The cybercriminal group known as Orangeworm is once again targeting healthcare organizations, often acting through connected medical devices. The FBI released a Private Industry Notification (PIN) stating that the group was using Kwampirs Remote Access Trojan (RAT) to access healthcare networks. As the industry faces this threat, it’s imperative that healthcare leadership enact strong data loss prevention strategies.
Understanding the Data Threat
Orangeworm was first discovered in 2015. The group primarily targets organizations in the healthcare industry, including medical equipment manufacturers, pharmaceutical companies, healthcare providers, and associated IT companies. The largest portion of the cybercriminal group’s targets has been in the United States, making up 17% of victims. The identity of the Orangeworm group is currently unknown.
As the FBI’s PIN states, the malicious actors are often accessing healthcare networks through connected medical devices. The group uses software typically found on x-ray and MRI machines as an entry point. Vendor software and hardware supply chains are a common vector for cyberattacks, and these products can be vulnerable when not monitored closely.
Cybercriminals execute this type of attack in two stages. They will typically install or update an application in the software, using it as a way to drop a dynamic link library (DLL) into the network. This process is called DLL hijacking, and it essentially allows the attacker to run scripts freely within the victim’s system. In the first phase, the hacker enumerates 200 C2 server URLs, searching for one that’s active. Once an active server is found, they can place the malicious scripts and payloads onto the target network. That is the second phase.
And the second phase doesn’t happen quickly.
Orangeworm is known for timing its attacks and moving slowly, and the second phase of this process can take between 3 and 36 months. This particular cybercriminal group tends to use certain events, like acquisitions and mergers, to time its attacks, so organizations that are undergoing these types of transitions might be extra vulnerable.
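As an added illustration (not from the FBI notification or the original post), the following Python sketch shows how a defender might spot the first-phase behavior described above in outbound proxy logs: a single host contacting a long list of distinct servers within a short window, with almost every attempt failing. The log format, host names, domain names and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src host> <dest host> <http status>".
# A "000" status means the connection never completed (what a dead candidate server looks like).
def make_sample_log():
    lines = []
    base = datetime(2020, 4, 1, 10, 0, 0)
    # Imaging workstation (constructed name) probing 40 candidate servers, only the last one alive.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        status = "200" if i == 39 else "000"
        lines.append(f"{ts} xray-ws-07 c2-candidate-{i:03d}.example {status}")
    # Ordinary workstation (constructed name): repeated successful requests to a few intranet hosts.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} admin-pc-02 intranet-{i % 3}.example 200")
    return lines

def parse_line(line):
    ts, src, dst, status = line.split()
    return datetime.fromisoformat(ts), src, dst, status

def find_enumerating_hosts(lines, window=timedelta(minutes=5),
                           min_distinct=20, min_fail_ratio=0.8):
    """Return {src_host: max distinct destinations seen in any window that crossed both thresholds}."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, status = parse_line(line)
        by_src[src].append((ts, dst, status))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {dst for _, dst, _ in span}
            failed = sum(1 for _, _, st in span if st == "000")
            if len(distinct) >= min_distinct and failed / len(span) >= min_fail_ratio:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for host, count in find_enumerating_hosts(make_sample_log()).items():
        print(f"{host}: {count} distinct destinations, mostly failed; review this host")
```

The thresholds are deliberately coarse; tune them against your own baseline of normal device traffic before relying on the alert.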
Recommendations to Engineers
Engineers working for manufacturing companies and healthcare providers need to take extra precautions to safeguard systems against this cybersecurity attack. Here are our main recommendations, which are in line with the recommendations in the FBI notification:
- Set Backups: Engineers need to have “offline” backups of the server. This backup should show the “known good” version of the relevant server.
- Update: Frequently update software applications and host operating systems.
- Create Restrictions: Engineers should disable every unnecessary service and port, limiting the number of network access points. This process can include whitelisting or blocking any external access to admin panels. You should also enable country blocking on all perimeter firewalls.
- Tighten Credentials: Engineers should stop using default credentials within the system, if they haven’t already. Implement a user input validation process, which will restrict remote and local file inclusion.
- Employ Safeguards: There are several systems that can add protection to the network. Engineers should deploy a demilitarized zone (DMZ) between the corporate network and web-facing systems. This limits all interaction between the two networks and makes it easier to identify potential malicious activity. A reverse proxy, or similar service, can also be useful in restricting all URL paths to known paths exclusively.
While engineers implement the above recommendations, it’s important to review anti-virus policies with your teams. Update these policies regularly to keep up with present threats, such as new variants of Kwampirs. These types of threats can evolve quickly, so be sure to stay updated on cybersecurity news and updated FBI notifications.
Recommendations to Leadership
Leaders in healthcare organizations should work with their IT departments to strengthen program security. Our primary recommendations include:
- Check for Vulnerabilities: Leadership needs to prioritize threat and vulnerability management at all times, but especially when facing a specific threat like Orangeworm. IT teams should conduct regular vulnerability scans to spot risk areas. It’s also important to perform frequent risk assessments and document your risk management plan in detail.
- Develop Strong Policies: Organizations should implement the principle of least-privilege within their network, meaning all users have the minimum amount of access possible. It’s also important to have a change management policy that allows you to monitor for alterations in software and networks. Your organization should have a strong business associate security and lifecycle management program.
- Manage Software: Updating and backing up connected medical devices at risk can boost security within your organization. A strong disaster recovery policy will require critical system backups to prevent widespread data loss. Organizations should also consider running security applications on connected medical devices. An Endpoint Detection and Response program can be helpful as well.
Even if your organization hasn’t experienced IoT device hackers firsthand, it’s important to take the threat seriously. Orangeworm is targeting the healthcare industry, so now is the time to prepare. Strengthen policies, scan for vulnerabilities, and implement necessary security software to prevent these attacks. Work with IT leadership to know the signs of the Kwampirs attack, so you can act quickly if it does occur.
The potential of a network attack can be frightening, which is why it’s crucial to stay a step ahead of the cybercriminals by partnering with a security service provider who is tuned in to industry threats and best practices.