Orangeworm threat group targeting Asia & EU healthcare sector firms

24 Apr 2018

A group dubbed ‘Orangeworm’ is targeting healthcare and related industries across Asia, the United States, and Europe as part of what looks to be a carefully targeted attack process with significant planning behind the scenes.

Researchers from Symantec say that the group has been deploying Trojan.Kwampirs, a custom backdoor that gives attackers remote access to compromised computers on the network.

The Trojan then collects information about the infected network, including information about recently accessed computers, files, mapped drives, available network shares, and network adapter information.

Symantec researchers say that the Orangeworm group’s known victims include healthcare providers, pharmaceutical firms, healthcare IT providers and healthcare equipment manufacturers. 39% of the Trojan’s targets operate within the healthcare industry.

While most targets have been based in the United States (17%), 7% were based in India, 5% in the Philippines, and 2% each in China, Hong Kong, and Malaysia. A number of other targets are located in Europe.

“The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear,” Symantec says.

Researchers found that the Trojan is able to spread aggressively through a network by copying itself over network shares. This method is old but works well on older operating systems such as Windows XP – a good match for the healthcare industry because it often operates using older systems.

Symantec notes that the Trojan also reaches out to a long list of command and control servers.

That behaviour, combined with a network-share propagation method that makes only small modifications to the Trojan itself, indicates that the Orangeworm group ‘is not overly concerned with being discovered’, Symantec says.

Although the group is known to have been active for several years, there’s no evidence to suggest it is a state-sponsored actor; rather, it looks to be the work of one person or a small group of people.

“There are currently no technical or operational indicators to ascertain the origin of the group,” Symantec notes.

“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” Symantec concludes.
