The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

U.S., UK Govt: APT Groups Targeting Healthcare Orgs

by Chris Brook on Thursday May 7, 2020

Contact Us
Free Demo
Chat

A joint alert via cybersecurity agencies in the UK and U.S. this week warned about how APT groups are exploiting COVID-19 to collect PII, IP, and other intelligence.

It seems as if there are alerts almost daily now around how bad actors are leveraging the ongoing coronavirus (COVID-19) pandemic to target end users.

The latest came this week after agencies from two countries, the U.S. and the U.K. warned about how advanced persistent threat (APT) groups are using the pandemic to their advantage. 

In a joint warning issued Tuesday via the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) the groups explained how attackers are looking for vulnerabilities in unpatched software to test the defenses of healthcare companies.

DHS, CISA, and NCSC warn that when it comes to healthcare, no organization is really being spared from APT groups; healthcare bodies, pharmaceutical companies, academia like universities, medical research organizations, and local governments especially.

The groups are largely looking to collect intelligence on national and international healthcare policies and sensitive data on COVID-19-related research, the agencies warned.

It probably shouldn't come as a surprise that to do so the attackers are still hitting vulnerabilities previously uncovered and disclosed in Citrix along with VPN products from Pulse Secure, Fortinet, and Palo Alto. CISA warned of an uptick in attacks exploiting Pulse Secure in particular in January, claiming it was being used to install Sodinokibi ransomware. It warned of the Citrix vulnerability (CVE-2019-19781) in January also.

The groups are also carrying out password spraying campaigns to target healthcare companies. In password spraying attacks, attackers essentially use as many kinds of common passwords as possible against accounts before moving on to the next one. Every so often they'll be successful, when they're not, they'll manage to avoid getting locked out.

According to the groups' guidance, they've observed attackers leveraging password spraying to get into an account, then downloading an organization's internal email list and using it to password spray further.

“CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic,” the groups warned.

To mitigate the attacks, the groups are encouraging administrators to follow these tips if they’re not already:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.
  • Use multi-factor authentication to reduce the impact of password compromises.
  • Protect the management interfaces of your critical operational systems - use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets.
  • Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions.
  • Review and refresh your incident management processes.
  • Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position.

 

Tags: Healthcare, Industry Insights

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.