Jason Lackey
Solutions Marketing

Windows XP, Orangeworm/Kwampirs and the Soft Underbelly of Healthcare and Embedded Systems

April 30, 2018 by Jason Lackey

Kwampirs breached the system here...

A long time ago when I was first getting my start in the world of tech, I worked for a really awesome guy, John, who for some reason saw some potential in me and gave me a chance to learn IT while working in his silicon wafer reclaim business. This was back in the day of Novell Netware, which was part of an even older concept called on-prem IT. I digress.

Anyway, while John was a great guy and very generous with me and other people, he was also a notorious miser with regards to hardware. We were always getting servers from eBay or dead startup auctions. They built out a multi-million dollar wafer reclaim facility and part of the line was supported by some awesome six-figure tool. That tool had a networking option, which cost several thousand dollars and consisted of a $25 network card and some drivers. Thus, I got to take a ride up to Vancouver, WA and put on a cleanroom bunny suit and get busy working on an obsolete embedded OS on an expensive tool.

At this time, Windows NT4 had been out a while and most of the consumer desktop was using Win98 or ME. I was young and naïve and thus was somewhat unprepared and really shocked to find out that this huge, expensive and moonshot sophisticated tool was being run by Win 3.11 and was a couple generations behind most suburban living room PCs. Fortunately the NIC still came with Win 3.11 drivers (on a floppy) and by some miracle setup.exe actually worked. Hallelujah, get me out of this bunny suit. Surely in the near future someone will solve this problem of expensive tools running old operating systems….

Fast forward to the present day and the whole paradigm of expensive, specialized gear being driven by systems running on old or obsolete operating systems is alive and well.

Case in point, Orangeworm, a new attack group, leveraging malware called Kwampirs. These guys seem to have cracked the code with regards to certain verticals tending to run old/legacy operating systems, and healthcare is one of those verticals and an increasingly attractive target for the badguys.

One of the challenges is that systems like X-Ray machines are very expensive, relatively long lived tools. The companies that make them are not usually focused on IT and related issues, so they are most interested in shipping the tool and don’t necessarily think about updates and patches ten years down the line or even security beyond whatever is required by HIPAA (a commenter on The Register suggested putting some credit card data on those systems and watching how quickly PCI gets previously un-updatable systems updated and patched).

Other environments, like manufacturing or just about any sort of place where you can find SCADA systems, can be somewhat similar – expensive equipment that does not go obsolete overnight made and installed and maintained by people who probably don’t really focus on IT can lead to similar outcomes – lots of embedded XP or other similarly old and obsolete and vulnerable operating systems embedded in not easily updatable ways.

It may seem hard to believe how hard it is to update some of these systems, but it is. Some of the reason may be certification related – with significant changes requiring expensive and time-consuming recertification. In some cases there might be an expensive support contract that gets voided if you touch things, in others there may be stuff soldered to a motherboard or special hardware that requires drivers that only run on an old OS or any of a number of other reasons why rip and replace or “just virtualize it” won’t work.

Because of these reasons, Orangeworm has been able to impact a fairly large number of organizations using relatively old malware, in this case Kwampirs. While the combination is not particularly sneaky, trick or sophisticated, they have proven adequately skilled to get in to a number of production healthcare, industrial, logistics and manufacturing networks.

Orangeworm doesn’t seem to care too much about flying low and slow and trying to avoid detection. To the contrary, they do a lot of noisy, easy to detect things that seem a lot more like kicking down a weak front door than picking the lock. While the purist may cringe, considering the state of IT in many of the target verticals, maybe stealthy approaches would not buy a bad actor very much.

Next Steps

Next steps for organizations running networks, particularly those in health care, manufacturing include:

1. Make sure existing tools (X-Ray, MRI, CAT etc) are patched and updated to the extent possible.

2. You may want to explore network segmentation and create highly protected network segments with fairly restrictive ACLs etc for vulnerable IoT devices.

3. To ensure the steps you have taken to protect your devices have been effective, you may want to test your security with a product such as BreakingPoint.