The attack group known as Orangeworm has been observed installing a custom backdoor, a Trojan called Kwampirs, on machines running the software used to operate and control high-tech imaging devices such as X-ray and MRI machines, as well as tools that help patients complete consent forms. The targeted attacks identified also affected related industries, including healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry. The backdoor targets these groups for the purpose of corporate espionage. According to a recent Deloitte & Touche poll, identifying and mitigating the risks of fielded and legacy connected devices is healthcare's biggest cybersecurity challenge (30.1 percent).

Symantec's researchers noted that the group conducts a substantial amount of research and planning before attacking its intended target; victims are not chosen at random.

Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. For persistence, it creates a service that loads the main payload into memory when the system is rebooted. It may also request a list of local accounts with administrative access. "While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP". That kind of propagation remains effective against older operating systems such as XP. The group behind the attack has apparently made no effort to change its C&C communication protocol since its inception.
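As an added example (not from the original report or from Symantec), here is a defender-side check for the persistence step described above: it parses constructed records modelled on Windows System-log Event ID 7045 ("A service was installed in the system") and flags newly installed services that host a DLL or run from outside trusted directories, noting when they are set to auto-start and so reload at every reboot. Event ID 7045 and its fields are real; the service names and paths are made up.

```python
import re

# Constructed sample records modelled on Event ID 7045 (Service Control Manager).
# The service names and paths are invented for this example.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=wuauserv ImagePath="C:\Windows\System32\svchost.exe -k netsvcs" StartType="auto start"',
    r'EventID=7045 ServiceName=HealthSvcEx ImagePath="rundll32.exe C:\Windows\Temp\hsx.dll,Start" StartType="auto start"',
    r'EventID=7045 ServiceName=Spooler ImagePath="C:\Windows\System32\spoolsv.exe" StartType="auto start"',
    r'EventID=7045 ServiceName=UpdTask ImagePath="C:\Users\Public\upd.exe" StartType="demand start"',
    r'EventID=7036 ServiceName=Spooler State=running',  # state change, not an install
]

# key=value pairs; a value may be double-quoted and then contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Directories where legitimately installed service binaries normally live (lower-case).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_event(line):
    """Turn one record into a dict, stripping quotes from quoted values."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD_RE.findall(line)}

def assess_service_install(event):
    """Return the reasons a service-install event deserves review ([] if none)."""
    if event.get("EventID") != "7045":
        return []
    image = event.get("ImagePath", "").lower()
    reasons = []
    if ".dll" in image:
        # A service whose command line loads a DLL is how a DLL payload gets hosted.
        reasons.append("service hosts a DLL payload")
    # Every drive-rooted path on the command line must sit under a trusted directory.
    paths = re.findall(r'[a-z]:\\[^\s",]+', image)
    if any(not p.startswith(TRUSTED_DIRS) for p in paths):
        reasons.append("binary outside trusted directories")
    if reasons and event.get("StartType", "").lower().startswith("auto"):
        reasons.append("auto start: reloads at every reboot")
    return reasons

def scan(lines):
    """Map each suspicious service name to its list of reasons."""
    return {e["ServiceName"]: r for e in map(parse_event, lines)
            if (r := assess_service_install(e))}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same logic would be fed the 7045 events exported from the System log rather than the constructed records.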
Orangeworm has used the same command-and-control protocol since it kicked off, which Symantec says is an indication the group isn't too concerned about being discovered.
"We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare". Since the discovery in 2016, Symantec has been working with customers and investigating who might be behind the Trojan, which led to yesterday's report. "We started looking into that malware, trying to determine what its functionality was, what it did, anything unique about it, and we found it was a backdoor we had not seen before", DiMaggio told Healthcare Dive.
As for what CISOs should be doing, DiMaggio pointed out that this malware spreads by taking advantage of organizations whose PCs and servers run older operating systems.
"Healthcare devices are an enticing target for hackers, as they are not upgraded and monitored as aggressively as other components (such as desktops and laptops)". Finally, consider whether these machines need to touch the public-facing Internet at all. Beyond that, users need only run security software and keep anti-virus software up to date.
In November of the previous year, a survey by Infoblox revealed that, despite the security risks, healthcare organisations in the United Kingdom were purchasing thousands of IoT devices and pieces of connected medical equipment, placing both enterprise data and sensitive patient records at risk of breach.