Orangeworm Mounting an Espionage Campaign Against the Healthcare Sector

A hacking group, dubbed “Orangeworm,” is conducting highly coordinated and deliberate cyberattacks against healthcare facilities in the U.S., Europe, and Asia. According to many reports, Orangeworm is compromising healthcare systems like network shares and servers, but most notably, MRI and X-Ray machines. With the recent uptick in compromised IoT devices, it should come to no surprise that network-connected medical machines are being hacked.

In order to compromise these medical machines, Orangeworm is using Trojan.Kwampirs, a piece of Windows malware discovered back in August 2016, which possesses the ability to open backdoors for remote access and additional downloads of malicious files. Since most of the healthcare sector still has legacy operating systems on their network (like Windows XP) and unpatched medical devices that don’t have much security to begin with, many healthcare facilities are being compromised.

When Kwampirs infects a machine, it creates a set of malicious files and registers itself as a service, “WmiApSrvEx,” which is set to automatically run during the boot process. It then opens a backdoor and connects to a long list of URLs that can send shellcode back to Kwampirs by executing in its address space. Not all of these C2 servers are active though. Kwampirs then quickly copies itself across the network.

This slideshow requires JavaScript.

Kwampirs’ payload allows it to sidestep signature-based detection and maintains a pesky persistence by collecting specific information on compromised systems. Commands can also be executed for data exfiltration. As shown below, the commands can certainly steal a great degree of information.

This slideshow requires JavaScript.

The U.S. is Orangeworm’s biggest victim, but interestingly, the hacking group appears to be targeting the large supply chains that serve the healthcare sector, such as pharmaceutical companies, IT solution providers for healthcare, and healthcare equipment manufacturers. Thus, what Orangeworm appears to be interested in is how healthcare facilities and their interconnected systems operate, rather than some sort of financial or malicious objective.

That is not to say Orangeworm won’t turn malicious. It is very possible that malware, such as Ransomware, can be installed onto compromised systems (Recall when WannaCry infected healthcare organizations last year). Likewise, storage media could even be remotely wiped.

Since Kwampirs has a high affinity for legacy operating systems, legacy equipment should be isolated onto their own network. Any compromised systems should be quickly quarantined to contain the infection. Since Kwampirs has been around since 2016, there is a signature for it. Even though, Kwampirs can evade signature detection, healthcare facilities should still scan their network. Kwampirs can also be detected since there will be a large number of pings (or beacons) to C2 servers.

 

References

Balaji, N. (2018). APT Group Cyber Attack Against Medical Sectors to Hack X-Ray & MRI Scan Machines. GBHackers on Security. Retrieved from https://gbhackers.com/orangeworm-apt/

Bisson, D. (2018). New Orangeworm Threat Group Targets Healthcare Organizations With Custom Backdoor. IBM. Retrieved

E-Hacking News. (2018). Hackers Infect X-Ray and MRI Machines. E Hacking News. http://www.ehackingnews.com/2018/04/hackers-infect-x-ray-and-mri-machines.html

Seals, T. (2018). Organgeworm Mounts Espionage Campaign Against HealthcareThreatpost. Retrieved from https://threatpost.com/orangeworm-mounts-espionage-campaign-against-healthcare/131381/

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: