Alert: APT Groups Targeting COVID-19 Researchers
'Password-Spraying' Campaigns Aimed at Stealing Research Data, US and UK Authorities Warn
Authorities in the U.S. and U.K. are warning medical institutions, pharmaceutical companies, universities and others about "password spraying campaigns" by advanced persistent threat groups seeking to steal COVID-19 research data.
A joint warning issued Tuesday by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the United Kingdom's National Cyber Security Center notes that APT actors are targeting a variety of organizations involved in COVID-19 responses.
"Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine," the alert notes. "CISA and NCSC continue to see indications that APT groups are exploiting the coronavirus disease 2019 pandemic as part of their cyber operations."
APT actors "frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities," the alert notes. "For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19-related research."
Organizations involved in research have international supply chains that increase their exposure to malicious cyber actors, according to the alert. Threat actors view supply chains "as a weak link that they can exploit to obtain access to better-protected targets," the alert states. "Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted."
Brett Callow, a threat analyst at security firm Emsisoft, notes: "While the overall number of cyberattacks has remained relatively steady during the pandemic, it is inevitable that both state actors and criminal enterprises will target organizations engaging in COVID-19 research. The research data is a valuable commodity, and the pandemic represents an opportunity for state actors to increase geopolitical tensions to further their own agendas."
Ido Geffen, a vice president at security firm CyberMDX, says the COVID-19 crisis is fueling a race between nations in developing or accessing a vaccine.
"This unfortunately may signal just the beginning of campaigns by rival states in an effort to gain precious IP," he says. "As the situation unfolds, stealing efforts will increase. There is so much to gain, and the efforts for stealing data through cyber are much quicker, easier and do not come with a lot of risks from the attacker point of view."
The CISA and NCSC alert follows warnings in March from the FBI about a surge in hacking incidents involving reconnaissance of medical and healthcare organizations, as well as some network intrusions at facilities that have publicly announced their COVID-19 research (see FBI: Hackers Targeting U.S. Covid-19 Research Facilities).
CISA and NCSC say that they have seen APT actors scanning websites of targeted organizations, looking for vulnerabilities in unpatched software.
"Actors are known to take advantage of Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private network products from Pulse Secure, Fortinet and Palo Alto," the alert states.
The U.S. and U.K. are investigating large-scale password-spraying campaigns - a type of brute force attack - conducted by APT groups, the alert notes. In such campaigns, "the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on," the alert notes.
"This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords."
APT groups previously have used password spraying to target organizations across a range of sectors - including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies, the alert notes.
In March, technology vendor Citrix Systems disclosed it was investigating an apparent penetration of its network and theft of business documents by hackers in what the FBI suspects was a password-spraying attack.
"Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused," CISA and NCSC warn in their alert. "Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network."
In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization's Global Address List, the alert notes. "The actors then used the GAL to password spray further accounts."
Password-spraying attacks "are avoidable with simple and stronger cyber hygiene techniques," says retired FBI agent Jason G. Weiss, a forensics expert who's an attorney with Faegre Drinker, Biddle and Reath.
"One of the most effective ways to prevent these types of attacks is to institute multifactor authentication," he says. "MFA would completely prevent password spraying attacks, since a cybercriminal would need a second layer of authentication to access an account even if they stumbled across a weak password during a password spraying attack."
"It's also a good idea to provide consistent employee security awareness training so employees understand why they shouldn't use simple or easy-to-guess passwords - especially passwords that could be compromised through basic social engineering tactics," Weiss adds.
CISA and NCSC, in their alert, highlight risk mitigation steps, including:
- Update VPNs, network infrastructure devices and devices being used to connect remotely to work environments with the latest software patches and configurations;
- Use multifactor authentication to reduce the impact of password compromises;
- Protect the management interfaces of critical operational systems - especially using browse-down architecture to prevent attackers easily gaining privileged access to the most vital assets;
- Set up a security monitoring capability to collect data needed to analyze network intrusions.
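The alert's description of password spraying (one common password tried once against many accounts, staying under lockout thresholds) also describes the signal a monitoring capability should look for. The following is an added example, not code from the article, the CISA/NCSC alert, or any vendor named here: a small Python detector that reads authentication events, groups failed logins by source address, and labels a source as "spray" when, inside a time window, it fails against many distinct accounts with only a few attempts each, as opposed to classic brute force against a single account. The log format and all log lines are constructed for the example, and the thresholds (30-minute window, 5 accounts, 3 attempts per account, 5 failures for brute force) are assumptions to be tuned to the lockout policy of the directory being protected. It also lists accounts that later logged in successfully from a spraying source, which is the credential-reuse follow-on the alert warns about.

```python
"""Detect a password-spraying pattern in authentication logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one login event per line, space separated:
#   <ISO timestamp> <FAIL|SUCCESS> user=<account> src=<ip>
# Addresses are documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2020-05-05T09:00:01 FAIL user=alice src=203.0.113.7
2020-05-05T09:01:12 FAIL user=bob src=203.0.113.7
2020-05-05T09:02:30 FAIL user=carol src=203.0.113.7
2020-05-05T09:03:45 FAIL user=dave src=203.0.113.7
2020-05-05T09:05:02 FAIL user=erin src=203.0.113.7
2020-05-05T09:06:20 FAIL user=frank src=203.0.113.7
2020-05-05T09:41:10 FAIL user=alice src=203.0.113.7
2020-05-05T09:42:15 SUCCESS user=frank src=203.0.113.7
2020-05-05T09:10:00 FAIL user=bob src=198.51.100.23
2020-05-05T09:10:15 FAIL user=bob src=198.51.100.23
2020-05-05T09:10:30 FAIL user=bob src=198.51.100.23
2020-05-05T09:10:45 FAIL user=bob src=198.51.100.23
2020-05-05T09:11:00 FAIL user=bob src=198.51.100.23
2020-05-05T09:11:15 FAIL user=bob src=198.51.100.23
2020-05-05T09:11:30 FAIL user=bob src=198.51.100.23
2020-05-05T09:11:40 FAIL user=bob src=198.51.100.23
2020-05-05T09:15:00 FAIL user=carol src=192.0.2.10
2020-05-05T09:15:20 SUCCESS user=carol src=192.0.2.10
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "result": result,
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def classify_source(failures, window, min_accounts, max_per_account, brute_threshold):
    """Label one source's failed logins as 'spray', 'brute_force' or None.

    A sliding window walks the source's failures in time order. Spraying
    looks like many distinct accounts, each hit only a few times (the
    attacker is deliberately staying under the lockout threshold); brute
    force looks like one account hit many times.
    """
    failures = sorted(failures, key=lambda e: e["ts"])
    start = 0
    for end in range(len(failures)):
        while failures[end]["ts"] - failures[start]["ts"] > window:
            start += 1
        per_account = Counter(e["user"] for e in failures[start:end + 1])
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            return "spray"
        if max(per_account.values()) >= brute_threshold:
            return "brute_force"
    return None


def find_spraying(events, window=timedelta(minutes=30), min_accounts=5,
                  max_per_account=3, brute_threshold=5):
    """Return {source_ip: finding} for every source that looks like spraying or brute force."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)

    findings = {}
    for src, fails in by_src.items():
        label = classify_source(fails, window, min_accounts, max_per_account, brute_threshold)
        if label is None:
            continue
        # Accounts that later logged in successfully from a flagged source are
        # the likely compromised ones and should be reviewed first.
        hits = sorted({e["user"] for e in events
                       if e["src"] == src and e["result"] == "SUCCESS"})
        findings[src] = {
            "label": label,
            "accounts_targeted": sorted({e["user"] for e in fails}),
            "successful_logins": hits,
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_spraying(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

Grouping by source address is the simplest view and is enough for the single-source pattern the alert describes; a spray distributed across many addresses evades it, so a second pass that counts distinct failing accounts tenant-wide per window, regardless of source, is a worthwhile companion rule. Thresholds should sit below whatever lockout policy the identity provider enforces, since the attacker is tuning to the same number.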
Other Vulnerable Entities
Smaller organizations also are potential targets for APT gangs.
"Given that nonprofits may not be in the same position as larger and more prepared for-profit companies with regard to their cybersecurity defenses, they can certainly be considered targets for the recently reported APTs," says Stanley Mierzwa, the director of the Center for Cybersecurity at Kean University in Union, New Jersey.
"Regarding the password-spraying issue, many nonprofits and nongovernmental organizations [NGOs] include links to their internal systems from publicly available portals on the Internet," he adds. "These web-enabled portals could certainly be a target for password spraying. If successful with such an APT attack, the proprietary or intellectual property of a nonprofit or NGO can possibly be gained by the attacker."
Because so many employees are working from home during the pandemic and require a web-enabled portal to access information systems, "this by default can possibly make them a target," Mierzwa notes.