A recent report from Symantec’s Security Response Attack Investigation Team has zeroed-in on a hacking collective that is harassing the health-care industry. The group’s name has been found to be Orangeworm and they have been responsible for hacking various health-care-related targets in the United States, Europe, and Asia. The group was previously unidentified when they first popped-up on researchers’ radars in 2015, but now their methodology and identity is well-documented.
Symantec noted the following about Orangeworm’s targets:
Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.
The main attack method for Orangeworm is installing a backdoor via the Trojan.Kwampirs. Kwampirs has been discovered on the software for X-Ray and MRI machines, on systems connected to networks with highly sensitive data, and anything else remotely related to powerful healthcare corporations.
Once the backdoor has been installed, and the target has been confirmed to be of interest, the first thing Kwampirs does (after decrypting and extracting the DLL payload) is “aggressively copy the backdoor across open network shares to infect other computers.”
Symantec notes the following hidden file shares as common places for the backdoor to dig into the network:
The main purpose of all of this is an aggressive form of reconnaissance, which is thought to possibly be linked to corporate espionage. The amount of internal data recovered from these attacks can prove very useful as they encompass not only data from the company but also any business partner the company may deal with.
Symantec notes that the Orangeworm hackers aren’t particularly concerned with stealth. The attacks they carry out are what we in the security field call “loud” and are prone to set off any alert mode that IT departments respond to (for example, their IDS or IPS). A big reason why such a reckless approach works is that many health-care industry leaders still run Windows XP, which is much easier to penetrate and stay on due to primitive security protections.
This last point is so crucial as cybersecurity professionals have warned against the dangers of running obsolete OS variants like XP for years. I have been one of those people, and I constantly warned that the issues would reach critical mass, and once they did with WannaCry, I thought there might be a change. Obviously, the change wasn’t enough as Orangeworm is proving that XP is still widely in use in such a sensitive industry.
Health-care executives: Update your OS or continue to suffer the consequences of your inaction.
Photo credit: Wikimedia