Advanced Persistent Threat (APT) groups continue to target healthcare companies, research groups, pharmaceutical firms, and other organizations actively involved in the COVID-19 response. In response, the United Kingdom and United States cybersecurity authorities have issued another joint alert.
The prior advisory from the UK's National Cyber Security Centre (NCSC) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) was published on April 8, 2020. The latest alert provides considerably more detail on the techniques, tools, and procedures APT groups use to gain access to systems and sensitive data.
In the latest alert, CISA/NCSC note that APT groups are focusing more effort on institutions participating in COVID-19 research, seeking sensitive information on the COVID-19 response along with research data that can advance domestic research programs in the countries that fund those groups.
APT groups generally target healthcare companies to obtain patients' personal information, intellectual property, and information that aligns with their sponsoring country's priorities. The groups do not appear to be conducting more attacks than before; rather, they have shifted their targeting and now focus on institutions engaged in responding to COVID-19. CISA/NCSC state that campaigns to obtain sensitive data are ongoing, with national and international healthcare organizations being targeted for sensitive COVID-19 research data.
Some APT groups attack supply chains, which are regarded as a weak link that can be used to gain access to more valuable victims. Supply chains are considered especially vulnerable during the COVID-19 lockdown because many employees of firms in the supply chain are working from home.
The APT groups use diverse methods to access networks, take control, and steal sensitive data. The alert raises awareness of two techniques in particular, vulnerability exploitation and password spraying, which were discovered only a few weeks ago.
Employees working from home during the pandemic connect to their corporate systems using virtual private networks (VPNs). Many commercial VPN products have vulnerabilities that attackers are already exploiting. In the past year, VPN solutions from Pulse Secure, Fortinet, and Palo Alto Networks had vulnerabilities for which patches were available to resolve the problems. Many companies are similarly affected by the Citrix vulnerability CVE-2019-19781. Patches had been available for a couple of months, but numerous companies did not apply them, leaving them vulnerable to attack. APT groups are scanning for organizations exposed to the Citrix and VPN vulnerabilities and are targeting them.
APT groups are also conducting password spraying attacks to gain access to corporate networks. Password spraying is a form of brute force attack: the attacker takes a single commonly used password and tries it against many accounts, then repeats the process with another password. Because each account sees only one attempt per password, the attacker avoids triggering account lockouts, and the tactic is typically effective.
When an attacker guesses a password correctly, it is tried against other accounts as well. Attackers are also able to obtain global address lists that they then use in further password spraying attacks. From there, attackers move laterally where possible to steal additional credentials and sensitive records.
CISA/NCSC offered the following mitigations to help healthcare organizations strengthen their security:
- Ensure VPN clients and infrastructure run up-to-date software, using the latest versions.
- Apply patches to all software and operating systems promptly.
- Use multi-factor authentication to prevent accounts from being accessed with stolen or brute-forced passwords.
- Secure the management interfaces of critical systems so that attackers cannot gain privileged access to vital assets.
- Enhance monitoring capability to identify network intrusions.
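As an added example (not part of the alert or this article), the following Python heuristic shows what the monitoring mitigation above can look like for the password spraying pattern described earlier: it runs over a constructed set of authentication log lines, separates one source making a single failed attempt against many accounts from a user mistyping their own password, and lists the accounts that subsequently succeeded from the spraying source. The log format, field names, IP addresses, and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log in a hypothetical "auth=... user=... src=..." format.
# Source 203.0.113.5 tries one guess against many accounts (spraying) and
# eventually lands one; 198.51.100.7 is a user mistyping their own password.
SAMPLE_LOG = """\
2020-05-05T09:00:01Z auth=FAIL user=alice src=203.0.113.5
2020-05-05T09:00:03Z auth=FAIL user=bob src=203.0.113.5
2020-05-05T09:00:05Z auth=FAIL user=carol src=203.0.113.5
2020-05-05T09:00:07Z auth=FAIL user=dave src=203.0.113.5
2020-05-05T09:00:09Z auth=FAIL user=erin src=203.0.113.5
2020-05-05T09:00:11Z auth=OK user=frank src=203.0.113.5
2020-05-05T09:01:00Z auth=FAIL user=grace src=198.51.100.7
2020-05-05T09:01:02Z auth=FAIL user=grace src=198.51.100.7
2020-05-05T09:01:04Z auth=OK user=grace src=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) auth=(FAIL|OK) user=(\S+) src=(\S+)$")

def parse(lines):
    """Yield (timestamp, result, user, src); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(lines, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Map src -> sorted accounts for sources whose failures hit many distinct
    accounts inside `window` with few attempts each (the spraying signature)."""
    fails = defaultdict(list)  # src -> [(ts, user)]
    for ts, result, user, src in parse(lines):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_from_sprayers(lines, hits):
    """Accounts that later logged in from a spraying source; triage these first."""
    return sorted({u for _, r, u, src in parse(lines) if r == "OK" and src in hits})
```

Thresholds such as five accounts per ten-minute window are a starting point; tune them against your own baseline of ordinary failed logins before alerting on the result.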