April 27, 2018
Jacobian Engineering received a FLASH bulletin from the FBI regarding a new trojan named Kwampirs, used by a hacker group referred to by security analysts as Orangeworm. According to sources within InfraGard, the hacker group is targeting IT solution providers, manufacturers and other supply chain vendors in order to reach healthcare entities with the backdoor trojan. According to data released by Symantec and other agencies, nearly 40 percent of all targets are in healthcare.
Analysts have determined that the Kwampirs worm quietly collects data about its intended target before launching an attack. These attacks are slow and deliberate, and they result in effective penetration of weaker networks. Once the trojan is activated, it appends a randomly generated string to its own file in order to generate new variants and avoid pattern-based detection methods. Infected systems may also contain boot code that loads the malware into memory after each reboot. The worm then copies itself across the enterprise over network shares in order to infect additional systems.
Legacy systems such as those found commonly in biomedical devices are particularly vulnerable. For those who may still be running Windows XP or other older or unpatched operating systems, Jacobian recommends reaching out to biomedical vendors and IT support to see how these systems may be patched, isolated or even decommissioned before a beachhead can be established.
Once the worm has infiltrated a network, it begins collecting as much information as possible to send back to the hacker group. Areas of interest include system information such as processes, registry data, installed programs, databases, files and other information stored locally. This is a potential HIPAA breach event and could result in the loss of highly sensitive medical information such as protected health information about individuals.
If your organization is concerned about this threat, Jacobian recommends reaching out to a qualified cybersecurity professional, your internal information security team or CISO, or your IT department. Qualified individuals may detect Kwampirs through behavioral analysis, including file detection, process anomaly detection and pattern-based anomaly detection. Application control is one way of capturing threats such as these before they spread.
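The two points above (a variant that changes its own hash by appending a random string, and application control as a way to catch it anyway) are easy to see side by side. The following is an added example written for this page; it is not code from Jacobian, the FBI or Symantec, and it contains no real Kwampirs indicators. The "executables" are constructed byte strings, and the directory it scans is a temporary one it creates itself. It shows that a hash blocklist misses the mutated copy, while both an allowlist (application control) and a signature over the unchanged content still flag it.

```python
"""Added example (not Jacobian's or the FBI's code): compare a hash
blocklist, a content signature and an application-control allowlist
against a self-mutating sample. All file contents are constructed."""
from __future__ import annotations

import hashlib
import os
import secrets
import tempfile
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a known-good program and a known-bad sample.
# These are not real binaries and not real indicators.
KNOWN_GOOD = b"MZ-constructed-good-program-v1"
KNOWN_BAD = b"MZ-constructed-bad-sample"


def mutate(sample: bytes) -> bytes:
    """Simulate the behaviour described in the advisory: the same code with
    a random string appended, so every copy carries a new file hash."""
    return sample + secrets.token_bytes(16)


def blocklist_scan(files: Dict[str, bytes], bad_hashes: Set[str]) -> List[str]:
    """Pattern-based approach: flag files whose whole-file hash is known bad."""
    return [name for name, data in files.items() if sha256_hex(data) in bad_hashes]


def signature_scan(files: Dict[str, bytes], signature: bytes) -> List[str]:
    """Content signature: flag files that still contain the unchanged body,
    regardless of what was appended after it."""
    return [name for name, data in files.items() if signature in data]


def allowlist_scan(files: Dict[str, bytes], allowed_hashes: Set[str]) -> List[str]:
    """Application-control approach: flag anything not explicitly allowed."""
    return [name for name, data in files.items() if sha256_hex(data) not in allowed_hashes]


def read_dir(path: str) -> Dict[str, bytes]:
    """Read every file under `path` into memory, keyed by relative name."""
    out: Dict[str, bytes] = {}
    for root, _, names in os.walk(path):
        for n in names:
            full = os.path.join(root, n)
            with open(full, "rb") as f:
                out[os.path.relpath(full, path)] = f.read()
    return out


def demo() -> Dict[str, List[str]]:
    """Write a good program and a mutated bad sample to a temp directory,
    then run all three checks over what is on disk."""
    with tempfile.TemporaryDirectory() as d:
        files = {"app.exe": KNOWN_GOOD, "variant.exe": mutate(KNOWN_BAD)}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        on_disk = read_dir(d)
        return {
            "blocklist": blocklist_scan(on_disk, {sha256_hex(KNOWN_BAD)}),
            "signature": signature_scan(on_disk, KNOWN_BAD),
            "allowlist": allowlist_scan(on_disk, {sha256_hex(KNOWN_GOOD)}),
        }


if __name__ == "__main__":
    for method, hits in demo().items():
        print(f"{method:>9}: {hits}")
```

The blocklist result is the interesting one: it is empty, because the appended bytes changed the hash, which is exactly the evasion the advisory describes. The allowlist flags the variant without knowing anything about it, which is why application control is recommended as a first line; the content signature shows that pattern matching still works when it targets the part of the file the malware cannot change without breaking itself.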