by Margaret Young Levi and Kathie McDonald-McClure

On May 5, 2020, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of techniques that advanced persistent threat (APT) groups are using to exploit the COVID-19 pandemic.
APT groups target and exploit organizations responding to COVID-19, such as healthcare organizations, pharmaceutical companies, universities, medical research organizations, and local governments. These groups seek to steal “bulk personal information, intellectual property, and intelligence that aligns with national priorities.” For example, pharmaceutical companies, medical research organizations, and universities have been targeted in order to steal sensitive research into COVID-19-related medicine for both commercial and governmental benefit.
These cybercriminals employ a variety of techniques to steal data.
One way cybercriminals invade a network is simply to take advantage of unpatched software. As more people are working remotely, the APT groups scan for vulnerabilities in unpatched software on Citrix and virtual private network (VPN) products that allow people to work from home with a remote connection to their business network.
Another method APT groups are using against healthcare entities is to conduct large-scale password spraying campaigns. Password spraying is a type of brute force attack in which cybercriminals try one common password against many accounts before moving on to try a second common password, and a third, etc. This technique spaces out the attempts on each account and allows the attacker to avoid being locked out or detected because they tried too frequently or too close in time. If someone uses a common password, such as “123456” or “password1” or the name of the organization, then a password spraying attack has a greater chance of successfully compromising an email account, which, in turn, can permit criminals to access other corporate accounts and networks.
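Because a spray spreads its guesses across many accounts, per-account lockout counters never trip; the signal has to be computed per source. The following added example (not from the advisory or this post) runs that check over a constructed sample log; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): time, source, account, result.
# 203.0.113.7 makes one guess per account across many accounts (a spray);
# 198.51.100.9 hammers a single account (classic brute force, which lockout catches).
SAMPLE_LOG = """\
2020-05-05T09:00:01 203.0.113.7 alice FAIL
2020-05-05T09:00:04 203.0.113.7 bob FAIL
2020-05-05T09:00:07 203.0.113.7 carol FAIL
2020-05-05T09:00:10 203.0.113.7 dave FAIL
2020-05-05T09:00:13 203.0.113.7 erin FAIL
2020-05-05T09:00:16 203.0.113.7 frank SUCCESS
2020-05-05T09:01:00 198.51.100.9 alice FAIL
2020-05-05T09:01:03 198.51.100.9 alice FAIL
2020-05-05T09:01:06 198.51.100.9 alice FAIL
"""

def parse_log(text):
    """Parse the assumed whitespace-separated format into (time, ip, user, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_sprays(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources whose failures in one window touch many accounts with few tries each.
    Returns {ip: {"accounts": sprayed accounts, "successes": accounts that later logged in}}."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)
    findings = {}
    for ip, rows in fails.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                # any success from a spraying source is the account to investigate first
                findings[ip] = {"accounts": sorted(per_user),
                                "successes": sorted(successes[ip])}
                break
    return findings
```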
In light of this uptick in cyber activity, CISA and NCSC advise organizations to take the following steps to reduce the chance of compromise from these types of attacks:
- Strengthen password policies and require robust passwords. NCSC has provided examples of frequently found passwords, which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. Employees should be warned not to use any of the 100,000 passwords on this list as well as to avoid any password based on the name of their company. CISA and NCSC have published these helpful resources for organizations on password spraying and improving password policies:
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations. See CISA’s guidance on enterprise VPN security and NCSC guidance on virtual private networks for more information.
- Use multi-factor authentication to reduce the impact of password compromises. See the U.S. National Cybersecurity Awareness Month’s how-to guide for multi-factor authentication. Also see NCSC guidance on multi-factor authentication services and setting up two-factor authentication.
- Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers from easily gaining privileged access to your most vital assets. See the NCSC blog on protecting management interfaces.
- Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See the NCSC introduction to logging for security purposes.
- Review and refresh your incident management processes. See the NCSC guidance on incident management.
- Use modern systems and software. Modern systems and software have better security built in. If you cannot move off out-of-date platforms and applications immediately, then there are short-term steps you can take to improve your position. See the NCSC guidance on obsolete platform security.
- Invest in preventing malware-based attacks across various scenarios. See CISA’s guidance on ransomware and protecting against malicious code. Also see the NCSC guidance on mitigating malware and ransomware attacks.
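The first recommendation above, a banned-password list plus a ban on the company name, only works if the check normalizes what users actually type (capitalization, leetspeak, a trailing year or punctuation). This added example (not from the advisory or this post) shows such a check; the short banned list, the organization name and the 12-character minimum are constructed stand-ins, and in practice the NCSC list would be loaded from file.

```python
import re

# Constructed stand-in for the NCSC list of frequently found passwords (the real list
# has 100,000 entries); the organization name is a placeholder.
BANNED = {"123456", "password", "password1", "qwerty", "letmein", "welcome"}
COMPANY_NAMES = {"ExampleHealth", "Example Health"}

# Common substitutions users make to get past naive complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(pw):
    """Lower-case, drop trailing digits/punctuation, then undo leetspeak, so that
    'P@ssw0rd2020!' collapses to 'password' before the list lookup."""
    core = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", core)
    return core.translate(LEET)

def check_password(pw, banned=BANNED, company_names=COMPANY_NAMES, min_len=12):
    """Return the list of policy violations; an empty list means the password is accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    core = normalize(pw)
    if pw.lower() in banned or core in banned:
        reasons.append("on banned-password list")
    compact = core.replace(" ", "")
    if any(name.lower().replace(" ", "") in compact for name in company_names):
        reasons.append("contains company name")
    return reasons
```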
*Other COVID-19 related cyber security alerts include: A previous alert by CISA, COVID-19 Exploited by Malicious Cyber Actors, April 8, 2020 (Alert AA20-099A), and an alert by the Federal Bureau of Investigation (FBI), COVID-19 Email Phishing Against US Healthcare Providers, April 21, 2020 (Alert No. MI-000122-MW), on which we report here.*
For additional guidance on responding to a cyber security incident within the first 24-48 hours afterward, see our Six Tips, which can also be found on the blog’s Data Incident Response Team tab. For information about Wyatt’s Data Privacy & Security Incident Response Team, see the tab on this blog to the Data Incident Response Team and our Data Privacy & Incident Response Team brochure.