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” the research team opined.
While Symantec judged that a state-sponsored actor was not behind Orangeworm, it could not be sure what the origin of the group was.
To prevent a Kwampirs malware infection, Symantec recommended that healthcare organizations follow basic security best practices, including:
• Use a firewall to block all incoming connections from the internet to services that should not be publicly available
• Enforce a complex password policy
• Ensure users have the lowest level of privilege needed to do their job
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives
• Turn off file sharing if not needed and turn off and remove unnecessary services
• Ensure software patches are up to date
• Configure email servers to block suspicious file attachments
• Isolate infected computers quickly to prevent the malware’s spread
• Train employees on email security, including how to deal with phishing emails
• Turn off Bluetooth if not required for mobile devices
• Do not accept applications that are unsigned or sent from unknown sources
Symantec’s recommendations for combating the Kwampirs malware also help healthcare companies stop other types of cyberattacks, including ransomware and PHI data theft.