Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, pharmaceutical firms, research institutions, and others involved in the COVID-19 response, prompting a further joint alert from cybersecurity authorities in the United States and United Kingdom.
The latest warning from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) follows on from an earlier joint alert issued on April 8, 2020 and provides further information on the tactics, techniques, and procedures being used by the APT groups to gain access to networks and sensitive data.
In the latest alert, CISA/NCSC explained that APT groups are targeting organizations involved in COVID-19 research to obtain sensitive information on the COVID-19 response and research data to further the domestic research efforts in countries that fund the APT groups.
APT groups often target healthcare organizations to obtain personal information of patients, intellectual property, and intelligence that aligns with national priorities. The groups do not appear to be conducting a higher number of attacks; they have shifted their focus and are now concentrating on organizations engaged in the response to COVID-19. CISA/NCSC warn that these efforts are continuing, with national and international healthcare organizations being targeted in order to acquire sensitive COVID-19 research data.
One of the ways that the attacks are being conducted is to target supply chains, which are seen as a weak link that can be exploited to gain access to higher value targets. Many employees of organizations in the supply chain are now working from home due to the COVID-19 lockdown, and new vulnerabilities have been introduced as a result.
The APT groups are using a variety of methods to infiltrate networks, gain persistence, and steal sensitive data. The alert raises awareness of two tactics that have been observed over the past few weeks: Exploitation of vulnerabilities and password spraying.
Many employees have been forced to work from home during the pandemic to help control the spread of the virus and are accessing their corporate networks using virtual private networks (VPNs). Several commercial VPN products have had exploitable vulnerabilities disclosed, and those flaws are now being actively exploited. In 2019, VPN solutions from Palo Alto Networks, Pulse Secure, and Fortinet were found to have vulnerabilities, and patches were released to correct them. Many organizations also remain vulnerable to the Citrix ADC and Gateway vulnerability CVE-2019-19781. Patches for all of these flaws were released several months ago, but many organizations have not yet applied them. APT groups have been observed scanning for organizations that have not patched the Citrix and VPN vulnerabilities and are exploiting the flaws to gain access.
APT groups are also conducting password spraying attacks to gain access to corporate systems. Password spraying is a form of brute force attack built around commonly used passwords. Rather than trying many passwords against one account, the attacker takes a single common password and tries it against many accounts, then repeats the process with a second password, and so on, until a password is found that grants access to some account.
CISA/NCSC warn that this tactic is often successful, because within any large group of users some will have chosen commonly used passwords. Trying one password across many accounts before moving on to the next also helps the attackers stay undetected: each individual account sees only a few failed attempts, so the activity is unlikely to trigger account lockouts that are based on too many failures in a short period of time.
Once an attack succeeds and a correct password is found, the password is used to access other accounts where the password has been reused. Attackers also download global address lists which are used for further password spraying attacks on the organization. The attackers also attempt to move laterally to steal additional credentials and sensitive data.
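The two preceding paragraphs make a detection point that is easy to miss: a lockout rule that counts failures per account sees a spray as a handful of harmless mistakes, while the same events grouped by source address across distinct accounts stand out immediately. The following Python script is an added example, not code from the CISA/NCSC alert or from the article; the log format, thresholds, and the log lines themselves are constructed for illustration. It implements both views side by side and then lists any login that succeeded from a spraying source, which is the "correct password found" moment described above.

```python
"""Password spraying vs. per-account lockout logic over constructed auth logs.

Added example (not from the CISA/NCSC alert). The syslog-like format,
thresholds and addresses are assumptions made for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.7 sprays one
# password across six accounts and finally succeeds against 'grace';
# 198.51.100.9 brute-forces the single account 'ivan'; 192.0.2.44 is a
# legitimate user who mistyped once.
SAMPLE_LOG = """\
2020-05-05T09:00:01Z auth: FAIL user=alice src=203.0.113.7
2020-05-05T09:00:04Z auth: FAIL user=bob src=203.0.113.7
2020-05-05T09:00:07Z auth: FAIL user=carol src=203.0.113.7
2020-05-05T09:00:10Z auth: FAIL user=dave src=203.0.113.7
2020-05-05T09:00:13Z auth: FAIL user=erin src=203.0.113.7
2020-05-05T09:00:16Z auth: FAIL user=frank src=203.0.113.7
2020-05-05T09:00:19Z auth: OK   user=grace src=203.0.113.7
2020-05-05T09:01:00Z auth: FAIL user=ivan src=198.51.100.9
2020-05-05T09:01:02Z auth: FAIL user=ivan src=198.51.100.9
2020-05-05T09:01:04Z auth: FAIL user=ivan src=198.51.100.9
2020-05-05T09:01:06Z auth: FAIL user=ivan src=198.51.100.9
2020-05-05T09:01:08Z auth: FAIL user=ivan src=198.51.100.9
2020-05-05T09:05:00Z auth: FAIL user=heidi src=192.0.2.44
2020-05-05T09:05:30Z auth: OK   user=heidi src=192.0.2.44
"""

# Assumed line layout: "<ISO timestamp> auth: <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user,
            "src": src,
        })
    return events


def per_account_lockouts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic lockout rule: N failures against ONE account inside the window.

    Returns the set of accounts that would be locked. A spray leaves each
    account with one or two failures, so spray targets never appear here.
    """
    by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_user[e["user"]].append(e["ts"])
    locked = set()
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                locked.add(user)
                break
    return locked


def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Spray rule: ONE source failing against MANY distinct accounts in the window.

    Returns {source_ip: set_of_accounts_tried} for every source that crosses
    the threshold. Grouping by source rather than by account is what makes
    the low-and-slow pattern visible.
    """
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append((e["ts"], e["user"]))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = users
                break
    return alerts


def successes_after_spray(events, spray_alerts):
    """Successful logins from a spraying source: the account whose password was guessed."""
    return [(e["src"], e["user"]) for e in events if e["ok"] and e["src"] in spray_alerts]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(ev))
    spray = detect_spray(ev)
    print("spray sources:", {s: sorted(u) for s, u in spray.items()})
    print("successful logins from spray sources:", successes_after_spray(ev, spray))
```

On the constructed data the lockout rule catches only the brute force against `ivan`, while the per-source rule flags `203.0.113.7` and the subsequent success for `grace`, which is the account that should be reset and investigated first. In a real deployment the source key will often need to be a source network or an ASN rather than a single address, since sprays are commonly spread across many IPs to stay under exactly this kind of rule.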
CISA/NCSC have provided mitigations that will help healthcare organizations harden security against these attacks. These include ensuring that VPN clients and infrastructure are updated and running the latest software versions, and patching all other software and operating systems promptly. Multi-factor authentication should be enforced so that a stolen or guessed password alone is not enough to access an account; the management interfaces of critical systems should be protected to prevent attackers from gaining privileged access to vital assets; and monitoring capability should be stepped up to identify network intrusions. Because a spray produces only a handful of failures per account, lockout thresholds alone will not catch it, so monitoring should also correlate failed logins by source across many accounts.
The full CISA/NCSC alert, with its mitigations and other useful resources, is available from CISA.