‘Orangeworm’ the new superworm hacking group that’s targeting healthcare

Hacking activity targeting the healthcare sector continues to rise.  New security research just released by Symantec has identified a global hacking group called ‘Orangeworm’.  Though its victims in 2016 and 2017 amounted to a small number of organisations (mostly in the USA and Asia), some were identified as being based in Europe.  Analysis by industry sector has revealed that healthcare is Orangeworm’s primary target, with 39% of observed attacks falling on this data-rich sector, which includes hospitals and pharmacies.

Symantec said, “Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack”.

Orangeworm’s wormable trojan, named ‘Kwampirs’, is able to vet the data on a machine to determine whether the computer is used for research or holds high-value data, e.g. patient information.  Kwampirs then creates a backdoor on compromised computers, enabling the hackers to remotely access equipment and steal sensitive data, and the infection survives reboots.

The trojan worm has a penchant for the software on critical hospital equipment, which includes kit like X-ray machines and MRI scanners, as well as machines used to assist patients in completing consent forms.  If the ‘victim’ computer is of interest, the malware then “aggressively” spreads itself across open network shares to infect other computers within the same organisation and uses built-in commands to grab data. This includes “any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.”

The supply chain is a key part of this attack surface, with targets including manufacturers providing medical devices, technology companies offering services to clinics, and logistics firms delivering healthcare products.

Director of Technology, Security & Governance, JP Norman advises:  “Ensure your anti-malware provider can detect Kwampirs activity and, to prevent and detect an infection, ensure that:

• A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
• All operating systems, anti-virus and other security products are kept up to date.
• All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
• Strong password policies are in place and password reuse is discouraged.
• Network, proxy and firewall logs are monitored for suspicious activity.
• User accounts accessed from affected devices are reset on a clean computer.”
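The worm behaviour described above (spreading across open network shares) and the advice to monitor network and firewall logs can be joined up in a simple detection. The following is an added example, not code from the article, Symantec or Amicus ITS: it reads constructed firewall log lines in an assumed "timestamp src dst dport action" format and flags any internal host that opens SMB (TCP/445) connections to many distinct peers within a short sliding window, which is the traffic shape share-spreading malware produces. The log format, addresses, window and threshold are all assumptions for illustration.

```python
"""Spot worm-like SMB fan-out in firewall logs.

Added example (not from the article, Symantec or Amicus ITS). The log
format, hosts, window and threshold below are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "ts src dst dport action" format.
# 10.1.2.15 fans out to ten peers in ten seconds; 10.1.2.40 is a normal
# user box talking to a couple of file servers; 10.1.2.41 is HTTPS noise.
SAMPLE_LOG = """\
2018-04-23T09:00:01 10.1.2.15 10.1.2.200 445 allow
2018-04-23T09:00:03 10.1.2.15 10.1.2.201 445 allow
2018-04-23T09:00:04 10.1.2.15 10.1.2.202 445 allow
2018-04-23T09:00:05 10.1.2.15 10.1.2.203 445 allow
2018-04-23T09:00:06 10.1.2.15 10.1.2.204 445 allow
2018-04-23T09:00:07 10.1.2.15 10.1.2.205 445 allow
2018-04-23T09:00:08 10.1.2.15 10.1.2.206 445 allow
2018-04-23T09:00:09 10.1.2.15 10.1.2.207 445 allow
2018-04-23T09:00:10 10.1.2.15 10.1.2.208 445 allow
2018-04-23T09:00:11 10.1.2.15 10.1.2.209 445 allow
2018-04-23T09:01:00 10.1.2.40 10.1.2.5 445 allow
2018-04-23T09:05:00 10.1.2.40 10.1.2.5 445 allow
2018-04-23T09:10:00 10.1.2.40 10.1.2.6 445 allow
2018-04-23T09:10:02 10.1.2.41 10.1.2.210 443 allow
"""

SMB_PORT = 445
WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 8                   # assumed: distinct SMB peers in one window that triggers an alert


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout_alerts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak number of distinct SMB destinations seen within any
    `window`} for every source whose peak reaches `threshold`."""
    events = defaultdict(list)  # src -> list of (ts, dst) for SMB connections
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == SMB_PORT:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start..end] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {count} distinct SMB peers within {WINDOW}")
```

The threshold is deliberately a count of distinct destinations rather than raw connection volume: a file server client hammering one share is noisy but normal, whereas one workstation touching eight or more separate machines on port 445 inside five minutes is what share-hopping malware looks like and is rare for a human user. Tune the window and threshold against a baseline of your own logs before alerting on it.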

Sales Director, Les Keen added, “Where there is the option for healthcare / supply chain organisations to prioritise IT funding, updating the Operating Systems is a primary, as is ensuring a strong and regular policy on Patch Management.  Our Sales and Security teams are always on hand to review and audit organisational IT infrastructure and offer holistic remediation advice as part of our security readiness programmes.  Just call us on +44 2380 429429”.

TalkTalk talk of recovery – hopefully no joke for their customers

TalkTalk have announced that their profits halved following the cyber attack on the company in October 2015.  Profits fell to £14m, down from £32m the year before. The fall is attributed in part to the costs of the cyber attack by a number of hacktivists in the UK (six arrests have been made – all individuals are under 21).

TalkTalk lost 101,000 subscribers in the quarter immediately following the attack, in which the personal data of around 160,000 customers was compromised. This included email addresses, names and phone numbers, plus 21,000 unique bank account numbers and sort codes.

TalkTalk’s immediate response was to play hardball with any customer trying to leave – quoting contract terms and penalty fees should they go.  Nowhere in their response was there any acknowledgement of their responsibility for safeguarding customer data – and the onus fell to the customer to prove that any future financial loss was solely due to the hack.  So, for example, if a customer was spear-phished through social engineering that made use of the compromised personal data, that would be treated as the customer’s fault.

If there was an Incident Response Plan (they had suffered previous breaches in the preceding year), there is little to show for it in terms of lessons learned to date.

Despite this, TalkTalk CEO Dido Harding maintains today that the company has recovered and that the customer churn experienced in the first quarter following the attack has since been stemmed, which in her eyes indicates customer satisfaction.

Total revenues are reported to have grown 2.4% to £1.83 billion in the 12 months to 31st March 2016.  However upbeat the CEO’s talk of positives in May 2016, the company’s PR mishandling, lack of probity and lack of knowledge indicate a disrespect for the customer, who (along with their data) should be, and feel, cared for at all times.

So we’ll need to wait and see what the figures and customer base numbers reveal over the next 12 months.  However, one thing is certain: the company’s failure to manage and protect its customers’ data with due diligence and probity has led to a very public sullying of the brand and ridicule in some boardroom circles.

The TalkTalk debacle should go into the lexicon for all future Board directors as a lesson in how not to handle a disaster.  For any Board today, at least one member must understand and be accountable for cyber security so that the appropriate reviews, decisions, IT investments and staff education are undertaken. This means:

1. Understanding cyber security and identifying what your data crown jewels are
2. Ensuring your company has up-to-date security policies and practised procedures in line with ISO 27001
3. Having your company’s infrastructure interrogated regularly for vulnerabilities and plugging any gaps
4. Working with data security specialists to monitor any devices, any infrastructure and any locations where your business or staff operate, to ensure you maintain endpoint security at all times.

Amicus ITS has a Security as a Service offering, called Foxcatcher.  If you wish to speak to one of our team about your organisation’s security, call us on 02380 429429.

Why SMEs really should care about hacking

There may have been a mistaken belief amongst SMEs that they are NOT a principal target for cyber attack.  This has been firmly refuted by security firm Symantec following its research into the trends that evolved during 2015, just published in its latest report.

UK, US and Indian SMEs in particular are being targeted, specifically with the goal of stealing money from businesses.

Hackers are using two types of Trojan (a common cyber threat method through which the victim is conned into launching malware, believing it to be harmless) together with social engineering (a confidence trick – essentially getting people to perform an action or divulge confidential information).

The newer, more sophisticated threats target, “employees responsible for accounts and fund transfers”.

Scammers will send emails from stolen or compromised accounts, often finance-related, and lure the employee into opening them.  The email contains a .zip attachment which, once clicked on, opens a Pandora’s Box for the cyber attackers: they can log keystrokes, steal files and passwords, and access the camera and microphone.  Keystroke logging is the more sinister capability, in that it records everything typed, capturing the websites visited and passwords that are never even stored on the computer and adding them to the data heist.

The email subject line might be one such as the following:
• Re:Invoice
• PO
• Remittance Advice
• Payment Advise
• Quotation Required
• Transfer Copy
• TT Payment
• Qoutation
• Request for Quotation

Hackers use two publicly available remote access Trojans (RATs): Backdoor.Breut and Trojan.Nancrat, Nancrat being the one most commonly used in the UK.

And it doesn’t have to be a swift in-and-out attack.  Hackers, once in, are happy to mooch around the computer to find out how to steal money.  “In some cases, attackers have been known to even download manuals to figure out how to use certain financial software,” the Symantec report says.

The recommendation, of course, is not to open suspicious attachments and to exercise caution when using email. All too often, a too-speedy keystroke can lead to an accidental but high-impact outcome for the firm.  The solution is to get educated about cyber attacks and what they look like, and to treat email communications with cautious respect. That way, you get smart and your company and customers stay safe.
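The lure pattern described in this section (a finance-themed subject line, including misspelt variants, and a .zip attachment that carries the payload) can be scored at the mail gateway before a user ever sees it. The following is an added example and not code from the article or from Symantec: it builds a constructed e-mail in memory, then scores it on whether the subject matches the kinds of lure listed above and whether an attached .zip contains members with executable extensions. The subject patterns, extension list, sender addresses and scoring weights are assumptions for illustration.

```python
"""Triage for finance-themed phishing lures carrying .zip attachments.

Added example (not from the article or Symantec). Subject patterns,
extensions, addresses and weights are assumptions for illustration.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed lure patterns covering the subject lines listed above plus common misspellings.
LURE_SUBJECTS = [
    r"^\s*(re:\s*)?invoice\b",
    r"^\s*p\.?o\.?\b",
    r"remittance\s+advi[cs]e",
    r"payment\s+advi[cs]e",          # "Advice" and the misspelt "Advise"
    r"\bq(u)?o(u)?tation\b",         # "Quotation" and the misspelt "Qoutation"
    r"transfer\s+copy",
    r"\btt\s+payment\b",
]
# Assumed member extensions that should never arrive inside a mailed .zip.
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar", ".hta")


def suspicious_subject(subject):
    """True if the subject matches one of the assumed finance-lure patterns."""
    s = subject.lower()
    return any(re.search(p, s) for p in LURE_SUBJECTS)


def executable_members(zip_bytes):
    """List members of a zip payload whose names end in an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_message):
    """Return (score, reasons) for a raw RFC 822 message.
    Each finding adds one point; a score of 2 or more is the assumed quarantine line."""
    msg = message_from_bytes(raw_message)
    reasons = []
    if suspicious_subject(msg.get("Subject", "")):
        reasons.append("finance-lure subject")
    for part in msg.walk():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            reasons.append(f"zip attachment {fname}")
            members = executable_members(part.get_payload(decode=True) or b"")
            if members:
                reasons.append("executable inside zip: " + ", ".join(members))
    return len(reasons), reasons


def build_sample(subject, zip_members):
    """Constructed sample message with a .zip attachment built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in zip_members.items():
            zf.writestr(name, data)
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed sender
    msg["To"] = "finance@example.invalid"      # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please see attached remittance.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Remittance.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # A constructed lure: misspelt subject, zip holding a double-extension executable.
    lure = build_sample("Qoutation", {"Remittance Advice.pdf.exe": b"MZ\x90\x00"})
    print(triage(lure))
    # A constructed benign message: ordinary subject, zip holding only a PDF.
    print(triage(build_sample("Team lunch", {"menu.pdf": b"%PDF-1.4"})))
```

Scoring the two signals separately matters: a legitimate supplier does send "Remittance Advice" emails, and plenty of harmless zips circulate, so either on its own is only a weak indicator. The combination of a lure-style subject and an executable hidden inside an archive is what should route a message to quarantine rather than the inbox.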

US med students in cyber security class given licence to kill in University exercise

It’s bad enough to have to consider the threat of our mainstream data being hacked, but what if the threat was to successfully target and kill someone?

This is the finding of some students at the University of South Alabama who set out to hack a medical-grade human simulator called iStan.  Described as “the most advanced wireless patient simulator on the market, with internal robotics that mimic human cardiovascular, respiratory, and neurological systems,” iStan costs about $100,000 and is regularly used by hospitals to teach medical students how to perform procedures without murdering people.

The medical target here might be someone with a pacemaker, which are apparently quite susceptible to hacking. Director of Simulations at the university, Mike Jacobs commented:  “The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient.   It’s not just a pacemaker, we could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.”

The students were able to access iStan’s functions within a few hours, and the technology was found to be vulnerable to denial of service attacks, brute force attacks and security control attacks.

This exercise, published on arXiv, was aimed at increasing the students’ awareness of the vulnerabilities of patients and will reinforce the use of alternative or traditional techniques that do not rely on technology.  Nonetheless, it was lucky it was just iStan.  Whilst Jacobs advises it would be possible to encrypt wirelessly transmitted data sent between medical devices, it does mark a dark and cynical moment to consider this kind of threat being targeted at a senior business figure, say in a FTSE 500 company, with a discovered medical condition.  Reminder to self:  “Arrange BUPA check up and call in those connections at MIT”.

Transport infrastructure cyber threats loom

The UK’s next-generation digital signalling system will be rolled out on intercity routes in the 2020s, but could be at risk from hacking causing a serious crash, according to Prof David Stupples, a scientific Government advisor.  Network Rail takes the threat seriously.  With UK testing of the European Rail Traffic Management System underway, Network Rail says, “We work closely with government, the security services, our partners and suppliers in the rail industry and external cyber security specialists to understand the threat to our systems and make sure we have the right controls in place”.

So what could happen?

The new system is designed to make networks safer by reducing driver error; however, if the system were compromised with malware, the speed at which a train travelled could be overridden and the length of time it was programmed to stop for could be lengthened, creating either disruption or, worse, a potential accident.

With a robust security system facing the outside world, the threat is deemed to be greatest from a rogue employee or an ill-informed worker, for example one plugging in a malware-infected device.  With an aged and disconnected infrastructure, the rail networks have hitherto not been a frequent target; however, as transport systems become more computerised and connected, this threat will only increase.

This comes at a time when the FBI has recently sent out a formal alert to US airlines to warn them of the dangers of their wi-fi networks being hijacked, following a tweet by an independent security expert that he had successfully accessed a network through the in-flight entertainment system (IFE).  The FBI and the US Transportation Security Administration are working fast to close the cracks, but this is not new news.  The concern is that an avionics network could be accessed illegally and the plane’s controls taken over – either by someone on board or on the ground.

Technology is a wonderful thing, but only in the right hands.  The job of defending network systems can truly be life critical, let alone business critical.  Whatever your line of business, take the time to regularly review your security systems and test them for failure.  Sometimes it only takes one incident to do irreparable damage to the public’s trust in an organisation.  Don’t let that company be yours.

Amicus ITS – Our views on this week’s news

Apple’s profits – The Bigger Picture

Research firm Statista has announced that Apple’s profits amount to more than those of Google, Microsoft, Amazon, Facebook, eBay and Yahoo combined.  Its $47.1 billion profits are primarily thanks to the popularity of its well-designed, fashionable mobile devices and their growing impact on the work environment.  Whilst we love the iPad and the iPhone, can Apple maintain this lead by using its design and phenomenal budgets to drive consumers to the next big thing?

The end of XP

This week saw the start of the 500-day countdown to the end of XP support, giving Windows 8 a fighting chance of gaining significant sales.  Although Windows 8 has so far seen a slow start, we think Microsoft’s big gamble will pay off.  As mobility grows, organisations will look to the best solution to meet their OS needs, and we think Windows 8 will come up trumps.

Windows Phone anyone?

Microsoft is placing all its bets on the new Windows 8 ecosystem to push sales of its phone division.  The new device comes with a similar look and feel to its desktops, tablets, Xbox and phones, in the hope that users will enjoy the experience on one device and try another. We think this is a smart move for Microsoft and predict that by the end of 2014 we may see the market share split between Apple, Microsoft and Google.

Security breaches heighten corporate awareness

In recent months, hacking has increased.  Many big names are currently in the firing line, with Google, Yahoo and Microsoft the latest.  As industry leaders succumb to security breaches, the rest of the world becomes increasingly concerned about how secure their own IT infrastructure really is.  Organisations need to step up their game and will look to managed service providers for help.