FBI Again Alerts to Kwampirs Malware Supply Chain Cyberattacks
An Advanced Persistent Threat actor is leveraging the Kwampirs Remote Access Trojan malware in targeted cyberattacks, including a significant amount in the healthcare sector, the FBI warns.
The FBI released a Private Industry Notification, which again warns organizations that Kwampirs malware is being leveraged in ongoing supply chain cyberattacks targeting global industries, including the healthcare sector.
This is the third Kwampirs-related FBI alert in recent months. The FBI warned hackers have been targeting the private sector with supply-chain cyberattacks in February. In April 2019, Symantec reported the hacking group known as OrangeWorm was targeting large healthcare firms with Kwampirs to gain access to their networks.
First observed in 2016, the Advanced Persistent Threat (APT) actor is using the Kwampirs Remote Access Trojan to gain access to victims’ network. The key purpose is to gain broad, targeted access to organizations and enable follow-on computer exploitation (CNE) activities.
The FBI used victimology and forensic analysis, which found the heavily targeted sectors included healthcare and software supply chain, as well as the energy and engineering sectors across the US, Europe, Asia, and the Middle East. The financial sector and prominent law firms are also targets.
“The FBI has not seen the Kwampirs RAT incorporating a wiper or destructive module components,” officials wrote. “However, through comparative forensic analysis, several code-based similarities exist with the data destruction malware Disttrack (commonly known as Shamoon).”
For the healthcare sector, the Kwampirs operations have been highly effective. The threat actors have gained broad and sustained access to those targeted entities, ranging from “major transnational healthcare companies to local hospital organizations.”
Hackers have managed to locally infect machines, as well as enterprise malware infections.
“During these campaigns, the Kwampirs RAT performed daily command and control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware,” officials wrote.
“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products,” they added. “Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.”
The attacks use a two-phased approach. First, the hacker will establish a broad and persistent presence on the targeted network, which includes the delivery and execution of secondary malware payloads. Next, the threat actors deliver additional Kwampirs components or malicious payloads for further exploitation of the victims’ network.
The FBI warns that hackers have managed to successfully fain and sustain persistent presence on victim networks between three to 36 months, then deployed a targeted secondary module to perform detailed reconnaissance.
Some provided examples of targeted network assets of this secondary module include, “primary domain controllers; secondary domain controllers; engineer servers which are used to develop and test ICS products and instruments; software development servers which maintain source code for software applications; and file servers which are used as shared repositories for research and development.
The FBI has seen significant intrusion vectors during mergers and acquisition(s), where an infection from one company was brought into the acquiring company once the network was connected. Kwampirs has also been observed during the software co-development process, where the malware was passed between multiple entities through shared resources.
The threat has also been seen during the software co-development process, where shared internet facing resources have infected co-development participants.
“The FBI emphasizes, due to the modular nature of the Kwampirs RAT, secondary module(s) are capable of being downloaded to the victim network, which would provide access to enable further CNE activities,” officials explained.
“Secondary module(s) downloaded would be separate and different from the Kwampirs RAT IOCs, and may not have been remediated by anti-virus end point protection,” they added. “Residual Kwampirs RAT host artifacts may still reside on victim networks and be valuable in assisting a company to determine if they were a victim of the Kwampirs RAT.”
Defense Recommendations
To defend against these attacks, organizations need to employ regular updates to applications and host operating systems. Established, offline backups are crucial and should include a “known good” version of the relevant server, while establishing a regular change management policy to monitor for alterations.
Further, the IT team should employ user input validation to restrict local and remote file inclusion vulnerabilities and implement a least-privileges policy on the web server. The FBI also recommended organizations consider “deploying a demilitarized zone (DMZ) between the Webfacing systems and corporate network.”
“Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity,” officials explained. “Ensure a secure configuration of Web servers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible.”
“This can include whitelisting or blocking external access to administration panels and not using default login credentials,” they added.
Lastly, organizations should use a reverse proxy or another service able to restrict accessible URL paths to known legitimate ones, along with conducting regular system and application vulnerability scans to establish areas of risk. The method does not protect against zero-day attacks but can shed light on risk.
Organizations that detect a Kwampirs RAT infection should contact their IT mitigation and remediation team to coordinate mitigation efforts with the local FBI field office.