CISA and NCSC joint alert: Healthcare and essential services targeted

The U.S. Department of Homeland Security Cybersecurity Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) released a joint alert May 5 on healthcare breaches. The memo updates an April 8 alert on COVID-19 cyber exploitations by addressing recent advanced persistent threats (APTs) on healthcare and essential services. Below is a summary of the alert, details about known attack methods, and mitigation strategies.

Targets of APT groups

APT groups are actively targeting healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments. Recent news trace cyberattacks on U.K. universities, attempting to produce vaccines and testing kits, to APT groups from Russia and Iran. CISA and NCSC believe that these APTs want to obtain intelligence on behalf of foreign states, for their domestic fights against COVID-19. And cybercriminals are hoping that cybersecurity is taking a back seat because of other priorities. Bryan Ware, CISA Assistant Director of Cybersecurity, responded by saying: “CISA has prioritized our cybersecurity services to healthcare and private organizations that provide medical support services and supplies in a concerted effort to prevent incidents and enable them to focus on their response to COVID-19.”

Exploiting known vulnerabilities

The agencies believe cyber actors scan targeted companies for technological vulnerabilities either brought on or exacerbated by the current situation. First, unpatched or outdated software and hardware, utilized by many within the healthcare industry, open doors for many cybercriminals. For example, APT groups are known to recently benefit from problems with virtual private network (VPN) services. Second, supply chain hacking allows access to a target through small third-party vendors with weak cybersecurity. Indeed, vendor/business associate hacks were one of the major reasons for breaches last year. And finally, more remote workers mean spikes in brute force attacks, especially on remote desktop protocol servers.

SEE RELATED: Working from Home during COVID-19 Pandemic By exploiting known weaknesses, APT actors are more than likely to find the intelligence they seek.

Password spraying

Password spraying is a well-known, brute force method in which cybercriminals try common passwords on numerous accounts at the same time. The basic idea is that someone in every organization utilizes at least one of these passwords. According to a 2015 NCSC research study, 75% of participants had accounts with passwords that featured in the top known 1,000 passwords. Eighty-seven percent had accounts with passwords that featured in the top 10,000. And a 2020 survey found that over 99% of its participants reused passwords, between old and new employees and/or on other work-related or personal accounts, as well. By collating employee usernames from online sources, APTs can ‘spray’ accounts using common password lists. And once a password works, cybercriminals: 1) Access other accounts from the same user (that might use the same credentials) 2) Access other employees using an organization’s Global Address List 3) Move laterally through an organization’s network looking for intelligence. Unfortunately, password spraying typically evades most detections and instead looks like an isolated failed login from a user.

How to protect yourself?

• Malware/spam filters
• VPNs
• Network infrastructure devices
• Management interface protections
• Remote working devices and software
• Security monitoring capabilities
• Incident management processes

To add to this, organizations should ask employees to employ multi-factor authentication and high password complexity. NCSC recommends having employees use three random words for passwords. Furthermore, an organization’s IT should perform regular password audits against common passwords lists. And finally, healthcare organizations must ensure that they have HIPAA compliant email for added data protection. CISA and NCSC will release more information on COVID-19 cyber exploitations as needed.