What can the healthcare industry do about Orangeworm?

Orangeworm, if you haven't heard in the recent months, is a group focused on targeting the healthcare industry. Your information, PII and EHR need to have the most secure systems protecting your information, and that's not always what happens. IT departments don't get the staff they need, hardware/software resources they need, or even assistance they need from outside vendors due to lack of budget, or possibly other factors. EMR and PII information can be worth 1000$ or more per record for hackers.

How does Orangeworm get into the system?

Orangeworm uses a Trojan called Trojan.Kwampirs that creates and allows backdoor remote access to the systems it was able to exploit. If a high value target is found (some specific EHR or PII they are looking for) they will proceed with infecting the rest of the network. Trojan.Kwampirs creates it's own service in Windows to ensure it is loaded when the machine starts.

Once Trojan.Kwampirs is able to deploy the payload, it gathers as much information as possible about the network, such as:

Display recently contacted addresses per available network interface
Display detailed configuration information for the system and its operating system (e g. OS version i nformation, registered ownerdetails, manufacture details, processor type, available storage, list of installed patches, etc.)
Display system's configured hostname
Display system version i nformation
Display routing table for available network interfaces
Display the systems configured MAC address
Display IPaddress configuration informationfor any available network interfaces
Display a 1 ist of active and 1 istening connections (TCP a nd UDP)
Display list of running system processes
Display list of running system services
Display list of available network shares
Display list of available user groups
Display list of configured environment variables
Display account policy information (e.g. maximum password age, length of password, lockout duration, etc.)
Display system network configuration information (e g. computer name, current username, version information, domain configuration, etc.)
Display list of 1 ocal a ccounts with administrative access
Display list of local group useraccounts
Display domain local groups
Display list of available network mappings
Display list of available servers on the network
Listfiles and directories in C:\

How can we protect ourselves?

Set aside an IT security budgetMake sure Firewalls are getting continuous updates from the manufacturerEnsure Content Filtering, Malware protection, IPS and IDS are enabled and working properlyAlways have an up-to-date Anti-Virus and Anti-Malware solutionGive end users least amount of access permissions that require them to do their job effectively and efficientlyMake sure you have a patch management system in place and functioning

Sources:

Symantec Blog

SpamTitan

Forbes

Forbes EMR Worth

Orangeworm, if you haven't heard in the recent months, is a group focused on targeting the healthcare industry. Your information, PII and EHR need to have the most secure systems protecting your information, and that's not always what happens. IT departments don't get the staff they need, hardware/software resources they need, or even assistance they need from outside vendors due to lack of budget, or possibly other factors. EMR and PII information can be worth 1000$ or more per record for hackers.


You'll only receive email when they publish something new.

More from potablefog
All posts