The FBI has issued an alert over a persistent Kwampirs malware campaign targeting the healthcare sector. The supply chain attacks on the healthcare sector deploy the Kwampirs Remote Access Trojan (RAT), which exploits network vulnerabilities of the targeted organization. This is the third time the FBI has warned of the campaign, after the agency released similar warnings in January and February this year. The FBI has been monitoring an advanced persistent threat actor using the Kwampirs RAT to exploit a global network since 2016. The FBI alert warns that the Kwampirs malware has already gained access to a large number of hospitals worldwide. Attacks involving the Kwampirs malware have intensified during the ongoing COVID-19 crisis.
Kwampirs malware targets the health sector
The healthcare sector has become an easy target for Kwampirs malware attacks because of the COVID-19 pandemic. At this moment, the health sector is rushing to expand telehealth services to cater to more patients. Similarly, many workers have been forced to work from home, which widens the attack surface available to the Kwampirs malware operators. Additionally, health organizations are more likely to pay to avoid the loss of life that disruptions during the COVID-19 pandemic would cause.
By conducting victimology and forensic analysis, the FBI also discovered that the Kwampirs malware targeted industries such as healthcare, software supply chain, energy, and engineering. The attacks spread across the United States, Europe, Asia, and the Middle East. Other industries that the Kwampirs malware targets include financial institutions and prominent law firms.
Targeting the healthcare sector at such a moment could lead to a massive loss of life. Infecting a hospital at the center of a major COVID-19 response could slow that response and lead to many deaths.
The warning coincided with assurances from some malware operators that they would avoid targeting the healthcare sector until the crisis is over. Experts had warned that, despite the assurances by a few malware operators, other groups would not honor such promises.
Healthcare sector supply chain attacks are the most persistent
According to the FBI, the Kwampirs malware reaches the healthcare sector through the software supply chain and hardware products of healthcare vendors. The FBI says that “Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.” Kwampirs malware infections have been detected on devices running software used to control high-tech imaging devices such as X-ray and MRI machines.
The organizations affected by the supply chain attacks range from major transnational healthcare companies to local hospital organizations.
Supply chain attacks are more effective because a single compromised vendor redistributes the malware to many organizations at once.
Carrying out supply chain attacks is also an ingenious method of infiltrating the healthcare sector, because the targeted devices are often not subject to rigorous security measures. Similarly, it becomes hard to dislodge the malware from such devices once the infection has taken place.
Operation of the Kwampirs malware
Kwampirs malware infection takes place in two phases. The first phase establishes a persistent presence on the targeted network. In the second phase, the Kwampirs malware delivers an additional malicious payload ready for execution. The Kwampirs malware could reside in the target network for between 3 and 36 months before any attack takes place. During this period, the malware conducts detailed reconnaissance of the host network. The attacker could then either gather data or exploit a known vulnerability discovered during the secondary infection.
During Kwampirs malware attacks, the RAT module performs regular command-and-control communications with malicious IP addresses and domains. These malicious endpoints are hard-coded in the malware, making it easy for IT security experts to track them.
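Because the C2 endpoints are hard-coded, a defender can match them against proxy or DNS logs and then look for the regular beaconing interval the article describes. The following is an added example, not code from the FBI alert; the indicators and log lines are constructed placeholders, and the log format is assumed.

```python
"""Flag hosts that reach known C2 endpoints and beacon at a near-constant interval."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder indicators (not real Kwampirs infrastructure);
# replace with the hard-coded endpoints published in the FBI alert.
C2_INDICATORS = {"203.0.113.10", "c2-placeholder.example"}

# Constructed proxy log lines, assumed format: "<timestamp> <client> <destination> <status>"
SAMPLE_LOG = """\
2020-04-01T10:00:00 10.1.1.5 c2-placeholder.example 200
2020-04-01T10:00:05 10.1.1.7 updates.example.org 200
2020-04-01T10:30:01 10.1.1.5 c2-placeholder.example 200
2020-04-01T10:45:09 10.1.1.9 203.0.113.10 200
2020-04-01T11:00:02 10.1.1.5 c2-placeholder.example 200
2020-04-01T11:30:00 10.1.1.5 c2-placeholder.example 200
2020-04-01T12:10:00 10.1.1.7 203.0.113.10 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, client, destination) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def c2_contacts(text):
    """Map each internal host to the timestamps at which it contacted a C2 indicator."""
    hits = defaultdict(list)
    for ts, client, dest in parse_log(text):
        if dest in C2_INDICATORS:
            hits[client].append(ts)
    return hits

def beaconing_hosts(text, min_hits=3, max_jitter=0.1):
    """Return {host: interval_seconds} for hosts whose C2 contacts recur at a steady cadence."""
    result = {}
    for client, stamps in c2_contacts(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread between contacts is the beacon signature; a single
        # contact (like 10.1.1.9 above) is still reported by c2_contacts for triage.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            result[client] = round(avg)
    return result
```

A host that touches an indicator only once still appears in c2_contacts, so both outputs are worth reviewing.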
The FBI notes that the Kwampirs operators have not incorporated a destructive module into the Kwampirs RAT. However, the bureau indicated that the Kwampirs malware has code-based similarities with the data destruction malware Disttrack, also known as Shamoon.
Apart from supply chain attacks, the threat could also be transferred through the software co-development process. The FBI has also observed malware transfer through mergers, where malware from one company was carried over to the other.
Mitigating the threats
Because the malware arrives through the supply chain, controlling the spread of the infection is harder: it is difficult to eliminate the threat by targeting the machines running the ICS. Elad Shapira, the head of research at security vendor Panorays, says that targeting the threats from regular endpoints is the best method to stop the spread of the malware. He also recommends conducting regular network monitoring as an effective method of addressing the threat.
The FBI advises healthcare organizations to implement a least-privilege policy on their web servers and to introduce a demilitarized zone (DMZ) between the corporate systems and the web-facing applications. Additionally, the bureau suggests disabling remote access to administration panels and avoiding the use of default authentication credentials. The bureau also recommends using a reverse proxy to restrict accessible URLs to only trusted sources. Organizations can also coordinate their threat mitigation activities with their local FBI field office.
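The reverse-proxy and administration-panel recommendations above, shown as an added nginx configuration that is not part of the FBI alert: the weak server block forwards every URL and leaves the admin panel reachable from anywhere, while the corrected block forwards only an allowlist of paths and confines the admin panel to an assumed management subnet. Hostnames, addresses and certificate paths are assumptions.

```nginx
# Weak: every URL is forwarded and the admin panel is reachable from any source.
server {
    listen 80;
    server_name portal.example.test;            # assumed hostname
    location / {
        proxy_pass http://10.20.0.15:8080;      # assumed application server
    }
}

# Corrected: proxy in the DMZ forwards only trusted paths; remote admin access is blocked.
server {
    listen 443 ssl;
    server_name portal.example.test;
    ssl_certificate     /etc/nginx/tls/portal.crt;   # assumed certificate paths
    ssl_certificate_key /etc/nginx/tls/portal.key;

    # Administration panel: only the management network may reach it.
    location /admin/ {
        allow 10.50.0.0/24;                     # assumed management subnet
        deny  all;
        proxy_pass http://10.20.0.15:8080;
    }

    # Explicitly trusted application paths are forwarded.
    location /api/      { proxy_pass http://10.20.0.15:8080; }
    location /patients/ { proxy_pass http://10.20.0.15:8080; }

    # Anything not listed above is never forwarded to the application server.
    location / { return 404; }
}
```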