Publication Date: April 24, 2018
Update Date: April 24, 2018
A cyber-attack group known as Orangeworm is reportedly targeting healthcare organizations in the US, Europe and Asia with malware known as Kwampirs. The group was first identified in 2015, when it was reported to have conducted targeted attacks against organizations in related industries, such as healthcare providers, pharmaceutical companies, IT solution providers for healthcare and equipment manufacturers. At the time of this advisory, 40 percent of Orangeworm's confirmed target organizations operate within the healthcare sector, and 17 percent of those healthcare organizations were located in the US.
Once Orangeworm has infiltrated a victim's network, the group deploys Trojan.Kwampirs, a backdoor malware program that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detection, so the file hash of each dropped copy differs. To ensure persistence, Kwampirs creates a service with the following configuration so that the main payload is loaded into memory upon system reboot:
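As an added illustration (not from this advisory or from Philips), the Python below models why the random-string insertion described above defeats a whole-file hash indicator, and shows two content-based checks that still match the mutated copy. The payload bytes, markers and hypothetical function names are constructed placeholders, not real Kwampirs artefacts.

```python
import hashlib
import os

# Constructed stand-in for the extracted DLL payload; not real Kwampirs bytes.
HEADER = b"MZ\x90\x00\x03\x00"
BODY = b"\x41" * 64
TAIL = b"CONSTRUCTED_TAIL_MARKER"
BASE_PAYLOAD = HEADER + BODY + TAIL
MARKERS = [HEADER, TAIL]


def insert_random_string(payload: bytes, length: int = 8) -> bytes:
    """Model the described mutation (random bytes spliced into the midpoint
    before the payload is written to disk); used here only to build test input."""
    mid = len(payload) // 2
    return payload[:mid] + os.urandom(length) + payload[mid:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_ioc_match(sample: bytes, known_hashes: set) -> bool:
    """Whole-file hash IoC: matches only a byte-identical copy."""
    return sha256_hex(sample) in known_hashes


def ordered_marker_match(sample: bytes, markers: list) -> bool:
    """Content signature: every marker must appear, in order, at non-overlapping
    positions. Survives insertions that do not land inside a marker."""
    pos = 0
    for marker in markers:
        idx = sample.find(marker, pos)
        if idx < 0:
            return False
        pos = idx + len(marker)
    return True


def edge_region_hash(sample: bytes, head: int = 6, tail: int = 23) -> str:
    """Hash only the head and tail regions, which a midpoint insertion leaves
    untouched, instead of the whole file."""
    return sha256_hex(sample[:head] + sample[-tail:])


def demo() -> dict:
    known = {sha256_hex(BASE_PAYLOAD)}          # hash IoC taken from the first sample
    variant = insert_random_string(BASE_PAYLOAD)  # second dropped copy
    return {
        "hash_matches_variant": hash_ioc_match(variant, known),
        "markers_match_variant": ordered_marker_match(variant, MARKERS),
        "region_hash_stable": edge_region_hash(variant) == edge_region_hash(BASE_PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The stable-region and ordered-marker checks stand in for the section-level or rule-based signatures (for example YARA-style rules) a defender would use when per-sample file hashes are known to vary.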
In the second quarter of 2016, Philips was contacted by security researchers regarding potential security vulnerabilities with the Philips Xper-IM Connect system. As part of our Responsible Disclosure policy and processes, Philips has been in collaboration with the security researchers investigating this issue to promptly and transparently address the identified vulnerabilities in the Xper-IM Connect system.
The joint analysis by Philips and the researchers determined that Xper-IM Connect systems running on the unsupported Windows XP operating system and outdated product software were vulnerable to a number of potential exploits which, if carried out, could result in a remote attacker gaining access to an affected system.
The Philips product security team was able to confirm that all of the reported vulnerabilities in the Xper-IM Connect system are remediated by upgrading to the minimum specification of Windows 2008 Server or the recommended specification of Windows 2008 Server R2 and then applying a new product software version (Xper-IM Connect Version 1.5 Service Pack 13). We are providing recommendations and contact information in order to help any affected customers using a potentially affected Xper-IM Connect System address the issue and correct any affected systems as rapidly as possible.
Both Philips and the security researchers contributed to a joint disclosure to the U.S. Department of Homeland Security’s NCCIC/ICS-CERT organization, which was the source for that body’s Medical Device Advisory concerning this issue.
Philips is committed to ensuring the security and integrity of our products. Philips takes this matter very seriously. While any potential or identified security vulnerabilities are a concern, at this time we are not aware of any customers or patients that have been directly affected by this issue.
Philips Healthcare is aware of the SSLv3 POODLE security vulnerability. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. This site will be updated once a solution is available for any affected product(s).
Philips manufactures, and helps customers maintain, highly complex medical devices and systems. Per policy, only Philips-authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips’ explicit published direction.
Philips Healthcare is aware of the OpenSSL ‘heartbleed’ security vulnerability. The vulnerability (assigned CVE-2014-0160) impacts OpenSSL versions 1.0.1 – 1.0.1f. The effect of this vulnerability on Philips healthcare products and services is being investigated by the Philips engineering and product security teams. Customers will be notified once a solution is available for any affected product(s).
For our Remote Service solution (PRS), we have reviewed all of our customer-facing interfaces and VPN connections to our customer facilities, and can confirm that these are not affected by the Heartbleed issue.
As part of our continued attention to your security needs, Philips Healthcare wishes to bring to your attention that Microsoft has discontinued support for the Microsoft Windows XP Operating System, following April 8, 2014.
Where feasible, Philips Healthcare has been developing solutions for products running Windows XP to address continuity of protection against known and emerging security threats and vulnerabilities.
To this end, Philips Healthcare will provide product-specific Statements to assist customers. Where applicable, these Product Statements may provide upgrade or field change order information.