Healthcare cybersecurity experts from Cynerio and Rubicon Labs commented below on Orangeworm, a cyber crime group that is targeting the health sector and related industries in the US, Europe and Asia in a suspected corporate espionage campaign. Orangeworm has been observed deploying a custom backdoor known as Trojan.Kwampirs within large international organizations, researchers at Symantec have discovered. The targeted organizations include healthcare providers, pharmaceutical firms, IT service providers for healthcare, and equipment manufacturers that serve the healthcare industry.
Leon Lerman, CEO at Cynerio:
“We’re seeing the unfolding of one of the most dangerous scenarios for connected healthcare. A persistent and polymorphic worm that is specifically adapted to exploiting unprotected network shares in old Windows networks – which are very common in medical devices. This threat is attacking mission-critical devices such as MRI machines and is able lurk inside these devices, perform lateral movement within the network and download additional malicious functionality as per the attacker’s choice.
The fact that this threat was most successful in healthcare systems brings to light some of the biggest pain points in the security posture of this industry today: unpatched devices, permissive network configurations and a complete lack of visibility and control over medical devices, their servers and their network peers.”
Rod Schultz, Chief Product officer at Rubicon Labs:
“Legacy operating systems will always be a rich attack surface for well-constructed viruses like Orangeworm. These older systems have well-understood and, many times, documented flaws that are exploited by these viruses. The verticals being attacked seem to be a direct indicator of who is using this outdated technology. As long as there is something to be stolen from these devices, older operating systems executing in a modern environment will continue to encounter this type of profiteering and attacks.”