First Case of X-Ray Malware Revealed?


Security nightmare as new attack campaign targets healthcare providers - and even high-end medical scanning machines...

Researchers have uncovered an unusual campaign seemingly targeted at healthcare providers in the West, but with some intriguing elements.

The attack group has been dubbed Orangeworm and is clearly targeting the healthcare sector: more than 40 per cent of its confirmed victims are in the healthcare industry. The group’s modus operandi isn’t unusual in itself: an initial infiltration of the target, followed by deployment of a Trojan backdoor, Trojan.Kwampirs. One detail does stand out. Before the dropper writes the decrypted payload to disk, it inserts a randomly generated string into the middle of it, so every dropped copy has a different file hash and signatures that rely on hash matching miss it.
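The padding trick described above is worth seeing in miniature. The following is an added example, not code from the article or from Symantec: it simulates a dropper that splices random bytes into the middle of a payload, shows that a hash IOC taken from one infection fails against the next drop, and shows that a YARA-style signature on bytes the dropper never changes still matches. The payload bytes, the marker string, the padding length and the function names are all constructed for the demonstration and are not Kwampirs artefacts.

```python
"""Added example, not from the article or Symantec: why inserting a random
string into a payload defeats hash-based IOCs, and what still matches.

CLEAN_PAYLOAD, MARKER and the derived hash are constructed for the
demonstration; nothing here is a real Kwampirs artefact."""
import hashlib
import os

# Constructed stand-in for a decrypted payload: a header plus a repeated
# marker string standing in for code bytes the dropper never modifies.
MARKER = b"example-backdoor-body-"
CLEAN_PAYLOAD = b"MZ\x90\x00" + MARKER * 8 + b"\x00" * 16


def drop_with_random_padding(payload: bytes, pad_len: int = 16) -> bytes:
    """Write-out step as the article describes it: random bytes spliced
    into the midpoint, so each infection produces a differently hashed file.
    (pad_len=16 is an assumption for the demo.)"""
    mid = len(payload) // 2
    return payload[:mid] + os.urandom(pad_len) + payload[mid:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash IOC harvested from one victim: it matches that one dropped file only.
KNOWN_BAD_HASH = sha256(drop_with_random_padding(CLEAN_PAYLOAD))


def hash_ioc_matches(sample: bytes) -> bool:
    """Hash-based detection: equality against the harvested IOC."""
    return sha256(sample) == KNOWN_BAD_HASH


def content_signature_matches(sample: bytes, min_hits: int = 2) -> bool:
    """YARA-style check: the marker must appear at least min_hits times.
    The random splice can cut through at most one copy of the marker, so a
    signature on stable code bytes survives where the file hash does not."""
    return sample.count(MARKER) >= min_hits


def distinct_hashes(drops: int) -> set:
    """Set of file hashes seen across `drops` infections of the same payload."""
    return {sha256(drop_with_random_padding(CLEAN_PAYLOAD)) for _ in range(drops)}


if __name__ == "__main__":
    sample = drop_with_random_padding(CLEAN_PAYLOAD)
    print("hash IOC matches a fresh drop:", hash_ioc_matches(sample))          # False
    print("content signature matches it:", content_signature_matches(sample))  # True
    print("distinct hashes over 5 drops:", len(distinct_hashes(5)))            # 5
```

The practical lesson is the one the article hints at: hash lists are still worth loading, but for a family that randomises its own bytes on every write the durable indicators are code-level signatures, behaviour (a new service copied to an admin share) and the unchanged command-and-control list.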

The Trojan has been found deeply embedded in compromised healthcare networks, including on high-tech imaging devices such as X-ray and MRI machines. According to the researchers, though, the aim is not to sabotage these machines or steal their data, but corporate espionage: learning how the devices themselves operate. Worryingly, the malware is also interested in machines used to assist patients in completing consent forms for required procedures.



The largest share of Orangeworm’s victims is located in the U.S.

The group has also been operating a broader supply-chain attack upstream of its intended victims, infiltrating pharmaceutical companies, healthcare IT solution providers and specialist equipment manufacturers serving the healthcare industry, according to the security researchers at Symantec.

However, in spite of the careful targeting and infiltration, the Orangeworm group has made no effort to update the malware since its first attacks, exposing the C&C list to researchers as well as revealing its MO. In addition, once the relatively stealthy intrusion has succeeded, the malware spreads to any reachable machine by copying itself across network shares. This relatively old-school technique (ideal for legacy systems such as Windows XP) generates a significant amount of network noise, which makes detection by security teams more likely.

However, it’s an effective technique in Windows XP environments, and those are still in widespread use in niche verticals such as healthcare: indeed, a FOI request back in 2016 revealed that 90 per cent of the UK’s NHS trusts were still running XP.
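The "network noise" mentioned above is a detection opportunity: a host that copies a file to the administrative shares of many other machines within minutes looks nothing like an administrator doing one job. Below is an added example, not code from the article or from Symantec, of the fan-out check a SOC could run over share-access audit events. The log lines are constructed for the demo in a made-up key=value layout loosely modelled on Windows Security event 5140 (network share object accessed); the field names, the 10-minute window and the three-host threshold are assumptions to tune for your own environment.

```python
"""Added example, not from the article or Symantec: flag a single source
touching administrative shares (ADMIN$, C$, D$, ...) on many distinct hosts
inside a short window, the worm-like fan-out Kwampirs' share-copying creates.

Log format, field names and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: 10.20.5.14 sweeps admin shares on five hosts in
# about a minute (fan-out); 10.20.7.3 uses an ordinary data share; 10.20.9.9
# is a help-desk user on one host; one line is malformed; one late event from
# 10.20.5.14 falls outside the window.
SAMPLE_LOG = r"""2018-04-23T10:00:05Z host=WS-RAD-01 event_id=5140 src_ip=10.20.5.14 user=svc_backup share=\\*\ADMIN$
2018-04-23T10:00:09Z host=WS-RAD-02 event_id=5140 src_ip=10.20.5.14 user=svc_backup share=\\*\C$
2018-04-23T10:00:13Z host=WS-RAD-03 event_id=5140 src_ip=10.20.5.14 user=svc_backup share=\\*\ADMIN$
2018-04-23T10:00:20Z host=WS-RAD-04 event_id=5140 src_ip=10.20.5.14 user=svc_backup share=\\*\ADMIN$
2018-04-23T10:01:02Z host=WS-RAD-05 event_id=5140 src_ip=10.20.5.14 user=svc_backup share=\\*\D$
2018-04-23T10:01:30Z host=FS-01 event_id=5140 src_ip=10.20.7.3 user=jsmith share=\\*\Scans
2018-04-23T10:02:11Z host=FS-02 event_id=5140 src_ip=10.20.7.3 user=jsmith share=\\*\Scans
2018-04-23T10:02:40Z host=FS-03 event_id=5140 src_ip=10.20.7.3 user=jsmith share=\\*\Scans
2018-04-23T10:03:00Z host=WS-RAD-09 event_id=5140 src_ip=10.20.9.9 user=helpdesk share=\\*\ADMIN$
2018-04-23T10:03:05Z host=WS-RAD-09 event_id=5140 src_ip=10.20.9.9 user=helpdesk share=\\*\IPC$
this line is not in the expected format
2018-04-23T12:30:00Z host=WS-RAD-06 event_id=5140 src_ip=10.20.5.14 user=svc_backup share=\\*\ADMIN$
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) "
    r"src_ip=(?P<src>\S+) user=(?P<user>\S+) share=(?P<share>\S+)$"
)
# ADMIN$ and single-letter drive shares only; IPC$ is excluded because
# legitimate RPC traffic uses it constantly and would drown the signal.
ADMIN_SHARE_RE = re.compile(r"^\\\\\*\\(ADMIN|[A-Z])\$$")


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["eid"] = int(ev["eid"])
    return ev


def find_share_fanout(lines, min_hosts=3, window=timedelta(minutes=10)):
    """Map src_ip -> sorted hosts for every source that hit admin shares on
    at least min_hosts distinct hosts within any `window`-long period."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["eid"] == 5140 and ADMIN_SHARE_RE.match(ev["share"]):
            by_src[ev["src"]].append((ev["ts"], ev["host"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts | set(alerts.get(src, [])))
    return alerts


if __name__ == "__main__":
    for src, hosts in find_share_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT admin-share fan-out from {src}: {', '.join(hosts)}")
```

On the constructed data only 10.20.5.14 fires, with WS-RAD-01 through WS-RAD-05; the 12:30 event lands outside the window and the help-desk user's single host never crosses the threshold. In production, the same rule expressed against event 5140 (or Sysmon file-creation events on `\\host\ADMIN$`) and paired with service-installation events (7045) on the destination hosts gives a high-confidence signal for this style of spreading, and it works on XP-era hosts that cannot run a modern endpoint agent because the evidence is collected on the file servers and domain controllers, not the victim.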

Symantec has published a full list of Orangeworm IOCs alongside its report.

Meanwhile, the wider state of the cybercrime industry has been laid out in a study that claims the global cybercrime economy is now worth £1.07 trillion, equivalent to the GDP of Russia, or the 13th highest GDP in the world.

According to the study by security firm Bromium, around £612 billion comes from illicit online markets, £356 billion from the theft of trade secrets and intellectual property, £114 billion from data trading, £1.14 billion from crimeware-as-a-service sales, and just over £700 million from ransomware.

Ilia Kolochenko, CEO, High-Tech Bridge, commented on the findings: “Nothing is less certain than global cybercrime size and volume. The most serious cybercrimes, such as nation-state attacks or offensive operations of large conglomerates against competitors, are rarely detected or exposed in any manner. Publicly accessible platforms in the Dark Web have a lot of scam and fake ads intertwined with law enforcement honeypots. Professional Black Hats usually have inconspicuous, private platforms, lawfully hosted in AWS or Azure, with full encryption of any data. You cannot get there unless you are a long-standing and verified partner. Nonetheless, the report is perfectly correct that cybercrime has undoubtedly become a very profitable and sustainable business that no government can control now.”

There’s certainly no end in sight for cybercrime, or indeed exotic malware, two of the topics that will undoubtedly inform some of the debate at the upcoming GISD spring edition 2018 in Geneva. Board-level security professionals from UBS, GlaxoSmithKline and the International Labour Organization will round out an expert panel delivering and debating key industry insights. Registration for security professionals is free, and attendees are vetted to ensure a sales-free environment.