The FBI has issued an alert reminding the healthcare sector and other industries about the ongoing threat of Kwampirs malware attacks on the supply chain. Since at least 2016, the FBI says it's observed an advanced persistent threat group conducting a global network exploitation campaign using the Kwampirs remote access Trojan, or RAT. "This information, along with previously released FBI Liaison Alert System (FLASH) messages, is intended to enhance the network defense posture of public and private partners," the new alert notes.
The FBI sent similar Kwampirs alerts in January and February 2020, but the latest reminder comes during the ramping up of the battle against the COVID-19 pandemic. "The Kwampirs RAT is a modular RAT worm that gains system access to victim machines and networks, with the primary purpose of gaining broad, yet targeted, access to victim companies to enable follow-on computer network exploitation activities," the FBI writes.
"Through victimology and forensic analysis, the FBI found heavily targeted industries include healthcare, software supply chain, energy and engineering across the United States, Europe, Asia and the Middle East. Secondary targeted industries include financial institutions and prominent law firms."
The Kwampirs RAT has not incorporated a wiper or destructive module components, the FBI says. Through comparative forensic analysis, however, the FBI determined that the campaign has several code-based similarities to the data destruction malware Disttrack, commonly known as Shamoon.
The FBI's warning notes that Kwampirs attacks against global healthcare entities "have been effective, gaining broad and sustained access to targeted entities." These targets range from major transnational healthcare companies to local hospital organizations, the bureau writes.
"The scope of infections has ranged from localized infected machines to enterprise infections," according to the FBI. "During these campaigns, the Kwampirs RAT performed daily command-and-control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware."
Those waging the Kwampirs campaign gained access to many hospitals around the world through the vendor software supply chain and hardware products, the FBI says. "Infected software supply chain vendors included [those that make] products used to manage industrial control system assets in hospitals," it points out.
The threat of Kwampirs malware persists at a time when many healthcare organizations are struggling with their response to the coronavirus outbreak and dealing with such issues as rapid expansion of telehealth services and the need for many workers to work from home.
In 2018, the security firm Symantec reported that large healthcare companies in the US, Europe and Asia were getting hit with a Kwampirs backdoor that came from a long-observed group, which the security firm dubbed Orangeworm. Cybersecurity investigators stated that some healthcare organizations that lack a CISO or CSO may not even know if they are affected by Kwampirs. The FBI has classified these attacks as Advanced Persistent Threats (APTs) aimed at gathering information and exfiltrating it.
The FBI notes that the Kwampirs malware campaign employs a two-phased approach. The first phase establishes a broad and persistent presence on the targeted network, including delivery and execution of secondary malware payload(s). The second phase includes the delivery of additional Kwampirs components or malicious payload(s) to further exploit the infected victim host(s). The APT group using Kwampirs has successfully sustained a persistent presence on victim networks for three to 36 months and deployed a targeted secondary module, which performs detailed reconnaissance, according to the FBI.
If an attacker chooses to leverage an existing, undiscovered compromise by loading a malicious payload rather than gathering data, the potential impact here could be devastating in these unprecedented times. Consider a large hospital in a COVID-19 hot spot and having to deal with a ransomware [or other malware] event at a time when lives are at stake.
The COVID-19 situation provides cybercriminals with new opportunities to profit from the pandemic. Targeting the healthcare industry and its related companies, hospitals and organizations is an attractive option for hackers, because there is an increased probability that these organizations will be willing to pay large sums immediately to avoid disruptions. Kwampirs has used an aggressive method to propagate itself once inside a victim's network; it is possible to prevent this with an advanced endpoint detection and response solution. Because cyber analysts have observed that the code of this backdoor has been reused, it is important for defenders to look for hidden file shares across endpoints and to also monitor outgoing network traffic for exfiltration.
In earlier investigations, it was noticed that the Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-ray and MRI machines. Instead of analyzing these devices, cyber threat professionals suggest spending more time reviewing endpoints and anomalies in network monitoring reports. Using this method, organizations can focus on decreasing the infections in a small number of stations before it spreads to become a greater problem.
The FBI alert suggests several best practices for entities to bolster their network security and defense. These include implementing a least-privilege policy on the Web server, deploying a demilitarized zone between the web-facing systems and the corporate network, blocking external access to administration panels, and changing all default login credentials.
If an organization detects a Kwampirs RAT infection, the FBI recommends it take several information-gathering steps to help with investigations, including capturing:
- Network traffic in PCAP format from the infected host(s) for 48 hours;
- Image and memory of infected hosts;
- Web proxy logs, including cache of the Web proxy;
- DNS and firewall logs;
- Identification and description of hosts communicating with the command-and-control server;
- Identification of "patient zero" of the malware infection and attack vectors.
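As an added illustration (not part of the FBI alert or this post), the following Python shows how a defender could work through the last two collection steps above using the behaviour the FBI describes: find hosts that contacted hard-coded command-and-control addresses, pick out the daily beaconing pattern, and nominate a candidate "patient zero". The log format, hostnames and C2 indicator values are constructed placeholders, not real Kwampirs indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder indicators (constructed). Real Kwampirs IoCs come from the FBI FLASH, not from here.
C2_INDICATORS = {"203.0.113.10", "c2-placeholder.invalid"}

# Constructed firewall/proxy log lines: "<ISO timestamp> src=<host> dst=<ip-or-domain> bytes=<n>"
SAMPLE_LOGS = """\
2020-03-30T02:15:04 src=10.0.5.21 dst=203.0.113.10 bytes=1420
2020-03-30T09:41:12 src=10.0.5.21 dst=update.example.com bytes=88000
2020-03-31T02:14:58 src=10.0.5.21 dst=203.0.113.10 bytes=1388
2020-03-31T11:02:33 src=10.0.7.8 dst=c2-placeholder.invalid bytes=2100
2020-04-01T02:15:10 src=10.0.5.21 dst=203.0.113.10 bytes=1410
2020-04-01T14:30:01 src=10.0.9.3 dst=mail.example.com bytes=5300
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, bytes) for each well-formed log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def c2_contacts(log_text, indicators=C2_INDICATORS):
    """Map each internal host to the sorted timestamps at which it reached a known C2 indicator."""
    hits = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        if dst in indicators:
            hits[src].append(ts)
    return {host: sorted(times) for host, times in hits.items()}

def daily_beacons(contacts, tolerance_s=600):
    """Hosts whose C2 contacts recur at ~24h intervals (at least two consecutive gaps within tolerance)."""
    flagged = []
    for host, times in contacts.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - 86400) <= tolerance_s for g in gaps):
            flagged.append(host)
    return sorted(flagged)

def patient_zero(contacts):
    """Host with the earliest C2 contact: the starting point for the patient-zero hunt, not proof of it."""
    return min(contacts, key=lambda h: contacts[h][0]) if contacts else None

if __name__ == "__main__":
    contacts = c2_contacts(SAMPLE_LOGS)
    print("C2 contacts:", {h: len(t) for h, t in contacts.items()})
    print("Daily beacons:", daily_beacons(contacts))
    print("Candidate patient zero:", patient_zero(contacts))
```

A single matching destination only shows a contact; the periodic check is what separates a beacon from a one-off lookup, and the earliest contact in the retained logs is only a lead until the attack vector on that host is confirmed.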
Please consider joining InfraGard and taking advantage of its information and programs. InfraGard National is an FBI-affiliated nonprofit organization dedicated to strengthening national security, community resilience and the foundation of American life. InfraGard is one of the FBI's longest-running outreach programs and its largest public/private partnership, with over 60,000 members representing 77 InfraGard chapters nationwide. There is no charge for membership:
https://www.infragardnational.org/become-a-member/
Red Sky Alliance has been analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com. Interested in a RedXray demonstration or subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/redxray
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en