FBI Warns of 'Kwampirs' Malware Supply Chain AttacksSeveral Sectors, Including Healthcare, Are Still Being Targeted
The FBI has issued an alert reminding the healthcare sector and other industries about the ongoing threat of Kwampirs malware attacks on the supply chain.
Since at least 2016, the FBI says it’s observed an advanced persistent threat group conducting a global network exploitation campaign using the Kwampirs remote access Trojan, or RAT. ”This information, along with previously released FBI Liaison Alert System (FLASH) messages, is intended to enhance the network defense posture of public and private partners,” the new alert notes.
The FBI sent similar Kwampirs alerts in January and February, but the latest reminder comes during the ramping up of the battle against the COVID-19 pandemic (see Managing Supply Chain Challenges During the COVID-19 Crisis).
”The Kwampirs RAT is a modular RAT worm that gains system access to victim machines and networks, with the primary purpose of gaining broad, yet targeted, access to victim companies to enable follow-on computer network exploitation activities,” the FBI writes.
“Through victimology and forensic analysis, the FBI found heavily targeted industries include healthcare, software supply chain, energy and engineering across the United States, Europe, Asia and the Middle East. Secondary targeted industries include financial institutions and prominent law firms.”
The Kwampirs RAT has not incorporated a wiper or destructive module components, the FBI says. Through comparative forensic analysis, however, the FBI determined that the campaign has several code-based similarities to the data destruction malware Disttrack, commonly known as Shamoon.
Targeting the Healthcare Sector
The FBI’s warning notes that Kwampirs attacks against global healthcare entities “have been effective, gaining broad and sustained access to targeted entities.” These targets range from major transnational healthcare companies to local hospital organizations, the bureau writes.
“The scope of infections has ranged from localized infected machines to enterprise infections,” according to the FBI. “During these campaigns, the Kwampirs RAT performed daily command-and-control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware.”
Those waging the Kwampirs campaign gained access to a large number of hospitals around the world through the vendor software supply chain and hardware products, the FBI says. “Infected software supply chain vendors included [those that make] products used to manage industrial control system assets in hospitals,” it points out.
The threat of Kwampirs malware persists at a time when many healthcare organizations are struggling with their response to the coronavirus outbreak and dealing with such issues as rapid expansion of telehealth services and the need for many workers to work from home.
Back in 2018, the security firm Symantec reported that large healthcare companies in the U.S., Europe and Asia were getting hit with a Kwampirs backdoor that came from a long-observed group, which the security firm dubbed Orangeworm.
Former healthcare CISO Mark Johnson, who leads the healthcare practice at consulting firm LBMC Information Security, says healthcare organizations that lack a SOC may not even know if they are affected by Kwampirs. “This attack has been classified by the FBI as an APT. For the most part, the purpose of APTs is to gather information and exfiltrate it,” he adds.
The FBI notes that the Kwampirs malware campaign employs a two-phased approach.
“The first phase establishes a broad and persistent presence on the targeted network, to include delivery and execution of secondary malware payload(s). The second phase includes the delivery of additional Kwampirs components or malicious payload(s) to further exploit the infected victim host(s).”
The APT group using Kwampirs has successfully sustained a persistent presence on victim networks for three to 36 months and deployed a targeted secondary module, which performs detailed reconnaissance, according to the FBI.
If an attacker chooses to leverage an existing, undiscovered compromise by loading a malicious payload rather than gathering data, “the potential impact here could be devastating in these unprecedented times,” Johnson warns. “Imagine a hospital on the front lines, say in a hot spot, suddenly dealing with a ransomware [or other malware] event. You can only imagine the cost in human and monetary terms.”
Elad Shapira, head of research at security vendor Panorays, notes that the COVID-19 situation provides cybercriminals with new opportunities to profit.
“From the attackers’ perspective, targeting healthcare industries and their related companies, hospitals and organizations is an attractive option specifically because there's an increased chance that these organizations will be willing to pay large sums to avoid disruptions,” he says.
Shapira notes that while Kwampirs usually uses a fairly aggressive means to propagate itself once inside a victim's network, it’s possible to prevent this with an advanced endpoint detection response solution. “Since the code of this backdoor is usually reused, it’s important to look for hidden file shares across end points and to also monitor outgoing network traffic,” he says.
”In the past the Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-ray and MRI machines. However, it’s not practical to win the fight by detecting it on these kinds of end devices,” he says.
”Instead, it’s better to pick the low-hanging fruits from regular end points and network monitoring. This way, companies can focus on decreasing the infections in a small number of stations before it spreads to become a greater problem.”
The FBI alert suggests a number of best practices for entities to bolster their network security and defense.
That includes implementing a least-privileges policy on the Web server; deploying a demilitarized zone between the web-facing systems and corporate network; blocking external access to administration panels; and not using default login credentials.
If an organization detects a Kwampirs RAT infection is detected, the FBI recommends it takes several information-gathering steps to help with investigations, including capturing:
- Network traffic in PCAP format from the infected host(s) for 48 hours;
- Image and memory of infected hosts;
- Web proxy logs, including cache of the Web proxy;
- DNS and firewall logs;
- Identification and description of hosts communicating with the command-and-control server;
- Identification of “patient zero” of the malware infection and attack vectors.