Expert Comments

Kwampirs Malware – FBI Issues Warning To US Private Sector

Expert(s): Security Experts
Expert(s): Security Experts

The FBI has sent a security alert to the US private sector highlighting a hacking campaign targeting supply chain software providers. Hackers are attempting to infect companies with the Kwampirs malware which has also been deployed in attacks against companies in the healthcare, energy, and financial sectors, and has now evolved to target companies in the ICS sector, and especially the energy sector.

Experts Comments

Dot Your Expert Comments
Matt Walmsley
February 12, 2020
EMEA Director
Vectra

The FBI’s report that threat actors are using digital supply chain infections as a distribution.
Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunities for RATs to operate undiscovered as they hide in plain sight. The FBI’s report that threat actors are using digital supply chain infections as a distribution means for Kwampirs opens the door for the possibility of widespread deployments. Consider the scope and impact of.....Read More
Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunities for RATs to operate undiscovered as they hide in plain sight. The FBI’s report that threat actors are using digital supply chain infections as a distribution means for Kwampirs opens the door for the possibility of widespread deployments. Consider the scope and impact of NotPetya which was embedded into an update service of the popular Ukrainian accounting application M.E. Doc, or the malware that was stealthily placed inside the updates for Avast’s CCleaner. Whilst it’s good to see government agencies warn about, and provide identification signature profiles for RATs such as Kwampirs, the pathways and services that RATs exploit remain open and hard to monitor for many organizations. Signatures exist for the most common RATs, but skilled attackers can easily customize or build their own RATs using common remote desktop tools such as RDP to exert remote access. This is held up by some recent analysis we made on live enterprise networks that found that 90% of surveyed organizations exhibit a form of malicious RDP behaviors. This type of behavioral detection approach (instead of trying to perfectly fingerprint each RATs’ signature) can be achieved with machine learning models designed to identify the unique behaviors of RATs. By analyzing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behavior without prior knowledge of the attack, or individual RAT’s code.  Read Less
Elad Shapira
February 12, 2020
Head of Research
Panorays

Kwampirs is a backdoor Trojan that provides attackers with remote access to a compromised computer.
It’s concerning, but not altogether surprising, that according to the FBI, the Kwampirs malware is being used against supply chain software companies. Kwampirs is a backdoor Trojan that provides attackers with remote access to a compromised computer. Once inside a victim’s network, the malware propagates aggressively, such as by copying itself over network shares. In the past, Kwampirs was used to target companies in the healthcare sector. We have seen that malicious actors will use.....Read More
It’s concerning, but not altogether surprising, that according to the FBI, the Kwampirs malware is being used against supply chain software companies. Kwampirs is a backdoor Trojan that provides attackers with remote access to a compromised computer. Once inside a victim’s network, the malware propagates aggressively, such as by copying itself over network shares. In the past, Kwampirs was used to target companies in the healthcare sector. We have seen that malicious actors will use anything in their arsenal to gain access to organizations’ data, and often, the best way to achieve this is by targeting the supply chain partners to which organizations are connected. For this reason, the FBI warning about the Kwampirs malware is just one more wake-up call for organizations to put processes in place to thoroughly assess and continuously monitor the security of their supply chain partners.  Read Less
Jeremy Hendy
February 11, 2020
CEO
Skurio

One of the most effective is to add specially tagged synthetic identities to confidential datasets.
Data breaches frequently happen because there’s a security failure at a supply chain partner. It’s not unusual for the breach to occur some way down the chain - maybe three or four levels removed from your own organisation. In truth the more partner connections you have the greater your digital risk profile, exposing you to threats beyond the network perimeter that you are powerless to control. In today’s complex digital ecosystems, confidential data is routinely shared between.....Read More
Data breaches frequently happen because there’s a security failure at a supply chain partner. It’s not unusual for the breach to occur some way down the chain - maybe three or four levels removed from your own organisation. In truth the more partner connections you have the greater your digital risk profile, exposing you to threats beyond the network perimeter that you are powerless to control. In today’s complex digital ecosystems, confidential data is routinely shared between thousands of diverse technologies. Some you never knew existed. If any one of these suppliers incurs a data breach – whether through human error, password re-use or misconfiguration – everyone in the supply chain is immediately at risk. The same holds true if a Critical National Infrastructure organisation is breached by a nation state actor. Everyone in the supply chain should straight away be on red alert. In this situation there are several options available to organisations to reduce their digital risk profile. One of the most effective is to add specially tagged synthetic identities to confidential datasets. Using an automated monitoring system to identify this data outside your network perimeter can ensure that, if the data ever gets leaked or misused, you’ll be the first to find out.  Read Less
Dave Weinstein
February 11, 2020
CSO
Claroty

The similarities between Kwampirs and Shamoon is particularly concerning, given that the latter is linked to APT33.
The similarities between Kwampirs and Shamoon is particularly concerning, given that the latter is linked to APT33 which has recently set its sights on ICS targets. The targeting of the software supply chain vendors is consistent with APT33's modus operandi of compromising individuals with one or two degrees of separation from the ultimate target. Owners and operators of critical infrastructure, especially in the oil and gas sector, should be vigilant of their communications with these third.....Read More
The similarities between Kwampirs and Shamoon is particularly concerning, given that the latter is linked to APT33 which has recently set its sights on ICS targets. The targeting of the software supply chain vendors is consistent with APT33's modus operandi of compromising individuals with one or two degrees of separation from the ultimate target. Owners and operators of critical infrastructure, especially in the oil and gas sector, should be vigilant of their communications with these third parties. As a best practice, all remote access connections should be monitored to prevent an account compromise that might expose an operational technology (OT) network.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

15 Schools Hit By Cyberattack In Nottinghamshire

Qualys Hit With Ransomware And Customer Invoices Leaked

Experts Reaction On PrismHR Hit By Ransomware Attack

Expert Insight On Ryuk’s Revenge: Infamous Ransomware Is Back And...

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords