Orangeworm, a New Hacking Group Targeting Healthcare Industry

Security researchers at Symantec have discovered a hacker group that is attacking the healthcare industry. Dubbed Orangeworm, the group has been installing a backdoor called Trojan.Kwampirs on machines that are used to control medical equipment like X-ray and MRI systems. In addition, Orangeworm also seems interested in machines that are used to help patients in filling out consent forms for required procedures.

Trojan.Kwampirs creates backdoor remote access to the compromised system and starts collecting information about the computer. Symantec believes that Orangeworm probably uses this information to determine whether a researcher or a high-value target uses the system. If Orangeworm finds that the victim is a person of interest, it moves in to infect other computers on the network. Trojan.Kwampirs creates a service to ensure persistence, so that the main payload is loaded into memory during system reboot.

"When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections," explained Symantec's Security Response Attack Investigation Team in a blog post.

The healthcare industry is not the sole target of Orangeworm. According to Symantec, Orangeworm is also targeting manufacturing, IT, agriculture, and logistics companies. According to Symantec, "While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products."

The US tops the charts of victims, followed by India and European countries.

Meltdown and Spectre Revisit Intel, AMD, and ARM Processors

Researchers from Google and Microsoft have discovered new flaws in AMD, ARM, and Intel processors.

Microsoft has published a technical analysis of Speculative Store Bypass (SSB), which has been assigned CVE-2018-3639. The vulnerability was discovered by Ken Johnson of the Microsoft Security Response Center (MSRC) and Jann Horn (@tehjh) of Google Project Zero (GPZ).

"SSB arises due to a CPU optimization that can allow a potentially dependent load instruction to be speculatively executed ahead of an older store. Specifically, if a load is predicted as not being dependent on a prior store, then the load can be speculatively executed before the store. If the prediction is incorrect, this can result in the load reading stale data and possibly forwarding that data onto other dependent micro-operations during speculation. This can potentially give rise to a speculative execution side channel and the disclosure of sensitive information," Microsoft wrote in a blog post.

At the moment, Microsoft is downplaying the impact of the vulnerability and said that the risk posed by it to Microsoft customers is low. "We are not aware of any exploitable instances of this vulnerability class in our software at this time, but we are continuing to investigate and we encourage researchers to find and report any exploitable instances of CVE-2018-3639 as part of our Speculative Execution Side Channel Bounty program. We will adapt our mitigation strategy for CVE-2018-3639 as our understanding of the risk evolves," said the company in a blog post.

The company has already released some fixes to mitigate Spectre and Meltdown, but as the Meltdown and Spectre stories continue to evolve, these companies will be on their toes to keep up with new discoveries.

Docker EE 2.0 Announced

Docker Inc. has announced the release of Docker Enterprise Edition (EE) 2.0, comes with Kubernetes as a fully supported orchestration tool.

Docker said that the Docker Desktop integration of a complete Kubernetes stack ensures that developers can seamlessly leverage features like multistage builds, application composition (Docker Compose), and in-container development and have these features run consistently from development all the way to production.

"Developers have the flexibility to write their application with Docker and then can choose their orchestrator without requiring any additional modification. Similarly, developers can maintain their Docker native workflows while experimenting with Kubernetes native tools and commands," said the company in a press release.

Docker made it easier for users to consume containers, which also lead to the microservices/containerization movement. Getting started with technologies like Kubernetes, Cloud Foundry, and OpenStack can be challenging, and Docker EE 2.0 is designed to reduce that learning curve.

"Docker EE provides a unified operational model that simplifies the use of Kubernetes for those who want the capabilities for their application delivery environment, but do not want to hire a team of Kubernetes experts," Docker said in the press release.

In an phone interview, David Messina, CMO of Docker Inc., told us that the company is focusing on three areas with this release: agility, security, and choices. Elaborating on the choice part, Messina said that Docker EE is the only container platform that can run on multiple Linux distributions, Windows, mainframes, and a hybrid cloud environment.

"Docker EE 2.0 is the only solution that delivers a policy-based secure supply chain that is designed to give you governance and oversight over the entire container lifecycle without slowing you down," said Vivek Saraswat, group product manager at Docker Inc.