SecurityWeek

Cybercrime

FBI Warns of Ongoing Kwampirs Attacks Targeting Global Industries

A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns.

Initially detailed in 2018, the malware is a custom backdoor associated with a threat actor tracked as Orangeworm, which has been active since at least 2015, mainly targeting organizations in the healthcare sector, but also launching attacks on industries somewhat related to healthcare, including IT, manufacturing, and logistics.

Attacks involving the Kwampirs Remote Access Trojan (RAT), the FBI says, have been ongoing since 2016, targeting healthcare, software supply chain, energy, and engineering organizations in the United States, Europe, Asia, and the Middle East. Financial institutions and prominent law firms were also targeted.

According to the FBI’s alert, while the backdoor does not include wiper or destructive module components, it shares code-based similarities with the data destruction malware Disttrack, better known as Shamoon.

The malware has been successfully employed in assaults on healthcare entities worldwide, including major transnational healthcare companies and local hospital organizations. In some cases, the infections spread across the enterprise networks, the FBI’s alert reads (PDF).

“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals,” the agency says.

The two-phased attacks start with the threat actor establishing broad and persistent access to the target network to ensure secondary payloads can be deployed and executed. Next, the attackers deliver additional Kwampirs components or payloads to further exploit the infected hosts.

Stealth has allowed the threat actor to maintain access to the infected networks for long periods of time, in some cases up to three years. The attackers were also observed deploying a targeted module for detailed reconnaissance.

From the compromised networks, the attackers harvested information on primary and secondary domain controllers, engineer servers used to develop and test ICS products and instruments, software development servers storing source code, and file servers used as shared repositories for research and development (R&D).

Targeted supply-chain vendors provide multi-industry imaging business products and services, co-develop products with worldwide software companies and organizations in the enterprise resource planning (ERP) industry, and provide products and services supporting ICS maintenance functions.

Infections occur during mergers and acquisitions (spreading from one company to the other); during co-development processes, via shared resources; and via infected devices from supply-chain vendors that are installed on the customer LAN or cloud infrastructure.

“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI says.

The alert also underlines the fact that the Kwampirs RAT’s modular design allows the attackers to engage in additional network exploitation activities through secondary modules. Moreover, these modules might not be remediated by endpoint protection solutions, the FBI also says.

Organizations that might have been infected are advised to contact their cybersecurity vendor and coordinate mitigation efforts with the FBI. In order to assist the agency, victims have been instructed to capture network traffic, create images of the infected hosts, capture web proxy logs and DNS and firewall logs, identify hosts communicating with C&C servers, and identify patient zero and attack vectors.
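The last two steps in that guidance, identifying hosts that talked to command-and-control servers and narrowing down patient zero, are typically done by correlating the collected DNS, web proxy and firewall logs against an indicator list. The following Python script is an added illustration of that correlation and is not code from the FBI alert or from SecurityWeek; every indicator, hostname, IP address and log line in it is constructed for the example (the page publishes no Kwampirs IoCs), so in a real investigation the indicator sets would be replaced with those supplied by the FBI or the organization’s security vendor.

```python
"""Correlate DNS, web-proxy and firewall logs against a C2 indicator list.

Added example (not from the FBI alert or the SecurityWeek article): it
demonstrates the 'identify hosts communicating with C&C servers' and
'identify patient zero' steps on constructed sample logs. All indicators,
hostnames and IP addresses are constructed placeholders, not real
Kwampirs infrastructure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed placeholder indicators (assumption: a real case would load the
# vendor/FBI-supplied list). 203.0.113.0/24 is a documentation range.
C2_DOMAINS = {"c2-placeholder.invalid"}
C2_IPS = {"203.0.113.45"}

# Constructed sample log lines in three simple formats.
DNS_LOG = """\
2020-03-02T08:14:07Z client=10.10.4.21 query=c2-placeholder.invalid type=A
2020-03-02T08:14:09Z client=10.10.4.21 query=update.example.com type=A
2020-03-03T11:02:51Z client=10.10.7.88 query=c2-placeholder.invalid type=A
"""
PROXY_LOG = """\
2020-03-02T08:14:08Z 10.10.4.21 GET http://c2-placeholder.invalid/ping 200
2020-03-04T09:30:00Z 10.10.9.5 GET http://intranet.example.com/ 200
"""
FIREWALL_LOG = """\
2020-03-01T23:58:12Z ALLOW src=10.10.2.14 dst=203.0.113.45 dport=443
2020-03-03T11:03:00Z ALLOW src=10.10.7.88 dst=203.0.113.45 dport=443
"""


@dataclass(frozen=True)
class Hit:
    """One observed contact between an internal host and a C2 indicator."""
    when: datetime
    host: str
    source: str      # which log the evidence came from: dns / proxy / firewall
    indicator: str   # the matched domain or IP


_DNS = re.compile(r"^(\S+) client=(\S+) query=(\S+) ")
_PROXY = re.compile(r"^(\S+) (\S+) \S+ \w+://([^/\s]+)")
_FW = re.compile(r"^(\S+) ALLOW src=(\S+) dst=(\S+) ")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_c2_hits(dns_log: str, proxy_log: str, fw_log: str) -> list[Hit]:
    """Return every C2 contact found in the three logs, oldest first."""
    hits: list[Hit] = []
    for line in dns_log.splitlines():
        m = _DNS.match(line)
        if m and m.group(3).rstrip(".").lower() in C2_DOMAINS:
            hits.append(Hit(_ts(m.group(1)), m.group(2), "dns", m.group(3)))
    for line in proxy_log.splitlines():
        m = _PROXY.match(line)
        if m and m.group(3).lower() in C2_DOMAINS:
            hits.append(Hit(_ts(m.group(1)), m.group(2), "proxy", m.group(3)))
    for line in fw_log.splitlines():
        m = _FW.match(line)
        if m and m.group(3) in C2_IPS:
            hits.append(Hit(_ts(m.group(1)), m.group(2), "firewall", m.group(3)))
    return sorted(hits, key=lambda h: h.when)


def infected_hosts(hits: list[Hit]) -> list[str]:
    """Distinct internal hosts that contacted a C2 indicator."""
    return sorted({h.host for h in hits})


def first_contact_by_host(hits: list[Hit]) -> dict[str, datetime]:
    """Earliest C2 contact per host; useful for an infection timeline."""
    first: dict[str, datetime] = {}
    for h in hits:  # hits are already sorted oldest first
        first.setdefault(h.host, h.when)
    return first


def patient_zero(hits: list[Hit]) -> Hit | None:
    """Earliest C2 contact in the retained logs: a candidate, not a proof."""
    return hits[0] if hits else None


if __name__ == "__main__":
    found = find_c2_hits(DNS_LOG, PROXY_LOG, FIREWALL_LOG)
    for hit in found:
        print(f"{hit.when:%Y-%m-%d %H:%M:%S}  {hit.host:<12} {hit.source:<8} {hit.indicator}")
    print("infected hosts:", infected_hosts(found))
    print("patient zero candidate:", patient_zero(found))
```

The script flags the host `10.10.2.14` as the patient-zero candidate because its firewall entry is the oldest evidence, even though it never appears in the DNS or proxy logs; that is why all three log sources are worth collecting rather than any one of them. Given the multi-year dwell times described above, the earliest retained log entry is only a lower bound on the first infection, so the candidate should be confirmed against the host images the guidance also asks for.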

Related: ‘Orangeworm’ Cyberspies Target Healthcare Sector in US, Europe, Asia

Related: IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
