April 24, 2018
|
4 mins

Orangeworm Threat Intelligence Briefing

This attack has gained a good amount of momentum in the past weeks. Given the tactics employed by the attackers we believe they are performing advanced staging for additional attacks and compromise.

This could be part of a criminal organization who intends to utilize this vector as a espionage-as-a-service program or a terrorist organization who may employ cyber-munitions at a later date.

Orangeworm is a group of attackers who are purposefully targeting
organizations in select industries.  The healthcare industry has accounted
for 39.8% of the total attacks launched by this group, with 17% of those
attacks targeted U.S based healthcare organizations.  This group is also
targeting suppliers of hospitals such as consultancies, device manufacturers
and IT organizations.
  

The motivation of this attack and the allegiance of this group is currently
unknown.  Attempts to identify the group are underway but little progress
has been made.  It is premature to speculate if the group is part of a
nation-state, organized criminal element or terrorist group.  What is
known is that the group is selectively targeting organizations in healthcare
and specific medical devices within the organization.
 

Orangeworm is based on the Kwampris malware which was first introduced in
2015.  The group has evolved this trojan adding polymorphic capabilities
to how it establishes command and control.  Currently the attack is
launched against a medical device and the payload performs reconnaissance of
the medical device as well as the network.  Information related to the
network and the devices then appears to be sent to a variety of command and
control servers.  To date there is no indication that the attack
exfiltrates patient data or images, but it does appear that intelligence is
sent to the attackers.  Further there is no indication that this attack
alters the state of the device.
 

ITEMS TO CONSIDER 

This attack has gained a good amount of momentum in the past weeks.  Given
the tactics employed by the attackers we believe they are performing advanced
staging for additional attacks and compromise.  This could be part of a
criminal organization who intends to utilize this vector as a
espionage-as-a-service program or a terrorist organization who may employ cyber-munitions
at a later date.
  


  

1. Medical Device Exposure Assessment – It is critical to determine what
devices are external facing and validate who they are communicating with. 
It is also important to understand the operating system running the device as
this attack seems to target Windows based systems.
 

2. Monitor Device Operations – It is important that you educate clinical
engineering teams in regard to this threat.  Any reported anomaly
(rebooting, slowness, change in behavior) should be reported to your IT
Security team.
  

3. Supply Chain Considerations – You should reach out to your supply chain
partners in order to understand their awareness of this threat.  In many
cases the payload is being delivered through a supply chain interaction. 
Medical device manufacturers are not the only ones being targeted by this
group.  This attack is compromising IT vendors who commonly work with
hospitals.
 

4. Network SMB Shares – You must review your SMB shares and assure that you are
minimizing exposure.  Assure that any required shares are correctly
patched, and you have appropriate security controls in place.
  

5. Windows XP – If you have any Windows XP (HIM, RIS, Lab, RCM, Faxing, etc.)
in your environment, you should take extreme note of this attack.  This
attack is extremely friendly to Windows XP environments.
  

6. Log Analysis – You should examine logs for communication to C&C
servers.  If you would like a list of those servers, please contact
Sensato at info@sensato.co
 
As with any briefing, it is important that you validate this information as
things change quickly and your environment, resources and challenges cannot be
considered when information of this nature is presented. 

   


  

What should we tell executives?

 Executives should be advised that Orangeworm may create a
resource challenge as you attempt to validate the right strategy.  That
this attack does create challenges for the organization overall but it is a
targeted and selective attack at this point.      

We would also recommend advising executives that there is a heightened sense of
risk due to the number of devices affected and challenges regarding the right
strategy.

 

How prevalent is the threat?    

The attack is selective with the majority of attacks being against U.S based
healthcare providers.  This creates heightened risk for U.S hospitals and
suppliers.
  

What is the real risk to healthcare?
  

Healthcare organizations are especially vulnerable due to the focused nature of
this attack.  We believe this attack will expand to include VOIP, HVAC, O2
Systems and other IOT devices.  You should take this attack seriously.
  

What if we become a victim?

  

1. Determine the attackers point of entry as quickly as possible and close that
access point. 

2. Activate IR Team 

3. Consider isolation of the affected system
or segment. 

4. Remove patients from affected devices. 

5. Notify FBI, DHS, FDA
and Sensato immediately.  

6. Preserve evidence.
  

What is the impact to humans and operations?
  

If you are attacked there is currently no known impact to the device. 
That stated, we would highly urge you to remove the device from you network and
isolate the device from patient care and other devices. 

    

Where can we get further details?

 
The Sensato-CTOC can provide further details as they become available. 
Please contact your Sensato primary point of contact if you require any
assistance or email us at

 

 

Sensato
Sensato is a cybersecurity solutions provider with expertise in risk assessments, penetration testing, strategic guidance and software. A recognized innovator, Sensato developed the first Security Operations Center specifically for healthcare in 2016 as well as founded the Medical Device Cybersecurity Task Force which is helping to foster new approaches to keep medical devices secure and protect patient lives. Recognized twice as one of the top-500 Most Innovative Cybersecurity Companies in the World, Sensato is also the 2016 Frost and Sullivan Visionary Leader in Healthcare Cybersecurity.
More from sensato:
Cybersecurity Awareness Month Recap - Resources and Tips
October was National Cybersecurity Awareness Month which is meant to put a spotlight and focus on cybersecurity education and taking action to protect yourself and your organization from a cyberattack. Here’s a roundup of some of the top things we shared in October.
Four New Phishing Tactics to Watch Out For
By now most healthcare organizations perform cybersecurity awareness training and their staff are on the lookout for phishing emails. Cyber attackers are getting more savvy, however and are coming up with new phishing techniques that are harder to spot. Below are some examples of these new tactics and how to spot them.
Real-time Review of Oklahoma State University Cybersecurity Breach
Healthcare organizations that are victims of a cyberattack are reported daily. Reviewing OCR findings to identify actions you can take to protect your organization from similar attacks is a good best practice. Here is a review of the OSU breach to use as an example.
No items found.
Contact Us
Blog
Press
Privacy Policy
© CLOUDWAVE Sensato Cybersecurity