Advanced Persistent Threat (APT) groups are continuing to exploit the SARS-CoV-2 (COVID-19) pandemic and are conducting cyberattacks on the healthcare sector and other essential services. The groups have several aims that align with the objectives of the nation states that fund these APT groups. These include obtaining large volumes of personal information, stealing intellectual property, as well as accessing information directly related to the COVID-19 response and research.
Attacks have been conducted on healthcare providers, pharmaceutical companies, research organizations, academic institutions, and local governments and APT groups are attempting to compromise supply chains. A variety of methods are used to conduct these attacks, including phishing and spear phishing attacks, brute force attacks to guess passwords, and the use of malware to obtain a persistent presence in the targeted organizations’ networks.
On May 5, 2020, a joint alert was issued by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) that warns of ongoing attacks. CISA-NCSC issued an earlier joint alert on these attacks on April 8, 2020, with the latest alert providing further information on the attack techniques now being used.
The alert warns of ongoing attacks on pharmaceutical companies, medical research organizations, and universities. These entities were targeted by APT groups before the pandemic, but attacks have been stepped up on entities that are involved in the COVID-19 response. These organizations are being targeted to obtain research data and other COVID-19 related information to help further the domestic research programs of the nation states funding the attacks.
These organizations often have mature cybersecurity programs, but there are vulnerabilities that can be exploited. One of the weak links is the supply chain. By conducting attacks on suppliers, who typically have much weaker security controls, the attackers can bypass cybersecurity controls and gain access to their targets’ networks. With many employees now working remotely, new vulnerabilities have been introduced that are being extensively targeted.
CISA-NCSC warns that it has observed an increase in scans of external websites of targeted companies to identify unpatched vulnerabilities. One of the most commonly exploited vulnerabilities is the CVE-2019-19781 Citrix vulnerability. Vulnerabilities in VPN solutions from Pulse Secure, Fortinet, and Palo Alto Networks are also being exploited. A patch was released for the vulnerability in April 2019, but many companies have not yet applied the patch.
APT groups are also conducting password-spraying attacks, which is a type of brute force attack to guess passwords. The passwords used in these attacks have been obtained from previous data breaches and take advantage of password reuse across multiple platforms.
Many companies have implemented controls that lock accounts after a set number of password failures to prevent brute force attacks from succeeding. To get around this measure, a single password is tried against many different accounts before a second password is attempted, so no individual account accumulates enough failures to trigger the lockout.
Once access has been gained to an account, the threat actors try to compromise further accounts and move laterally with the aim of gaining access to high-privilege accounts. CISA-NCSC has observed cases of APT groups compromising an account, obtaining the Global address list and using that list for further password spraying attacks.
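The lockout-evasion pattern described above (one password, many accounts, few failures per account) has a detection signature that is the mirror image of classic brute force (many failures, one account). The script below is an added illustration and is not code from the CISA-NCSC alert or from this article: the log lines are constructed, the `timestamp RESULT user=… src=…` layout is an assumed generic format, and the window and count thresholds are assumptions a defender would tune to their own environment. It flags sources that spray across many accounts, sources that hammer a single account, and, following the alert's observation that a successful compromise is used as a foothold, any successful login from a source that was already spraying.

```python
"""Password-spray vs. brute-force detection over authentication events.

Added example (not from the CISA-NCSC alert). Log format, sample data and
thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: 203.0.113.10 tries one password across five accounts
# (spray) and then succeeds on one; 198.51.100.7 hammers a single account
# (classic brute force); 192.0.2.55 is a user who mistyped once.
SAMPLE_LOG = """\
2020-05-05T08:00:01Z LOGIN_FAILED user=alice src=203.0.113.10
2020-05-05T08:00:03Z LOGIN_FAILED user=bob src=203.0.113.10
2020-05-05T08:00:05Z LOGIN_FAILED user=carol src=203.0.113.10
2020-05-05T08:00:07Z LOGIN_FAILED user=dave src=203.0.113.10
2020-05-05T08:00:09Z LOGIN_FAILED user=erin src=203.0.113.10
2020-05-05T08:00:13Z LOGIN_OK user=grace src=203.0.113.10
2020-05-05T08:01:00Z LOGIN_FAILED user=alice src=198.51.100.7
2020-05-05T08:01:01Z LOGIN_FAILED user=alice src=198.51.100.7
2020-05-05T08:01:02Z LOGIN_FAILED user=alice src=198.51.100.7
2020-05-05T08:01:03Z LOGIN_FAILED user=alice src=198.51.100.7
2020-05-05T08:01:04Z LOGIN_FAILED user=alice src=198.51.100.7
2020-05-05T09:30:00Z LOGIN_FAILED user=bob src=192.0.2.55
2020-05-05T09:30:30Z LOGIN_OK user=bob src=192.0.2.55
"""


def parse_events(text):
    """Parse lines of the assumed format into (ts, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        user = parts[2].split("=", 1)[1]
        src = parts[3].split("=", 1)[1]
        events.append((ts, parts[1], user, src))
    return events


def _failures_by_src(events):
    """Group failed logins by source address, sorted by time."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "LOGIN_FAILED":
            by_src[src].append((ts, user))
    return {src: sorted(fails) for src, fails in by_src.items()}


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Sources that failed against >= min_accounts distinct accounts inside
    one window while keeping each account under the lockout threshold."""
    flagged = {}
    for src, fails in _failures_by_src(events).items():
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[src] = sorted(per_user)
                break
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """(src, user) pairs with >= min_failures failures on one account in a window."""
    flagged = {}
    for src, fails in _failures_by_src(events).items():
        stamps = defaultdict(list)
        for ts, user in fails:
            stamps[user].append(ts)
        for user, times in stamps.items():
            for i, start in enumerate(times):
                n = sum(1 for t in times[i:] if t - start <= window)
                if n >= min_failures:
                    flagged[(src, user)] = n
                    break
    return flagged


def successes_after_spray(events, **kw):
    """Accounts that logged in successfully from a source already flagged as
    spraying: the highest-priority signal, since it marks a likely foothold."""
    sprayers = detect_password_spray(events, **kw)
    hits = defaultdict(list)
    for _, result, user, src in events:
        if result == "LOGIN_OK" and src in sprayers:
            hits[src].append(user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spray:", detect_password_spray(evs))
    print("brute force:", detect_brute_force(evs))
    print("foothold candidates:", successes_after_spray(evs))
```

The spray detector deliberately requires *few* failures per account, because a per-account failure counter (the control most organizations already have) never fires on this pattern; the two detectors therefore complement rather than duplicate each other. In production the same logic would be keyed on the source of the authentication request as seen by the identity provider or VPN gateway, and the success-after-spray output is the list to act on first.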
There are several steps that can be taken to harden security defenses and prevent these attacks from succeeding, which are detailed in the latest CISA-NCSC Alert.
All organizations involved in the COVID-19 response are strongly advised to access the resources on the above link and take steps to harden their defenses.