Kwampirs APT Group Continues to Attack Healthcare Organizations via the Supply Chain

An Advanced Persistent Threat (APT) group known as Kwampirs, aka OrangeWorm, is continuing to attack healthcare organizations and infect their networks with the Kwampirs Remote Access Trojan (RAT) and other malware payloads.

The threat group has been active since at least 2016, but activity has increased recently with the FBI now having issued three alerts about the APT group so far in 2020. Symantec was first to report attacks on healthcare organizations via the supply chain in a report published in April 2019.

A variety of industries are being targeted by the APT group, including healthcare, energy, engineering, and the software supply chain. The attacks on the healthcare sector are believed to have occurred through the vendor software supply chain and hardware products.

The FBI reports that the attacks have been very effective. The APT group has compromised a large number of hospitals throughout the United States, Europe, and Asia, ranging from local hospital associations to major transnational healthcare companies. The campaigns have included locally infected machines and enterprise malware infections.

The APT group first gains access to victim companies’ devices and establishes a broad and persistent presence using the Kwampirs RAT in order to conduct computer network exploitation (CNE) activities. The attacks consist of two phases. The first phase involves the use of the Kwampirs RAT to gain broad and persistent access to hospital networks, which often includes delivery of several secondary malware payloads. The second phase sees additional modules added to the Kwampirs RAT to allow further exploitation of victims’ networks. The additional modules are tailored to the organization that has been attacked. The FBI reports that the threat actors have managed to maintain persistence on victims’ networks for long periods of time, ranging from around 3 months to 36 months, during which time they performed detailed reconnaissance.

The threat group has targeted primary and secondary domain controllers, engineer servers, software development servers that contain source code for software development, and file servers that are used as repositories for R&D data. Once deployed, the Kwampirs RAT performs daily command and control communications with IP addresses and domains hard coded in the malware and exfiltrates data.
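The daily check-in to a fixed set of destinations described above is something defenders can hunt for in proxy or DNS logs. The following is an added example, not taken from the FBI alert or from any vendor tooling: it flags internal hosts that contact the same destination on nearly every day of a review window. The log layout, host names, addresses, allowlist and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (ISO date, internal host, destination) tuples, as might be
# extracted from proxy or DNS logs. All names and addresses are made up.
def build_sample(days=14):
    start = date(2020, 3, 1)
    rows = []
    for i in range(days):
        d = (start + timedelta(days=i)).isoformat()
        rows.append((d, "ws-014", "203.0.113.50"))         # contacted every day
        rows.append((d, "ws-014", "updates.example.com"))  # daily, but allowlisted
        rows.append((d, "ws-022", "updates.example.com"))
        if i % 5 == 0:
            rows.append((d, "ws-022", "198.51.100.7"))      # occasional contact
    return rows

def daily_contact_pairs(rows, allowlist=(), min_ratio=0.9, max_hosts=2):
    """Return (host, dest, ratio) for destinations a host contacted on at least
    min_ratio of the days in the window, skipping allowlisted destinations and
    destinations used by more than max_hosts hosts (likely shared services)."""
    all_days = {day for day, _, _ in rows}
    days_seen = defaultdict(set)       # (host, dest) -> days with contact
    hosts_per_dest = defaultdict(set)  # dest -> hosts that contacted it
    for day, host, dest in rows:
        days_seen[(host, dest)].add(day)
        hosts_per_dest[dest].add(host)
    findings = []
    for (host, dest), days in days_seen.items():
        if dest in allowlist or len(hosts_per_dest[dest]) > max_hosts:
            continue
        ratio = len(days) / len(all_days)
        if ratio >= min_ratio:
            findings.append((host, dest, round(ratio, 2)))
    return sorted(findings)

if __name__ == "__main__":
    hits = daily_contact_pairs(build_sample(), allowlist={"updates.example.com"})
    for host, dest, ratio in hits:
        print(f"{host} -> {dest}: contacted on {ratio:.0%} of days")
```

A hit is a lead for triage rather than a verdict, since legitimate agents also check in daily; the allowlist and thresholds need tuning to the environment.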

The main aim of the APT group appears to be cyber espionage, but the FBI warns that an analysis of the RAT revealed several code similarities with the Shamoon (Disttrack) wiper, which was used in the attack on Saudi Aramco in 2012. However, the FBI reports that it has not seen the incorporation of any wiper modules in Kwampirs to date.

“Due to the modular nature of the Kwampirs RAT, secondary module(s) are capable of being downloaded to the victim network, which would provide access to enable further CNE activities,” explained the FBI in its recent alert. “Secondary module(s) downloaded would be separate and different from the Kwampirs RAT IOCs, and may not have been remediated by anti-virus end point protection.”

The FBI has offered several recommendations and best practices to adopt to improve security and reduce the risk of infection. These measures include:

  • Keep software and operating systems up to date and patched
  • Employ user input validation to restrict local and remote file inclusion vulnerabilities
  • Use a least-privileges policy on the Web server to reduce the potential for escalation of privileges and pivoting laterally to other hosts, and to control the creation and execution of files in particular directories
  • Establish a demilitarized zone (DMZ) between internet-facing systems and the corporate network
  • Ensure all Web servers have a secure configuration and all unnecessary and unused ports are disabled or blocked
  • Use a reverse proxy to restrict accessible URL paths to known legitimate ones
  • Deploy a Web application firewall
  • Conduct regular virus checks and code reviews, application fuzzing, and server network analyses
  • Conduct regular system and application vulnerability scans to establish areas of risk

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.