A new advisory from U.S. and U.K. cybersecurity officials warns healthcare organizations that bad actors are trying to steal research related to COVID-19.
The joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre (NCSC) says there are indications that Advanced Persistent Threat (APT) actors are targeting organizations involved in both national and international coronavirus responses.
Targeted groups include healthcare bodies, pharmaceutical companies, academia, medical researchers and local governments, the advisory says. These actors are seeking bulk personal information, intellectual property and intelligence that aligns with national priorities.
“The pandemic has likely raised additional requirements for APT actors to gather information related to COVID-19,” the agencies said. “For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research.”
Organizations involved in coronavirus-related research are particularly attractive targets for hacking groups looking to obtain information for their domestic research efforts into COVID-19 related medicine, the advisory says.
Thanks to a rapid shift to remote work, the supply chain and network infrastructure of these organizations are especially vulnerable, the agencies say.
The global reach and international supply chains of these organizations increase exposure to malicious actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many elements of the supply chains will also have been affected by the shift to remote working and the new vulnerabilities that have resulted.
Recently, the NCSC and CISA have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of the Citrix vulnerability CVE-2019-19781 and vulnerabilities in Virtual Private Network (VPN) products from the vendors Pulse Secure, Fortinet and Palo Alto.
The agencies also say they’re investigating large-scale password-spraying campaigns, in which bad actors try commonly used passwords against many accounts but avoid account lockouts by trying each password only once against each account before moving on to the next password.
Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actor will then ‘spray’ the identified accounts with lists of commonly used passwords. Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.
In previous incidents investigated by the NCSC and CISA, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL). The actors then used the GAL to password spray further accounts.
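As an added example (not code from the advisory or this article), the following detector illustrates the defender-side signature of the spraying pattern described above: one source failing logons against many distinct accounts with very few failures per account, then succeeding on one of them. The log format and all addresses and usernames are constructed for the example.

```python
# Password-spray detector over constructed authentication log lines.
# Spraying inverts brute force: one common password is tried against many
# accounts, so no single account accumulates enough failures to lock out.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory): "timestamp source_ip user result"
SAMPLE_LOG = """\
2020-05-05T09:00:01 203.0.113.7 alice FAIL
2020-05-05T09:00:03 203.0.113.7 bob FAIL
2020-05-05T09:00:05 203.0.113.7 carol FAIL
2020-05-05T09:00:07 203.0.113.7 dave FAIL
2020-05-05T09:00:09 203.0.113.7 erin FAIL
2020-05-05T09:00:11 203.0.113.7 frank SUCCESS
2020-05-05T09:01:00 198.51.100.9 alice FAIL
2020-05-05T09:01:02 198.51.100.9 alice FAIL
2020-05-05T09:01:04 198.51.100.9 alice FAIL
2020-05-05T09:01:06 198.51.100.9 alice FAIL
"""

def parse_log(text):
    """Parse the constructed format into (time, source, user, result) tuples."""
    return [(datetime.fromisoformat(t), s, u, r)
            for t, s, u, r in (ln.split() for ln in text.splitlines() if ln.strip())]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source: {"targets": [...], "successes": [...]}} for spraying sources.

    A source is flagged when, inside `window`, its failed logons span at least
    `min_accounts` distinct accounts and no account exceeds `max_per_account`
    failures. 198.51.100.9 above hammers one account (classic brute force) and is
    deliberately not matched; "successes" lists accounts the flagged source also
    logged into, i.e. the compromised foothold the advisory describes.
    """
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            wins[src].add(user)
    flagged = {}
    for src, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            per_account = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged[src] = {"targets": sorted(per_account), "successes": sorted(wins[src])}
                break
    return flagged
```

Tune `min_accounts` and `window` to the size of the directory being protected; a flagged source that also shows a success is the case where the compromised account should be reset and its mailbox and directory reads reviewed.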