CISA Gives New Notification About APT Groups Attacking Healthcare Providers

Advanced Persistent Threat (APT) groups continue to target healthcare organizations, pharmaceutical companies, research organizations, and others engaged in responding to the COVID-19 crisis, prompting another joint notification from cybersecurity authorities in the United Kingdom and the United States.

The previous alert by the UK’s National Cyber Security Centre (NCSC) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) was published on April 8, 2020. The current alert gives more detail on the tactics, techniques, and procedures that APT groups have used to gain access to networks and sensitive information.

In the most recent alert, CISA/NCSC state that APT groups are focusing their efforts on organizations engaged in COVID-19 research, seeking sensitive data on the COVID-19 response as well as research data that can advance the domestic research programs of the nations that fund those APT groups.

APT groups usually target healthcare providers to obtain patient personal data, intellectual property, and data that lines up with their sponsoring country’s priorities. The APT groups do not appear to be conducting more attacks than before; rather, they have shifted their targeting and are now concentrating on institutions involved in the COVID-19 response. CISA/NCSC advise that these campaigns to obtain sensitive information are ongoing, with national and international healthcare organizations being targeted for sensitive COVID-19 research data.

One type of attack being conducted targets supply chains, which are considered a weak link that can be exploited to reach higher-value victims. Supply chains are especially vulnerable at present because many employees of companies in the supply chain are working from home as a result of the COVID-19 lockdown.

The APT groups are using a range of techniques to gain access to networks, establish control, and steal sensitive information. The alert raises awareness of two techniques observed in the last few weeks: exploitation of vulnerabilities and password spraying.

Many employees working from home during the pandemic access their corporate systems through virtual private networks (VPNs). A number of commercial VPN products have been found to have vulnerabilities that attackers are actively exploiting. Last year, VPN solutions from Pulse Secure, Palo Alto Networks, and Fortinet were found to have vulnerabilities, and patches were released to fix them. Many companies are likewise affected by the Citrix vulnerability, CVE-2019-19781. Although patches have been available for a few months, many companies remain vulnerable to attack because they have not applied them. APT groups are scanning for organizations that are still exposed to the Citrix and VPN vulnerabilities and are working to exploit them.

APT groups are likewise using password spraying attacks to gain access to corporate networks. Password spraying is a form of brute force attack that targets commonly used accounts. The attackers try a single commonly used password to see whether it grants access. That same password is tried against many accounts before the process is repeated with another password. The procedure continues until the attackers find a password that works. The password spraying tactic is generally successful.

When an attack succeeds, the correctly guessed password is used to access other accounts that are likely to share the same password. Attackers also download global address lists, which are then used for further password spraying attacks. Where possible, the attackers also move laterally to steal additional credentials and sensitive information.
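A detector for the pattern just described, as an added example that is not part of the alert: it flags a source whose failed logins span many distinct accounts within a short window, which is the spray signature, while leaving a single-account brute force unreported, and lists any account that then authenticated successfully from that source. The `key=value` log format and the sample lines are constructed for this example.

```python
"""Flag password spraying in authentication logs (added example, not from the advisory)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "key=value" format.
SAMPLE_LOG = """\
2020-05-05T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-05-05T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2020-05-05T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2020-05-05T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2020-05-05T09:00:09Z src=203.0.113.7 user=erin result=FAIL
2020-05-05T09:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2020-05-05T09:00:02Z src=198.51.100.9 user=alice result=FAIL
2020-05-05T09:00:04Z src=198.51.100.9 user=alice result=FAIL
2020-05-05T09:30:00Z src=192.0.2.5 user=gina result=SUCCESS
"""

def parse_line(line):
    """Parse one line into (timestamp, src, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["user"], kv["result"]

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: (accounts that failed, accounts that succeeded)} for every
    source whose failed logins touched >= min_accounts distinct accounts inside
    window. One password tried across many accounts leaves few failures per
    account but many accounts per source; a brute force against one account
    (198.51.100.9 above) never reaches the threshold and is not reported."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)   # src -> [(time, user), ...] in time order
    okay = defaultdict(set)     # src -> accounts that authenticated successfully
    for when, src, user, result in events:
        if result == "FAIL":
            fails[src].append((when, user))
        else:
            okay[src].add(user)
    hits = {}
    for src, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):   # sliding window from each failure
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                # a success from a spraying source marks the account to review first
                hits[src] = (sorted(users), sorted(okay[src]))
                break
    return hits
```

Tune `window` and `min_accounts` to the volume of your own authentication logs; a lower threshold catches slower sprays at the cost of more noise.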

CISA/NCSC presented the following mitigations to help healthcare companies strengthen security against these attacks:

  • Ensure VPN clients and infrastructure are up to date and use the most recent software versions.
  • Patch all software programs and operating systems immediately.
  • Configure multi-factor authentication to block the use of stolen or brute-forced passwords to access accounts.
  • Protect the management interfaces of crucial systems to keep attackers from gaining privileged access to important assets.
  • Improve monitoring capability to detect network intrusions.