Publication Date:  April 24, 2018

Update Date: April 24, 2018

 

Overview

A known cyber-attacker group known as Orangeworm is reportedly targeting US, Europe and Asia healthcare organizations with malware known as Kwampirs.  The group was identified in 2015 when it was reported to have conducted targeted attacks against organizations in related industries, such as healthcare providers, pharmaceutical, IT solutions providers for healthcare and equipment manufacturers. At the time of this advisory, 40 percent of Orangeworm's confirmed target organizations operate within the healthcare sector and 17 percent of the healthcare organizations were located in the US.

 

Technical details

Once Orangeworm has infiltrated a victim's network, they deploy Trojan.Kwampirs, a backdoor malware program that provides attackers with remote access to a compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle to the decrypted payload in an attempt to evade hash-based detections. To ensure persistence, Kwampirs creates a service with the following configuration to ensure that the main payload is loaded into memory upon system reboot:

The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings. The Kwampirs backdoor Trojan then attempts to aggressively copy itself across open network shares to infect other computers.

 

What you can do

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips products are implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.  If a product does require updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.

 

Industry best practice for network security and defense (Please ensure these are in accordance with your product documentation):

 

  • Employ regular updates to applications and the host operating system to ensure protection against known vulnerabilities. 
  • Implement a least-privileges policy on the Web server to: 

       o Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts. 

       o Control creation and execution of files in particular directories. 

  • If not already present, consider deploying a demilitarized zone (DMZ) between the Web-facing systems and corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity. 
  • Ensure a secure configuration of Web servers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials. 
  • Utilize a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones. 
  • Establish, and backup offline, a “known good” version of the relevant server and a regular change-management policy to enable monitoring for alterations to servable content with a file integrity system. 
  • Employ user input validation to restrict local and remote file inclusion vulnerabilities. 
  • Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero day attacks, it will highlight possible areas of concern

Customers entitled by service-contract to use Philips InCenter are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter. All customers with and without service contracts are encouraged to contact their local service support team or regional product service support as needed for current information specific to their products or Philips deployed installations as information becomes available.