An Advanced Persistent Threat (APT) group identified as Kwampirs, also called OrangeWorm, still attacks healthcare companies and compromise their systems with the Kwampirs Remote Access Trojan (RAT) as well as other malware payloads.
The threat gang is busy since about 2016, although activity has heightened lately with the FBI lately having passed three notifications concerning the APT group all this time in 2020. Symantec’s report in April 2019 was the earliest to document attacks on healthcare companies by way of the supply chain.
The APT group is targeting several different industries, which include healthcare, engineering, energy, and software vendor. The attacks on the healthcare community are thought to have taken place by way of the vendor software supply store and hardware goods.
According to the FBI, the attacks were really effective. The APT gang has attacked numerous hospitals across Asia, the United States and Europe, which include local hospital groups and leading transnational healthcare firms. The campaigns have involved locally contaminated appliances and enterprise malware attacks.
The APT group begins with the acquisition of access to the gadgets of victim organizations and creates an extensive and continual presence making use of the Kwampirs RAT to be able to perform computer network exploitation (CNE) campaigns. The attacks include two levels. The first includes the usage of the Kwampirs RAT to acquire broad and continual access to hospital systems which usually involves the delivery of various secondary malware payloads. The second entails adding more modules to the Kwampirs RAT to enable farther exploitation of the attacked systems. The extra modules are personalized based upon the organization which was attacked. The reports of FBI say that the attackers had the ability to sustain persistence on the attacked systems for a long time, from approximately 3 months to 3 years when they did comprehensive reconnaissance.
The APT group has targeted principal and alternative domain controllers, software development servers, engineer servers that comprise source code for software program creation, and file servers which are employed as databases for R&D information. When deployed, the Kwampirs RAT carries out day-to-day command and manipulate communications with Domains and IP addresses encoded in the malware and downloads information.
The principal goal of the APT group looks like cyber surveillance, nevertheless the FBI says that a review of the RAT pointed out various code commonalities with the Shamoon (Disttrack) wiper that was employed in the Saudi Aramco attack in 2012. Nonetheless, the FBI says that it hasn’t found the inclusion of any wiper modules in Kwampirs so far.
The FBI has given various advice and guidelines to follow to strengthen security and lessen the danger of infection. These best practices include:
- Update software programs and operating systems and use patches
- Use user input confirmation to minimize local and distant file inclusion vulnerabilities
- Make use of a least-privileges guideline on the Web server to minimize the risk for escalation of privileges and pivoting sideways to other hosts, and to manage file creation and execution in certain directories.
- Developing a demilitarized zone (DMZ) among internet-facing systems and the business network
- Make certain all Web servers possess a protected setting and all unwanted and unused ports are deactivated or obstructed
- Make use of a reverse proxy to minimize accessible URL paths to recognized legit ones
- Set up a Web application firewall
- Perform consistent virus inspections and code assessments, app fuzzing, and server network reviews
- Perform routine system and app vulnerability verification to prepare areas of danger.