An advisory from the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) warns of a coordinated attack against the healthcare industry and other essential services.
Advanced Persistent Threat (APT) groups are targeting numerous organizations, including healthcare bodies, pharmaceutical companies, academia, medical research organizations and local governments, especially those involved in national and international COVID-19 response teams.
APTs are usually groups backed by states, or an actual state actor, seeking to disrupt services, steal data, or spy on the activities of companies and even countries. Healthcare organizations are often hit because they host valuable health-related data. The pandemic makes them a prime target because APTs try to obtain information for domestic research into
“These organizations’ global reach and international supply chains increase exposure to malicious cyber actors,” reads the advisory. “Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have
One method used in these attacks is called password spraying, in which attackers run a brute-force attack that tries common passwords across many accounts. Since one of the most significant security issues is people choosing ridiculously easy passwords or reusing the same password on multiple services, the technique usually yields results.
Even a single working password in an organization is enough, especially for APT groups, who are much better prepared than regular hackers. They can compromise the network, move laterally inside the company or institution if necessary, and access other credentials.
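The signature of password spraying that the article describes, one source failing against many different accounts in a short time, is exactly what the "security monitoring capability" in the advisory's mitigation list should be able to surface. The detector below is an added illustration, not code from the advisory or from CISA/NCSC: it runs over a handful of constructed authentication log lines (the log format, field names, thresholds and IP addresses are all assumptions) and flags any source that fails against at least five distinct users inside a ten-minute window, noting whether that same source later logged in successfully, which is the "one password is enough" case the article warns about.

```python
# Added example (not from the advisory): password-spraying detection over
# constructed authentication log lines. Log format, field names, window and
# threshold are assumptions made for the illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data. 203.0.113.7 tries one password
# against many accounts (spraying) and finally gets in as "frank";
# 198.51.100.4 is a single user retrying their own account.
SAMPLE_LOG = """\
2020-05-05T09:00:01Z auth=FAIL user=alice src=203.0.113.7
2020-05-05T09:00:03Z auth=FAIL user=bob src=203.0.113.7
2020-05-05T09:00:05Z auth=FAIL user=carol src=203.0.113.7
2020-05-05T09:00:07Z auth=FAIL user=dave src=203.0.113.7
2020-05-05T09:00:09Z auth=FAIL user=erin src=203.0.113.7
2020-05-05T09:00:11Z auth=OK user=frank src=203.0.113.7
2020-05-05T09:01:00Z auth=FAIL user=bob src=198.51.100.4
2020-05-05T09:01:30Z auth=FAIL user=bob src=198.51.100.4
2020-05-05T09:02:00Z auth=OK user=bob src=198.51.100.4
this line is not an authentication record and is skipped
"""

# Assumed record layout: "<ISO timestamp> auth=<FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_spraying(lines, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failures span >= min_users distinct accounts
    within any `window`; report successful logins from the same source."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Slide a window starting at each failure and keep the largest
        # set of distinct usernames seen inside it.
        best_users = set()
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:]
                     if e["ts"] - start["ts"] <= window}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) >= min_users:
            success_users = sorted({e["user"] for e in evs if e["result"] == "OK"})
            alerts.append({
                "src": src,
                "distinct_failed_users": len(best_users),
                "success_users": success_users,  # accounts to treat as compromised
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG.splitlines()):
        print(alert)
```

The per-source distinct-user count is what separates spraying from an ordinary lockout-triggering brute force against one account: 198.51.100.4 fails several times but only ever against "bob", so it is not reported. In a real deployment the same logic would run over VPN, webmail or identity-provider sign-in logs, and an alert whose source also has a success is the one to act on first.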
CISA and NCSC say that, as long as the COVID-19 pandemic continues, any organization in the healthcare industry will carry extra risk. The two government institutions also presented several possible mitigations:
- Update VPNs, network infrastructure devices and devices being used in remote work environments with the latest software patches.
- Use multi-factor authentication to reduce the impact of password compromises.
- Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers from easily gaining privileged access to your most vital
- Set up a security monitoring capability so you collect data that will be needed to analyze network intrusions.
- Review and refresh your incident management
- Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve