On April 23, Symantec published a report on the Orangeworm cyberattack. Operating since January 2015, Orangeworm infected more than 100 organizations, of which 40 percent are confirmed to be in the healthcare sector, mostly located in the United States, Europe and Asia. Other affected organizations are supply chain, IT, pharmaceutical and manufacturing companies working with healthcare providers.
Considering that the attack has been in operation for three years, 100 infected companies is a very small number. This is some evidence that Orangeworm is a fairly targeted attack which intends to remain persistent.
Orangeworm’s Use of Kwampirs
Orangeworm leverages the Kwampirs malware, a remote access trojan that provides full access to compromised computers. Kwampirs is a sophisticated malware with multiple persistence techniques, though it lacks some basic capabilities for avoiding detection, as it uses a fixed set of C&C servers.
In the Orangeworm attack, the Kwampirs malware was found on computers that use and control high-tech imaging devices, including X-ray and MRI machines (hence making the attack very specific for the healthcare sector).
While the motivation behind the attack is still unclear, the malware seems to be used to gather information in order to determine if the victim is a researcher or a high-value target. If the victim is of interest, it gathers more information about the network, local files and recently accessed computers.
The Orangeworm propagation method is via shared network drives. Considered to be an old-school technique, it appears to work just fine in a healthcare sector fraught with legacy technology.
Protecting Against Orangeworm
IoT devices should be properly patched and configured, including the computers that control them — even if they are not directly connected to the internet (such as in the case of an MRI machine). Using network modeling can provide the needed visibility to understand connectivity and accessibility as well as help plan remediation and mitigation options.
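The recommendation above (model the network to understand what can reach a device controller, even one with no direct internet access) can be illustrated with a small reachability check. This is an added example, not code from Symantec's report or this post; the zones, ACL rules and port are constructed assumptions, chosen to mirror the file-share propagation path described earlier.

```python
from collections import deque

SMB = 445  # TCP port used for Windows file shares (assumed propagation path)

def reachable_zones(rules, target, port):
    """Zones from which `target` is reachable on `port`, directly or by
    hopping through intermediate zones that also allow that port.
    Each rule is (src_zone, dst_zone, allowed_ports) where allowed_ports
    is a set of TCP ports or the string "any"."""
    reverse = {}  # dst -> set of src zones allowed to reach it on `port`
    for src, dst, ports in rules:
        if ports == "any" or port in ports:
            reverse.setdefault(dst, set()).add(src)
    seen, queue = {target}, deque([target])
    while queue:  # reverse BFS from the target back to every possible source
        zone = queue.popleft()
        for src in reverse.get(zone, ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    seen.discard(target)
    return seen

def unexpected_exposure(rules, target, port, allowed_sources):
    """Zones that can reach `target` on `port` but should not be able to."""
    return reachable_zones(rules, target, port) - set(allowed_sources)

# Constructed flat network: everything routes freely towards the imaging zone,
# so a worm on a guest or VPN host can reach the MRI control workstation.
FLAT_RULES = [
    ("office_lan", "imaging", "any"),
    ("guest_wifi", "office_lan", "any"),
    ("vpn", "office_lan", "any"),
]

# Constructed segmented network: only a dedicated admin zone may open SMB
# to the imaging zone; other zones get just the ports they need.
SEGMENTED_RULES = [
    ("office_lan", "imaging", {443}),
    ("guest_wifi", "office_lan", set()),
    ("vpn", "office_lan", {443, 3389}),
    ("imaging_admin", "imaging", {SMB, 3389}),
]

if __name__ == "__main__":
    print("flat:     ", sorted(reachable_zones(FLAT_RULES, "imaging", SMB)))
    print("segmented:", sorted(reachable_zones(SEGMENTED_RULES, "imaging", SMB)))
    print("unexpected:", sorted(unexpected_exposure(FLAT_RULES, "imaging", SMB, {"imaging_admin"})))
```

Feeding real firewall and VLAN rules into the same model turns "not connected to the internet" into a concrete list of segments that can still open a file share to the device controller.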
Abbott’s Firmware Update for Cardiac Devices
Medical device manufacturer Abbott is releasing firmware upgrades to some of its cardiac devices due to vulnerabilities that could allow remote access to the devices without user interaction. The affected products include radio frequency (RF)-enabled devices such as implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators. Accessing an RF-enabled device normally requires physical proximity (it isn’t explicitly mentioned in the Abbott advisory, but the range is probably a matter of a few meters). Due to the vulnerabilities, though, this is not the case.
The firmware issue affects some 350,000 devices. Thankfully, the update does not require a trip to the OR, but will require a doctor’s visit.
For an industry prized for its innovation and advancements, healthcare is still greatly behind in terms of cybersecurity. The volume and variety of devices healthcare organizations need to manage, poor security awareness of employees in this sector and the high value of personal health information (PHI) on the black market provide enough challenges to defenders and incentives to threat actors to make healthcare “low-hanging fruit” for cyberattacks.
While the value of PHI isn’t going down anytime soon, the challenges to protecting it can be overcome. Healthcare organizations and their related vendors need to gain better visibility into their unique attack surface, including the risks facing their unique devices and the systems that oversee them.