FBI: Kwampirs Malware Targeting Supply Chain Software Providers

The Federal Bureau of Investigation (FBI) has sent a security alert to the U.S. private sector about an ongoing hacking campaign that's targeting supply chain software providers.

According to ZDNet, the FBI says hackers are attempting to infect companies with the Kwampirs malware, a remote access trojan (RAT).

"Software supply chain companies are believed to be targeted in order to gain access to the victim's strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution," the FBI said in a private industry notification.

The FBI noted that the same malware was also deployed in attacks against companies in the healthcare, energy and financial sectors. The notification did not identify the targeted software providers, nor any other victims, says the report. Instead, the FBI shared IOCs (indicators of compromise) and YARA rules so organizations can scan internal networks for signs of the Kwampirs RAT used in the recent attacks, says ZDNet.

ZDNet reports that the Kwampirs malware was first described by U.S cybersecurity firm Symantec. Back in April 2018, Symantec identified the new attack group dubbed Orangeworm, which was deploying the Kwampirs backdoor in a targeted attack campaign against the healthcare sector and related industries. In addition, Symantec said that Orangeworm was first identified in January 2015 and had conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage, Symantec said.

ZDNet reports that it appears the malware has evolved to target the energy sector and ICS, as noted by the FBI in the alert.

“Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunity for RATs to operate undiscovered as they hide in plain sight," says Matt Walmsley, EMEA Director at Vectra. "The FBI’s report that threat actors are using digital supply chain infections as a distribution means for Kwampirs opens the door for the possibility of widespread deployments. Consider the scope and impact of NotPetya which was embedded into an update service of the popular Ukrainian accounting application M.E. Doc, or the malware that was stealthily placed inside the updates for Avast’s CCleaner."

"While it’s good to see government agencies warn about, and provide identification signature profiles for RATs such as Kwampirs, the pathways and services that RATs exploit remain open and hard to monitor for many organizations. Signatures exist for the most common RATs, but skilled attackers can easily customize or build their own RATs using common remote desktop tools such as RDP to exert remote access. This is held up by some recent analysis we made on live enterprise networks that found that 90 percent of surveyed organizations exhibit a form of malicious RDP behaviors," says Walmsley. "This type of behavioral detection approach (instead of trying to perfectly fingerprint each RATs’ signature) can be achieved with machine learning models designed to identify the unique behaviors of RATs. By analyzing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behavior without prior knowledge of the attack, or individual RAT’s code.”

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.