Nation-state hackers are targeting COVID-19 response orgs


Organizations involved in international COVID-19 responses, healthcare, and essential services are actively targeted by government-backed hacking groups according to a joint advisory issued today by cyber-security agencies from the US and the UK.

Healthcare bodies, medical research organizations, pharmaceutical companies, academia, and local governments are some examples of organizations currently being targeted by state-backed hacking groups.

Vulnerabilities introduced by remote working actively exploited

“APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities,” the advisory says.

“The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”

The DHS Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) say that they are currently investigating incidents where advanced persistent threat (APT) groups attacked universities, research organizations, and pharmaceutical companies.

Government-backed hackers have been abusing new vulnerabilities stemming from the shift to remote working in their attacks, exploiting the CVE-2019-19781 Citrix vulnerability and the CVE-2019-11510 Pulse Secure VPN vulnerability in unpatched appliances exposed for remote access.

Password spraying used against international healthcare entities

CISA and NCSC are also investigating APT campaigns using large-scale password spraying in attacks against international healthcare orgs and national healthcare entities from several countries including but not limited to the United States and the United Kingdom.

In password spraying attacks, threat actors try a small number of commonly used weak passwords against a large number of accounts at the same online service, pacing the attempts slowly so that no single account accumulates enough failures to trigger lockouts or other detections.

Once they gain access to one account, they use it to take over other accounts that reuse the same credentials, to move laterally within the network, or as a launch point for future cyber-attacks.
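The spraying pattern described above is invisible to per-account lockout counters, so detection has to pivot on the source. The following added example (not code from the advisory or either agency) runs a per-source check over a constructed authentication log, flagging sources that fail against many distinct accounts while staying under the lockout threshold; the log format, IPs and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the advisory), one event per
# line: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>".
# 203.0.113.7 sprays one guess each across many accounts, minutes apart;
# 198.51.100.9 hammers a single account (classic brute force, not spraying).
SAMPLE_LOG = """\
2020-05-05T09:00:01 203.0.113.7 alice FAIL
2020-05-05T09:03:12 203.0.113.7 bob FAIL
2020-05-05T09:06:40 203.0.113.7 carol FAIL
2020-05-05T09:10:05 203.0.113.7 dave FAIL
2020-05-05T09:13:30 203.0.113.7 erin FAIL
2020-05-05T09:17:00 203.0.113.7 frank SUCCESS
2020-05-05T09:01:00 198.51.100.9 alice FAIL
2020-05-05T09:01:05 198.51.100.9 alice FAIL
2020-05-05T09:01:10 198.51.100.9 alice FAIL
2020-05-05T09:01:15 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    # Parse the four-field format above into (timestamp, src, user, result).
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, min_accounts=5, lockout=10):
    """Flag sources that failed against >= min_accounts distinct accounts while
    never reaching `lockout` failures on any one account. Spraying is paced,
    so feed this hours or days of log rather than minutes."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    successes = defaultdict(set)                   # src -> accounts logged into
    times = defaultdict(list)                      # src -> timestamps seen
    for ts, src, user, result in events:
        times[src].append(ts)
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)
    flagged = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
            flagged[src] = {
                "accounts_tried": sorted(per_user),
                "max_failures_per_account": max(per_user.values()),
                "span_minutes": int((max(times[src]) - min(times[src])).total_seconds() // 60),
                "compromised": sorted(successes[src]),  # reset these first
            }
    return flagged
```

A success from a flagged source is the account to treat as compromised and reset first.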

“Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies,” the two agencies further explain.

Mitigation measures

CISA and NCSC have also shared guidance and mitigation measures for drastically reducing the risk of compromise in password spraying attacks.

The two cyber-security agencies also provide tips on how to protect against other active APT campaigns currently targeting healthcare and essential services across the globe:

A previous joint alert from last month also warned that cybercriminal and advanced persistent threat (APT) groups are using COVID-19-related themes in their attacks against individuals, small and medium enterprises, and large organizations.

They are exploiting the pandemic as part of phishing attacks, for malware distribution, to register coronavirus or COVID-19 related domains for use as part of their attack infrastructure, and in attacks targeting hastily deployed remote access and teleworking infrastructure.

In late April, the U.S. Federal Bureau of Investigation (FBI) warned of ongoing phishing campaigns against US healthcare providers that use COVID-19-themed lures to distribute malicious payloads.