This article looks at the hacker group Orangeworm and the Kwampirs malware it deploys against healthcare systems: how Kwampirs operates, who is most often targeted, and how to protect yourself.
The most dangerous hacker groups go after critical systems such as power grids, and they can wreak havoc with relatively simple malware. Medical imaging devices are among the latest targets.
The cybercriminal group Orangeworm installs custom malware on healthcare systems and then uses it to carry out targeted attacks against specific organizations, including the supply chains that serve those organizations.
What is Kwampirs, how does it work, and how can we protect ourselves from it?
What Does This Cyber Worm do?
Think about getting x-rays or an MRI and the vulnerability you experience.
You might be wearing a hospital gown or strapped into something. Your head might literally be in a giant circle of magnets and gizmos.
One of the worst things that could happen is a criminal hacking group hijacking the device you are attached to. That is exactly the kind of equipment Orangeworm has gone after: Kwampirs was found on machines running the control software for X-ray and MRI devices.
Symantec researchers identified the group now known as Orangeworm through its use of Kwampirs, a custom backdoor Trojan. Kwampirs infiltrated organizations in the U.S., Europe, and Asia.
In Symantec's breakdown of victims, almost 40% are in the healthcare sector.
The malware also turned up on machines used to help patients complete things like consent forms. The main focus does not appear to be stealing patient data; Orangeworm seems to want to learn how the devices and their software operate.
Symantec Information on How It Operates
Orangeworm was first identified in 2015, but Symantec only publicly documented its Kwampirs Trojan in 2018.
Since the Trojan behaves like a reconnaissance tool, some suggest that the purpose is corporate espionage. This theory gains more traction when you examine Orangeworm's victim list.
The U.S. has Orangeworm's largest concentration of victims, at 17% of all of those affected. Symantec theorizes that the information collected from imaging devices could be used to learn how they operate and whether they are in use for research or on a high-value target.
Kwampirs does not just scoop up information once. It installs itself as a Windows service so that it survives reboots, and on every boot it decrypts its main payload from its own resource section, loads it into memory, and starts collecting fresh information. Before writing the payload to disk it inserts a randomly generated string into it, so that each copy has a different file hash.
Symantec's diagram shows how the payload is loaded into memory on each reboot. Kwampirs also copies itself across the network into hidden administrative file shares on other machines; Symantec's report lists the shares to check.
From there, the Trojan gathers information about the network and potential victims, and the hacker group collects all kinds of information and insights from it. You can see the full list on Symantec's website, but here is a small preview:
- List of currently running processes
- List of local group accounts and users
- Detailed system configuration, including OS version and registered owner
- List of any network mappings available
Again, this is not a comprehensive list, but just a preview. What is striking is that Kwampirs is both aggressive in spreading and not especially stealthy: it copies itself across network shares and runs its reconnaissance through ordinary command-line tools, which is noisy on any monitored host.
This suggests that Orangeworm may not be overly concerned about getting noticed.
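The noisy reconnaissance described above is exactly what host-level monitoring can catch. The following Python script is an added example (not code from the original article or from Symantec): it parses constructed Sysmon-style process-creation records and raises an alert when a single parent process launches several distinct discovery commands of the kind listed above within a short window. The log format, field names, host names, parent paths, window size and threshold are all assumptions chosen for the illustration.

```python
"""Flag Kwampirs-style reconnaissance bursts in process-creation logs.

Added example (not from the article or from Symantec). It parses
constructed Sysmon-style process-creation records and alerts when one
parent process launches several distinct discovery commands within a
short window. Log format, field names, hosts, paths, window and
threshold are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands of the kind the article lists (process list, local
# groups and users, system configuration, network mappings). Each pattern
# is matched against the lower-cased command after the cmd.exe /c wrapper
# has been removed.
RECON_PATTERNS = {
    "tasklist": re.compile(r"^tasklist\b"),
    "net_localgroup": re.compile(r"^net\s+localgroup\b"),
    "net_user": re.compile(r"^net\s+user\b"),
    "net_group": re.compile(r"^net\s+group\b"),
    "net_view": re.compile(r"^net\s+view\b"),
    "net_share": re.compile(r"^net\s+share\b"),
    "systeminfo": re.compile(r"^systeminfo\b"),
    "ipconfig_all": re.compile(r"^ipconfig\s+/all\b"),
    "arp": re.compile(r"^arp\s+-a\b"),
    "route_print": re.compile(r"^route\s+print\b"),
    "netstat": re.compile(r"^netstat\b"),
}

WINDOW = timedelta(minutes=2)  # burst window (assumption)
THRESHOLD = 4                  # distinct recon commands per parent (assumption)

# One constructed record per line: ISO timestamp, host, parent PID,
# parent image path and the child's full command line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) "
    r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)
# Matches 'cmd.exe /c <command>' with or without a quoted full path.
CMD_WRAPPER_RE = re.compile(r'^"?[^"\s]*cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.IGNORECASE)

# Constructed sample log (hosts, PIDs and parent paths are made up). The
# first six lines mimic a Kwampirs-style burst; the rest is ordinary use.
SAMPLE_LOG = r"""
2018-04-23T10:00:01 host=MRI-CONSOLE-1 ppid=4120 parent=C:\Windows\System32\svchost.exe cmd=cmd.exe /c tasklist /v
2018-04-23T10:00:02 host=MRI-CONSOLE-1 ppid=4120 parent=C:\Windows\System32\svchost.exe cmd=cmd.exe /c net localgroup administrators
2018-04-23T10:00:04 host=MRI-CONSOLE-1 ppid=4120 parent=C:\Windows\System32\svchost.exe cmd=cmd.exe /c net user
2018-04-23T10:00:05 host=MRI-CONSOLE-1 ppid=4120 parent=C:\Windows\System32\svchost.exe cmd=cmd.exe /c systeminfo
2018-04-23T10:00:07 host=MRI-CONSOLE-1 ppid=4120 parent=C:\Windows\System32\svchost.exe cmd=cmd.exe /c net view /domain
2018-04-23T10:00:09 host=MRI-CONSOLE-1 ppid=4120 parent=C:\Windows\System32\svchost.exe cmd=cmd.exe /c ipconfig /all
2018-04-23T10:03:00 host=WS-RECEPTION-7 ppid=2210 parent=C:\Windows\explorer.exe cmd=cmd.exe /c ipconfig /all
2018-04-23T10:41:00 host=WS-RECEPTION-7 ppid=2210 parent=C:\Windows\explorer.exe cmd=cmd.exe /c net view
2018-04-23T10:42:00 host=WS-RECEPTION-7 ppid=2210 parent=C:\Windows\explorer.exe cmd=notepad.exe C:\notes.txt
"""


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def strip_cmd_wrapper(cmd):
    """Return the command run under 'cmd.exe /c ...', or the command unchanged."""
    m = CMD_WRAPPER_RE.match(cmd.strip())
    return m.group(1).strip().strip('"') if m else cmd.strip()


def classify(cmd):
    """Name the recon command a command line runs, or None if it is not one."""
    inner = strip_cmd_wrapper(cmd).lower()
    for name, pattern in RECON_PATTERNS.items():
        if pattern.match(inner):
            return name
    return None


def detect_recon_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, ppid, parent) that ran at least `threshold`
    distinct recon commands inside `window`. Each alert is
    (host, ppid, parent, sorted command names seen in that window)."""
    per_parent = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = classify(rec["cmd"])
        if name:
            per_parent[(rec["host"], rec["ppid"], rec["parent"])].append((rec["ts"], name))

    alerts = []
    for (host, ppid, parent), events in per_parent.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) >= threshold:
                # Report every recon command seen in the window that tripped the alert.
                last = end
                while last + 1 < len(events) and events[last + 1][0] - events[start][0] <= window:
                    last += 1
                distinct = {name for _, name in events[start:last + 1]}
                alerts.append((host, ppid, parent, sorted(distinct)))
                break
    return alerts


if __name__ == "__main__":
    for host, ppid, parent, cmds in detect_recon_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: {parent} (pid {ppid}) ran {len(cmds)} recon commands: {', '.join(cmds)}")
```

Keying on the parent process rather than the host is what separates a scripted burst from an administrator typing the same commands over an afternoon: the second host in the sample runs two of the listed commands 38 minutes apart and is not flagged. The same logic ports to a SIEM query over Sysmon Event ID 1 or Windows Security event 4688, provided command-line logging is enabled on the imaging workstations.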
How to Protect Yourself
Kwampirs spreads most easily on older operating systems and older file-sharing protocols, which are still common on hospital equipment, so legacy Windows systems are the first thing to worry about: patch them, isolate them on their own network segment, or retire them. Symantec also states on its website that its customers are protected.
It lists WebFilter-enabled and Intelligent Services products that provide protection, such as Advanced Secure Gateway (ASG), Web Security Service (WSS), and SSL Visibility.
You can also find a downloadable PDF of indicators of compromise on Symantec's website. Because Kwampirs alters each copy of its payload with a random string, file hashes alone are a weak indicator; the service, network-share and command-line behaviour described above are more reliable things to hunt for.