CERT mailing list archives

AA20-126A: APT Groups Target Healthcare and Essential Services


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 05 May 2020 14:20:15 +0000


National Cyber Awareness System:



AA20-126A: APT Groups Target Healthcare and Essential Services [ https://www.us-cert.gov/ncas/alerts/AA20126A ] 
05/05/2020 08:58 AM EDT 
Original release date: May 5, 2020

Summary

*This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure 
Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC).*

CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus 
Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT 
groups against organizations involved in both national and international COVID-19 responses. It describes some of the 
methods these actors are using to target organizations and provides mitigation advice.

The joint CISA-NCSC Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors [ 
https://www.us-cert.gov/ncas/alerts/aa20-099a ] from April 8, 2020, previously detailed the exploitation of the 
COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update on ongoing malicious 
cyber activity relating to COVID-19. For a graphical summary of CISA's joint COVID-19 Alerts with NCSC, see the 
following guide [ 
https://www.cisa.gov/sites/default/files/publications/Joint_CISA_UK_Tip-COVID-19_Cyber_Threat_Exploitation_S508C.pdf ].

COVID-19-related targeting

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These 
organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local 
governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and 
intelligence that aligns with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For 
example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive 
data on COVID-19-related research.

Targeting of pharmaceutical and research organizations

CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical 
companies, medical research organizations, and universities. APT groups frequently target such organizations in order 
to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in 
COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic 
research efforts into COVID-19-related medicine.

These organizations' global reach and international supply chains increase their exposure to malicious cyber actors. 
Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply 
chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.

Recently, CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for 
vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[1] [ 
https://www.us-cert.gov/ncas/alerts/aa20-031a ],[2] [ https://www.ncsc.gov.uk/news/citrix-alert ] and vulnerabilities 
in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[3] [ 
https://www.us-cert.gov/ncas/alerts/aa20-010a ],[4] [ https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities ]

COVID-19-related password spraying activity

CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors 
are using this type of attack to target healthcare entities in a number of countries, including the United Kingdom and 
the United States, as well as international healthcare organizations.

Previously, APT groups have used password spraying to target a range of organizations and companies across 
sectors, including government, emergency services, law enforcement, academia and research organizations, financial 
institutions, and telecommunications and retail companies.

Technical Details

Password spraying [ https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks ] 
is a commonly used style of brute-force attack in which the attacker tries a single, commonly used password against 
many accounts before moving on to a second password, and so on. Because each account sees only one attempt per pass, 
the attacker stays below lockout thresholds and avoids the rapid or frequent account lockouts that would expose a 
conventional brute-force attack. These attacks succeed because, in any large set of users, some will have chosen a 
common password.

Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational 
details and use this information to identify possible accounts for targeted institutions. The actors will then spray 
the identified accounts with lists of commonly used passwords.

Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the 
credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional 
data and implement further attacks against other accounts within the network.

In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email 
accounts in an organization and then, in turn, used these accounts to download the victim organization's Global Address 
List (GAL). The actors then used the GAL to password spray further accounts.
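The spray pattern described above has a recognizable shape in authentication logs: one source fails against many distinct accounts while touching each account only once or twice, then succeeds on one of them. The following is an added example of detection logic for that shape, not code from the alert or from CISA/NCSC. The log format, the sample lines, the source addresses (documentation ranges) and the thresholds are all constructed for illustration; adapt the regular expression to the sign-in export of your identity provider, VPN or mail gateway.

```python
"""Flag password-spraying activity in authentication logs.

Added example, not code from the CISA/NCSC alert. The log format is a
constructed, simplified one (ISO timestamp, result, user, source IP);
adapt LINE_RE to the export of your IdP, VPN, OWA or mail gateway.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: one source tries a single password against twelve
# accounts (one attempt each, so no lockout), then logs in as d.kim;
# a legitimate user mistypes twice; a separate source hammers 'admin'.
_SPRAY_USERS = ["a.smith", "b.jones", "c.diaz", "d.kim", "e.okafor", "f.rossi",
                "g.patel", "h.nguyen", "i.ahmed", "j.baker", "k.lee", "l.zhou"]
SAMPLE_LOG = (
    [f"2020-05-04T09:{i:02d}:00 auth FAIL user={u} src=203.0.113.7"
     for i, u in enumerate(_SPRAY_USERS)]
    + ["2020-05-04T09:12:00 auth OK user=d.kim src=203.0.113.7",
       "2020-05-04T09:05:00 auth FAIL user=m.wong src=198.51.100.5",
       "2020-05-04T09:05:10 auth FAIL user=m.wong src=198.51.100.5",
       "2020-05-04T09:05:20 auth OK user=m.wong src=198.51.100.5"]
    + [f"2020-05-04T10:00:{i:02d} auth FAIL user=admin src=192.0.2.9"
       for i in range(20)]
)


def parse(lines):
    """Parse matching lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "OK",
                           "user": m["user"].lower(), "src": m["src"]})
    return events


def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=10, max_per_account=3):
    """Return one finding per source whose failures, inside `window`, touch
    at least `min_accounts` distinct accounts with no account failing more
    than `max_per_account` times. A single-account brute force fails the
    second condition; a legitimate typo fails the first."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if max(per_user.values()) > max_per_account:
                continue  # repeated hits on one account: not the spray shape
            if best is None or len(per_user) > best["accounts"]:
                best = {"src": src, "accounts": len(per_user),
                        "first": fails[start]["ts"], "last": fails[end]["ts"]}
        if best and best["accounts"] >= min_accounts:
            findings.append(best)
    return findings


def compromised_accounts(events, findings):
    """Accounts that authenticated successfully from a spraying source at or
    after the start of its spray: the first place to look for the foothold
    the alert describes (mailbox access, GAL download, lateral movement)."""
    hits = set()
    for f in findings:
        for e in events:
            if e["ok"] and e["src"] == f["src"] and e["ts"] >= f["first"]:
                hits.add((f["src"], e["user"]))
    return sorted(hits)


def analyze(lines):
    events = parse(lines)
    findings = detect_spray(events)
    return {"sprays": findings,
            "compromised": compromised_accounts(events, findings)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["sprays"]:
        print(f"spray from {f['src']}: {f['accounts']} accounts "
              f"{f['first']:%H:%M}-{f['last']:%H:%M}")
    print("check first:", report["compromised"])
```

Keying on source address catches the simple case only; campaigns of the scale the alert describes are often distributed across many addresses, so the same window logic should also be run keyed on whatever else the attacker holds constant (user agent, the failure reason code your identity provider logs, or the tenant as a whole), and a success from a source that was failing minutes earlier should page someone rather than wait for a report.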

NCSC has previously provided examples of frequently found passwords [ 
https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere ], which attackers are known to use in password spray 
attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often 
use passwords based on the month of the year, seasons, and the name of the company or organization.
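A deny list that understands these shapes, rather than a fixed word list, is what stops the month, season and company-name passwords sprayers rely on. The block below is an added example of such a check, not the NCSC's published list or any CISA/NCSC code: the COMMON set is a constructed illustration (use a real breached-password corpus in production), and the org_terms parameter and the deny_reason name are assumptions made for this example.

```python
"""Reject passwords of the shapes used in password-spray lists: common
passwords (with l33t substitutions undone), month or season plus a
suffix, and the organization's own name plus a suffix.

Added example, not the NCSC's published list; COMMON is a constructed
illustration and org_terms is a constructed parameter.
"""
import re

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
COMMON = {"password", "password1", "welcome", "welcome1", "letmein",
          "qwerty", "qwerty123", "123456", "changeme"}
# Substitutions that turn P@ssw0rd back into password before comparing.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "4": "a", "$": "s",
                      "1": "l", "!": "i"})


def _forms(password):
    """Lowercase, de-leeted and stemmed (trailing digits/punctuation removed)
    variants of the password, e.g. Summer2020! -> {summer2020!, ..., summer}."""
    low = password.lower()
    forms = {low, low.translate(LEET)}
    return forms | {re.sub(r"[^a-z]+$", "", f) for f in forms}


def deny_reason(password, org_terms=()):
    """Return why the password is denied, or None if it passes.

    org_terms: names/abbreviations of the organization, compared with
    spaces removed, so "Acme Health" also catches AcmeHealth2020.
    """
    forms = _forms(password)
    if forms & COMMON:
        return "common password"
    if forms & (MONTHS | SEASONS):
        return "month or season plus suffix"
    terms = {re.sub(r"\s+", "", t.lower()) for t in org_terms} - {""}
    for f in forms:
        for t in terms:
            # the name plus at most a few letters before the stripped suffix
            if (f.startswith(t) or f.endswith(t)) and len(f) <= len(t) + 4:
                return "organization name plus suffix"
    return None


if __name__ == "__main__":
    for pw in ["Summer2020!", "P@ssw0rd", "AcmeHealth123", "May2020",
               "correct-horse-battery-staple"]:
        print(f"{pw:32} -> {deny_reason(pw, ['Acme Health', 'ACME'])}")
```

Run the check at password set and reset time and, for directories that already exist, offline against password hashes with the same patterns; the deny list reduces how many accounts a spray can hit, but it is the multi-factor authentication recommended in the Mitigations section that limits what a hit is worth.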

CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will 
continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA 
and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.

Mitigations

CISA and NCSC have previously published information for organizations on password spraying and improving password 
policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.


  * CISA alert on password spraying attacks [ https://www.us-cert.gov/ncas/alerts/TA18-086A ] 
  * CISA guidance on choosing and protecting passwords [ https://www.us-cert.gov/ncas/tips/ST04-002 ] 
  * CISA guidance on supplementing passwords [ https://www.us-cert.gov/ncas/tips/ST05-012 ] 
  * NCSC guidance on password spraying attacks [ 
https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks ] 
  * NCSC guidance on password administration for system owners [ https://www.ncsc.gov.uk/collection/passwords ] 
  * NCSC guidance on password deny lists [ https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere ] 

CISA's Cyber Essentials [ 
https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf ] for small 
organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT 
professionals to put that culture into action. Additionally, the UK government's Cyber Aware [ 
https://www.ncsc.gov.uk/cyberaware/home ] campaign provides useful advice for individuals on how to stay secure online 
during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.

A number of other mitigations will be of use in defending against the campaigns detailed in this report:


  * *Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the 
latest software patches and configurations.* See CISA's guidance on enterprise VPN security [ 
https://www.us-cert.gov/ncas/alerts/aa20-073a ] and NCSC guidance on virtual private networks [ 
https://www.ncsc.gov.uk/collection/mobile-device-guidance/virtual-private-networks ] for more information. 
  * *Use multi-factor authentication to reduce the impact of password compromises.* See the U.S. National Cybersecurity 
Awareness Month's how-to guide for multi-factor authentication [ 
https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_howtoguidemfa_508.pdf?trackDocs=ncsam_howtoguidemfa_508.pdf
 ]. Also see NCSC guidance on multi-factor authentication services [ 
https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services ] and setting up two-factor authentication 
[ https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa ]. 
  * *Protect the management interfaces of your critical operational systems.* In particular, use a browse-down 
architecture, in which administration is performed from a trusted, higher-assurance device onto less trusted systems 
and never the reverse, to prevent attackers from easily gaining privileged access to your most vital assets. See the 
NCSC blog on protecting management interfaces [ https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces ]. 
  * *Set up a security monitoring capability* so you are collecting the data that will be needed to analyze network 
intrusions. See the NCSC introduction to logging for security purposes [ 
https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes ]. 
  * *Review and refresh your incident management processes.* See the NCSC guidance on incident management [ 
https://www.ncsc.gov.uk/guidance/10-steps-incident-management ]. 
  * *Use modern systems and software.* These have better security built in. If you cannot move off out-of-date 
platforms and applications straight away, there are short-term steps you can take to improve your position. See the 
NCSC guidance on obsolete platform security [ https://www.ncsc.gov.uk/guidance/obsolete-platforms-security ]. 
  * *Further information:* Invest in preventing malware-based attacks across various scenarios. See CISA's guidance on 
ransomware [ https://www.us-cert.gov/Ransomware ] and protecting against malicious code [ 
https://www.us-cert.gov/ncas/tips/ST18-271 ]. Also see the NCSC guidance on mitigating malware and ransomware attacks [ 
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks ]. 

Contact Information

CISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by 
emailing CISAServiceDesk () cisa dhs gov.

The NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: 
https://report.ncsc.gov.uk/.

Disclaimers

"This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made 
have not been provided with the intention of avoiding all risks and following the recommendations will not remove all 
such risk. Ownership of information risks remains with the relevant system owner at all times."

"CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific 
commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute 
or imply their endorsement, recommendation, or favoring by CISA."

References

  * [1] CISA Alert: Detecting Citrix CVE-2019-19781 [ https://www.us-cert.gov/ncas/alerts/aa20-031a ] 
  * [2] NCSC Alert: Actors exploiting Citrix products vulnerability [ https://www.ncsc.gov.uk/news/citrix-alert ] 
  * [3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability [ 
https://www.us-cert.gov/ncas/alerts/aa20-010a ] 
  * [4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide [ 
https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities ] 

Revisions

  * May 5, 2020: Initial Version 
________________________________________________________________________

This product is provided subject to this Notification [ https://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ https://www.dhs.gov/privacy-policy ] policy.


A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 
