Story image

Orangeworm threat group targeting Asia & EU healthcare sector firms

24 Apr 18

A group dubbed ‘Orangeworm’ is targeting healthcare and related industries across Asia, the United States, and Europe as part of what looks to be a carefully targeted attack process with significant planning behind the scenes.

Researchers from Symantec say that the group has been deploying Trojan.Krampirs, a custom backdoor that gives attackers remote access to compromised computers on the network.

The Trojan then collects information about the infected network, including information about recently accessed computers, files, mapped drives, available network shares, and network adapter information.

Symantec researchers say that the Orangeworm group’s known victims include healthcare providers, pharmaceutical firms, healthcare IT providers and healthcare equipment manufacturers. 39% of the Trojan’s targets operate within the healthcare industry.

While most targets have been based in the United States (17%), 7% were based in India; 5% in the Philippines, and 2% respectively across China, Hong Kong, and Malaysia. A number of other targets are located in Europe.

“The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear,” Symantec says.

Researchers found that the Trojan is able to spread aggressively through a network by copying itself over network shares. This method is old but works well on older operating systems such as Windows XP – a good match for the healthcare industry because it often operates using older systems.

Symantec notes that the Trojan also reaches out to a long list of command and control servers.

That action, in combination with the network sharing that only makes small modifications to the Trojan itself, indicates that the Orangeworm group ‘is not overly concerned with being discovered’, Symantec says.

Although the group has been known to be active for several years, there’s no evidence to suggest it is a state-sponsored actor, but rather the work of one person or a small group of people.

“There are currently no technical or operational indicators to ascertain the origin of the group,” Symantec notes.

“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” Symantec concludes.

Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).