Kwampirs APT Group Continues to Attack Healthcare Firms via the Supply Chain

An Advanced Persistent Threat (APT) group called Kwampirs, otherwise known as OrangeWorm, is still attacking healthcare providers and infecting their websites with the Kwampirs Remote Access Trojan (RAT) along with other malware payloads.

The threat group has been active since around 2016, but activity has increased recently: the FBI has issued three warnings about the group so far in 2020. Symantec’s report in April 2019 was the first to document attacks on healthcare providers through the supply chain.

The APT group is targeting various industries, including healthcare, energy, engineering, and software supply. The attacks on the healthcare industry are believed to have come through the vendor software supply chain and hardware products.

According to the FBI, the attacks have been very successful. The APT group has compromised many hospitals across the United States, Asia and Europe, including local hospital associations and large transnational healthcare organizations. The campaigns typically infect both local equipment and enterprise systems with malware.

The APT group first gains access to the victim organization’s devices and establishes a broad and persistent presence using the Kwampirs RAT in order to carry out computer network exploitation (CNE) activities. The attacks consist of two stages. The first uses the Kwampirs RAT to obtain broad and prolonged access to hospital networks, which frequently includes the delivery of a number of secondary malware payloads. The second adds extra modules to the Kwampirs RAT to permit further exploitation of the victims’ networks; the added modules are customized to the organization that has been attacked. The FBI reports that the threat actors maintain control of victims’ networks for long periods, from 3 months to 3 years, and carry out detailed reconnaissance.

The threat group has targeted primary and secondary domain controllers, software development servers, engineering servers, and file servers used as repositories for R&D data. Once deployed, the Kwampirs RAT carries out daily command and control communications with IP addresses and domains hard-coded in the malware and exfiltrates data.
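The daily check-in to hard-coded addresses described above is a pattern a defender can look for in outbound-connection logs. The following is an added example, not code from the original article or from the FBI or Symantec reports: it flags source/destination pairs whose connection intervals are nearly constant over several days. The log format, host addresses and timestamps are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
# Added example (not from the original article): flag hosts that contact the
# same external destination at a regular interval over a long span, the
# behaviour the article attributes to Kwampirs (daily C2 check-ins).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: "timestamp src dst". Destinations use
# documentation-range addresses (RFC 5737); they are not real indicators.
SAMPLE_LOG = """\
2020-03-01T02:00:11 10.0.5.21 203.0.113.7
2020-03-01T09:14:03 10.0.5.21 198.51.100.20
2020-03-02T02:00:09 10.0.5.21 203.0.113.7
2020-03-02T11:02:44 10.0.5.21 198.51.100.20
2020-03-03T02:00:14 10.0.5.21 203.0.113.7
2020-03-04T02:00:12 10.0.5.21 203.0.113.7
2020-03-04T15:47:30 10.0.5.21 198.51.100.20
2020-03-05T02:00:10 10.0.5.21 203.0.113.7
2020-03-06T02:00:15 10.0.5.21 203.0.113.7
2020-03-07T02:00:08 10.0.5.21 203.0.113.7
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def find_beacons(text, min_events=5, min_days=3, max_jitter=0.05):
    """Return (src, dst, mean_interval_hours) for pairs whose gaps between
    connections are nearly constant (coefficient of variation <= max_jitter)
    and whose activity spans at least min_days days. Thresholds are assumed."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        times.sort()
        if len(times) < min_events:
            continue
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        if span_days < min_days:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg / 3600, 2)))
    return hits
```

The irregular, infrequent connections to 198.51.100.20 are ignored, while the near-exact 24-hour cadence to 203.0.113.7 is reported; in practice, allow-list known update and monitoring endpoints before alerting.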

The primary purpose of the APT group appears to be cyber espionage; however, the FBI states that analysis of the RAT showed a number of code similarities with the Shamoon (Disttrack) wiper used in the 2012 attack on Saudi Aramco. Nevertheless, the FBI states that it has not yet observed the integration of any wiper modules in Kwampirs.

The FBI has provided a number of recommendations and best practices to enhance security and minimize the threat of infection. These guidelines include:

  • Update software and operating systems and apply patches
  • Use user input validation to limit local and remote file inclusion vulnerabilities
  • Use a least-privilege scheme on the web server to reduce the opportunities for privilege escalation and lateral pivoting to other hosts, and to control file creation and execution in specific directories
  • Set up a demilitarized zone (DMZ) between the internet-facing systems and the company network
  • Ensure all web servers have a secure configuration and all unneeded and unused ports are disabled or blocked
  • Use a reverse proxy to limit accessible URL paths to known legitimate ones
  • Use a web application firewall
  • Carry out frequent virus monitoring and code reviews, application fuzzing, and server network scans
  • Perform frequent system and application vulnerability scans to identify areas of risk.