

Just when you thought hacking attacks against healthcare facilities couldn’t get any worse, a new group dubbed “Orangeworm” is targeting X-ray machines and magnetic resonance imaging machines for data theft.
According to Symantec, Orangeworm is planting the Kwampirs “backdoor” remote-access software on medical computers in order to steal information from healthcare providers in the U.S., Europe and Asia. Unlike ransomware, the attacks are highly targeted. As Symantec puts it, “The group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”
The supply chain attacks on healthcare providers, pharma companies and information technology solution providers and equipment makers for the medical sector first emerged in January 2015. Recently they’ve escalated, with secondary targets including manufacturing, information technology, agriculture and logistics.
“Due to the fact that the attacks attempted to keep infections active for long periods of time on these devices, it’s more likely the group are interested in learning how these devices operate,” Symantec researcher Alan Neville explained. “We have not collected any evidence to suggest the attackers have planned to perform any sabotage type activities at this time.”
Kwampirs, which gives the attackers remote access to the compromised computer, decrypts and extracts a copy of its Dynamic Link Library (a type of file containing instructions that other programs can call to perform certain tasks) from its resource section. Before writing this payload to disk, it inserts a randomly generated string into the middle of the decrypted payload, so that every dropped copy has a different file hash, in an attempt to evade hash-based detections.
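As an added illustration that is not part of the article or of Symantec's analysis, the following Python script simulates the evasion just described with constructed, harmless byte strings: it shows why a whole-file hash from one sample misses every later variant, while a signature on the bytes that never change still matches all of them. The payload bytes and pattern names are stand-ins, not real Kwampirs artifacts.

```python
import hashlib
import os

# Constructed stand-in for a dropped payload: invariant bytes on either side
# of the point where the sample splices in a random string. Not real malware.
STABLE_HEAD = b"MZ\x90\x00stable-loader-bytes-0001"
STABLE_TAIL = b"stable-config-bytes-0001-END"


def make_variant(head: bytes, tail: bytes, junk_len: int = 16) -> bytes:
    """Simulate the per-infection variation: a random string inserted into
    the middle of the payload, so each call yields a different file image."""
    return head + os.urandom(junk_len) + tail


def file_hash(blob: bytes) -> str:
    """Whole-file SHA-256, the classic hash-based indicator of compromise."""
    return hashlib.sha256(blob).hexdigest()


def signature_match(blob: bytes, patterns: list[bytes]) -> bool:
    """Content signature: every invariant byte pattern must be present,
    whatever sits between them (the way a YARA-style rule would match)."""
    return all(p in blob for p in patterns)


def evaluate(n: int = 5) -> dict:
    """Generate n variants and compare the two detection approaches.
    Returns how many variants each approach catches plus the number of
    distinct whole-file hashes observed."""
    variants = [make_variant(STABLE_HEAD, STABLE_TAIL) for _ in range(n)]
    reference = file_hash(variants[0])      # hash taken from the first sample seen
    patterns = [STABLE_HEAD, STABLE_TAIL]   # invariant bytes taken from that sample
    return {
        "hash_hits": sum(file_hash(v) == reference for v in variants),
        "signature_hits": sum(signature_match(v, patterns) for v in variants),
        "distinct_hashes": len({file_hash(v) for v in variants}),
    }


if __name__ == "__main__":
    # Expect one hash hit (the reference itself), n signature hits, n distinct hashes.
    print(evaluate())
```

The practical takeaway for defenders is to pair file hashes with content or behaviour based indicators, since a hash only identifies the one copy it was taken from.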
Once in the door, Kwampirs then gathers data to send back to a command-and-control server, including information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives and files present on the compromised computer.
The motivation for the attack is interesting in the context of the ongoing Russian and Chinese hacking mania. Symantec doesn’t believe a nation-state actor is behind the attack, noting that it believes the attacks are likely conducted by an individual or a small group of people.