April 24, 2018

Orangeworm Threat Intelligence Briefing

Orangeworm is a group of attackers who are purposefully targeting organizations in select industries. The healthcare industry has accounted for 39.8% of the total attacks launched by this group, with 17% of those attacks targeting U.S.-based healthcare organizations. This group is also targeting suppliers of hospitals such as consultancies, device manufacturers and IT organizations.

The motivation behind this attack and the allegiance of this group are currently unknown. Attempts to identify the group are underway, but little progress has been made. It is premature to speculate whether the group is part of a nation-state, an organized criminal element or a terrorist group. What is known is that the group is selectively targeting organizations in healthcare, and specific medical devices within those organizations.

Orangeworm is based on the Kwampirs malware, which was first introduced in 2015. The group has evolved this trojan, adding polymorphic capabilities to how it establishes command and control. Currently the attack is launched against a medical device, and the payload performs reconnaissance of the medical device as well as the network. Information about the network and the devices then appears to be sent to a variety of command and control servers. To date there is no indication that the attack exfiltrates patient data or images, but it does appear that intelligence is sent to the attackers. Further, there is no indication that this attack alters the state of the device.

ITEMS TO CONSIDER 

This attack has gained a good amount of momentum in the past weeks. Given the tactics employed by the attackers, we believe they are performing advanced staging for additional attacks and compromise. This could be part of a criminal organization that intends to utilize this vector as an espionage-as-a-service program, or a terrorist organization that may employ cyber-munitions at a later date.

THINGS TO DO   

1. Medical Device Exposure Assessment – It is critical to determine which devices are external facing and to validate who they are communicating with. It is also important to understand the operating system running on each device, as this attack seems to target Windows-based systems.

2. Monitor Device Operations – It is important that you educate clinical engineering teams about this threat. Any reported anomaly (rebooting, slowness, change in behavior) should be reported to your IT Security team.

3. Supply Chain Considerations – You should reach out to your supply chain partners in order to understand their awareness of this threat.  In many cases the payload is being delivered through a supply chain interaction.  Medical device manufacturers are not the only ones being targeted by this group.  This attack is compromising IT vendors who commonly work with hospitals.  

4. Network SMB Shares – You must review your SMB shares and ensure that you are minimizing exposure. Ensure that any required shares are on correctly patched systems and that you have appropriate security controls in place.

5. Windows XP – If you have any Windows XP systems (HIM, RIS, Lab, RCM, Faxing, etc.) in your environment, you should take extreme note of this attack. This attack spreads very readily in Windows XP environments.

6. Log Analysis – You should examine logs for communication to C&C servers. If you would like a list of those servers, please contact Sensato at info@sensato.co.

As with any briefing, it is important that you validate this information, as things change quickly and your environment, resources and challenges cannot be taken into account when information of this nature is presented.
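The log review in items 1, 4 and 6 can be scripted. The following added example (not Sensato's tooling) triages constructed firewall log lines for two signals: destinations on a C&C watchlist, and SMB (TCP 445) connections leaving the medical-device segment. The log format, the device subnet and the watchlist entries are constructed placeholders; substitute the real C&C list obtained from Sensato.

```python
import ipaddress
import re

# Added example, not Sensato tooling. Watchlist, subnet and log format are
# constructed placeholders; Sensato supplies the real C&C list on request.
CC_WATCHLIST = {"cc-placeholder.example", "203.0.113.10"}   # placeholder indicators
DEVICE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")        # constructed device VLAN

# Constructed log format: "<ts> src=<ip> dst=<ip|host> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def in_segment(addr):
    """True if addr is an IP inside the device segment; hostnames never are."""
    try:
        return ipaddress.ip_address(addr) in DEVICE_SEGMENT
    except ValueError:
        return False

def triage(lines):
    """Return (cc_hits, smb_egress): records whose destination is on the C&C
    watchlist, and SMB (445) connections from the device segment to outside it."""
    cc_hits, smb_egress = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole review
        if rec["dst"].lower().rstrip(".") in CC_WATCHLIST:
            cc_hits.append(rec)
        if rec["dport"] == 445 and in_segment(rec["src"]) and not in_segment(rec["dst"]):
            smb_egress.append(rec)
    return cc_hits, smb_egress

SAMPLE_LOG = [  # constructed sample lines
    "2018-04-23T10:01:02Z src=10.20.0.15 dst=10.20.0.2 dport=445 proto=tcp",
    "2018-04-23T10:01:09Z src=10.20.0.15 dst=198.51.100.7 dport=445 proto=tcp",
    "2018-04-23T10:02:44Z src=10.20.0.31 dst=cc-placeholder.example dport=443 proto=tcp",
    "2018-04-23T10:03:00Z src=10.30.0.5 dst=203.0.113.10 dport=80 proto=tcp",
    "malformed line that should be skipped",
]
```

Running `triage(SAMPLE_LOG)` on the constructed lines flags two watchlist contacts and one SMB connection leaving the device segment; the in-segment SMB line and the malformed line are ignored.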


THINGS TO KNOW   

What should we tell executives?

Executives should be advised that Orangeworm may create a resource challenge as you attempt to validate the right strategy, and that while this attack does create challenges for the organization overall, it is a targeted and selective attack at this point.

We would also recommend advising executives that there is a heightened sense of risk due to the number of devices affected and challenges regarding the right strategy.


How prevalent is the threat?    

The attack is selective, with the majority of attacks being against U.S.-based healthcare providers. This creates heightened risk for U.S. hospitals and suppliers.

What is the real risk to healthcare?   

Healthcare organizations are especially vulnerable due to the focused nature of this attack. We believe this attack will expand to include VoIP, HVAC, O2 systems and other IoT devices. You should take this attack seriously.

What if we become a victim?   

1. Determine the attacker's point of entry as quickly as possible and close that access point.

2. Activate the IR team.

3. Consider isolation of the affected system or segment. 

4. Remove patients from affected devices. 

5. Notify FBI, DHS, FDA and Sensato immediately.  

6. Preserve evidence.   

What is the impact to humans and operations?   

If you are attacked, there is currently no known impact to the device. That stated, we would highly urge you to remove the device from your network and isolate it from patient care and other devices.


Where can we get further details?

The Sensato-CTOC can provide further details as they become available. Please contact your Sensato primary point of contact if you require any assistance, or email us at info@sensato.co.
