Kwampirs Malware: How Can We Protect Ourselves From It?


By Rita Jiselle

Earlier this year, the FBI issued warnings about ongoing Kwampirs malware attacks, although news of the malware first came to light in April 2018. That news was based on reports by the US cybersecurity firm Symantec, which suspected that a group it called ‘Orangeworm’ was using Kwampirs malware against companies in the supply chain industry that provide services to the healthcare sector. An estimated 40% of this group’s victims were from the healthcare industry. The campaign allegedly began as early as 2015.

Expanding the attacks

Symantec speculated that Orangeworm also targeted the logistics, agriculture, manufacturing, and information technology sectors, whose ties to healthcare lie in their role as large manufacturing firms and in the services or machines they provide. The news resurfaced this year, as the malware appears to have expanded to attacks on Industrial Control Systems (ICS), and the energy sector specifically. The FBI alerted the United States’ private sector to this persistent operation, which is infiltrating providers of supply chain software. Attackers are probing organizations with Kwampirs, which is a remote access trojan (RAT).

Finding entry points

These companies fall victim to the malware because software supply chains are an entry point to information on their customers and partners, which is why ICS have become collateral damage in these attacks. Such systems are responsible for energy generation, transmission, and distribution globally. New evidence shows that the Kwampirs malware is strikingly similar to the well-known Shamoon malware created by APT33, which carried out numerous attacks on the energy, oil, and gas sectors.

Heightening awareness

The Kwampirs RAT has already found its way into several hospitals around the globe, even during the pandemic, with the United States, Asia, the Middle East, and Europe all experiencing attacks. The healthcare industry has become particularly vulnerable at this time because of the adoption of telehealth services to attend to more patients. This is why heightened awareness is so necessary right now, given the catastrophic losses that can follow when a hospital becomes the site of an attack. Attacks arrive through vendor healthcare software supply chains as well as hardware products. Infected software supply chain vendors may also supply the machinery used to manage ICS within the hospitals themselves.

Identifying devices

Researchers have also detected the Kwampirs malware in software used on patient imaging devices, from MRI scanners to x-ray machines. Given the intricacy of today’s devices and their hardware, there are concerns about the number of layers in their printed circuit boards (PCBs). For designers, this poses tough calls, as additional layers raise costs. Today’s multifaceted semiconductor devices naturally have more layers, and the author’s view is that this adds layers of security to the hardware. However, malicious actors are aware of these sensitive PCB areas and know what it takes to target them. The same phenomenon can be seen from small local hospitals to transnational healthcare companies. In fact, reports show that ransomware is significantly capitalizing on the pandemic through local healthcare institutions.

Considering its tactics

Because targeted devices do not undergo stringent security measures, they can fall victim to attacks, and once the malware infects a device it is difficult to remove. For Kwampirs specifically, an infection begins with a persistent presence on the network before additional payloads are deployed and executed. The malware can remain hidden in a network for three to thirty-six months before the specific attack occurs. The host network is then subject to data gathering or to secondary infection of other vulnerable areas.

Curbing infections

IT security experts are able to track these occurrences because the malicious endpoints (the servers the RAT calls home to) are hard-coded into the malware itself. However, with supply chains as the site of attack, curbing infections and their spread is more complicated. To protect against Kwampirs, focusing on those hard-coded endpoints is the best available approach, and organizations must be proactive about monitoring their networks religiously. ReversingLabs analyzed the Kwampirs RAT in order to list indicators of compromise (IOCs) for companies to note. These IOCs may then be used to generate “new blocking firewall and intrusion detection rules and to search SIEM logs for infected endpoints.”
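The SIEM search described above, as an added example that is not from the article or from ReversingLabs: a small Python script that matches outbound connection log lines against an IOC list of hard-coded endpoints and reports which hosts contacted them. Every domain, IP address, hostname and log line below is a constructed placeholder, not a real Kwampirs indicator; a vetted vendor IOC list would replace them in practice.

```python
# Added example: hunt for hosts that contacted known C2 endpoints in
# proxy/firewall-style logs. All IOCs and log lines are constructed placeholders.
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder IOCs (documentation domains and RFC 5737 addresses).
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
IOC_IPS = {"192.0.2.10", "198.51.100.7"}

# Constructed log lines: "<timestamp> <source host> ... dst=<domain or IP> ...".
SAMPLE_LOGS = """\
2020-04-01T10:00:01Z mri-ws01 outbound dst=c2-placeholder.example port=443
2020-04-01T10:00:05Z reception-pc dst=www.example.org port=80
2020-04-01T10:01:12Z xray-ws03 dst=cdn.update-placeholder.example port=443
2020-04-01T10:02:40Z mri-ws01 dst=198.51.100.7 port=8080
2020-04-01T10:03:00Z admin-pc dst=192.0.2.99 port=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+.*?dst=(?P<dst>\S+)")


def domain_matches(dst, ioc_domains):
    """True if dst equals an IOC domain or is a subdomain of one (case-insensitive)."""
    dst = dst.lower().rstrip(".")
    return any(dst == d or dst.endswith("." + d) for d in ioc_domains)


def ip_matches(dst, ioc_ips):
    """True if dst parses as an IP address that is on the IOC list."""
    try:
        return str(ipaddress.ip_address(dst)) in ioc_ips
    except ValueError:
        return False


def find_infected_hosts(log_text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return {host: [(timestamp, matched destination), ...]} for hosts that hit an IOC."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        dst = m.group("dst")
        if domain_matches(dst, ioc_domains) or ip_matches(dst, ioc_ips):
            hits[m.group("host")].append((m.group("ts"), dst))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_infected_hosts(SAMPLE_LOGS).items():
        print(host, events)
```

Subdomain matching matters because a hard-coded endpoint may be reached via a host under the listed domain, while a lookalike such as `notc2-placeholder.example` must not match.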

Moving forward

Since Kwampirs is more effective on older operating systems, it is also imperative that you keep all of your infrastructure as up to date as possible. Additionally, the FBI recommends implementing least-privilege policies on web servers and blocking external access to administration panels. They also advise placing demilitarized zones between internet-facing systems and an organization’s internal networks. You must report any suspicious behavior or difficulties you find in these areas to an FBI field office in your area.

Although the Kwampirs malware may not be a new threat, vigilance is of utmost importance at this time due to the pandemic. Given the number of people, stakeholders, and supply chains involved, mitigating an attack could be a matter of saving numerous lives and livelihoods.

Rita Jiselle has a background in cybersecurity and writes about the latest trends and news in the field. In her spare time, she works on her golf swing and attends to her pet Chewy.
