An advisory from the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) warns of a coordinated attack against the healthcare industry and other essential services.
Advanced Persistent Threat (APT) groups are targeting numerous organizations, including healthcare bodies, pharmaceutical companies, academia, medical research organizations and local governments, especially those involved in national and international COVID-19 response teams.
APTs are usually groups backed by states, or state actors themselves, that seek to disrupt services, steal data, or spy on the activities of companies and even countries. Healthcare organizations are often hit because they host valuable health-related data. The pandemic makes them a prime target because APTs try to obtain information for domestic research into COVID-19-related medicine.
“These organizations’ global reach and international supply chains increase exposure to malicious cyber actors,” reads the advisory. “Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.”
One method used in these attacks is password spraying, a form of brute-force attack in which bad actors try a small set of commonly used passwords against many accounts. Since one of the most significant security issues is that people choose ridiculously easy passwords or reuse the same password on multiple services, the technique usually yields results.
A single working password in an organization is enough, especially for APT groups, which are far better prepared than regular hackers. They can compromise the network, move laterally inside the company or institution if necessary, and access other credentials.
CISA and NCSC say that, as long as the COVID-19 pandemic continues, any organization in the healthcare industry will carry extra risk. The two government institutions also presented several possible mitigations:
- Update VPNs, network infrastructure devices and devices being used in remote work environments with the latest software patches and configurations.
- Use multi-factor authentication to reduce the impact of password compromises.
- Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers from easily gaining privileged access to your most vital assets.
- Set up a security monitoring capability so you collect data that will be needed to analyze network intrusions.
- Review and refresh your incident management processes.
- Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position.
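As an added illustration that is not part of the advisory or this article, the Python detector below applies the monitoring advice to the spraying technique described above: it flags a source that fails logins against many different accounts inside a short window (what separates spraying from brute force against a single account) and then lists any login that succeeded from that source. The log format, IP addresses, usernames and thresholds are all constructed for the example.

```python
# Added example, not from the CISA/NCSC advisory: a minimal password-spraying
# detector. Spraying shows up as many *different* usernames failing from one
# source in a short window; classic brute force hammers a single account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; not from any real system).
SAMPLE_LOG = """\
2020-05-05T09:00:01 src=203.0.113.7 user=alice result=FAIL
2020-05-05T09:00:03 src=203.0.113.7 user=bob result=FAIL
2020-05-05T09:00:05 src=203.0.113.7 user=carol result=FAIL
2020-05-05T09:00:07 src=203.0.113.7 user=dave result=FAIL
2020-05-05T09:00:09 src=203.0.113.7 user=erin result=FAIL
2020-05-05T09:00:11 src=203.0.113.7 user=frank result=SUCCESS
2020-05-05T09:01:00 src=198.51.100.9 user=alice result=FAIL
2020-05-05T09:01:02 src=198.51.100.9 user=alice result=FAIL
2020-05-05T09:01:04 src=198.51.100.9 user=alice result=FAIL
2020-05-05T09:01:06 src=198.51.100.9 user=alice result=FAIL
2020-05-05T09:30:00 src=192.0.2.44 user=grace result=FAIL
"""

def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_spraying(log_text, window=timedelta(minutes=5), min_users=4):
    """Return {src: sorted usernames} for sources failing against >= min_users
    distinct accounts within any window-long period (sliding over failures)."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            failures[rec["src"]].append((rec["ts"], rec["user"]))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts

def successes_after_spray(log_text, alerts):
    """Accounts that logged in successfully from a flagged source: likely compromised."""
    return sorted(r["user"] for r in map(parse_line, log_text.splitlines())
                  if r["result"] == "SUCCESS" and r["src"] in alerts)
```

The single-account failures from 198.51.100.9 are deliberately left unflagged here; a per-account lockout or a separate brute-force rule covers that pattern.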