The NCSC and CISA have released a joint warning aimed at medical research organisations to strengthen their cyber security, as groups of cyber threat actors conduct large-scale campaigns to mine COVID-19-related data.
The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have seen evidence of large-scale password spraying campaigns against medical bodies, where attackers try hundreds, “even thousands” of common passwords on company accounts to gain access.
Security officials have identified the targeting of national and international healthcare bodies such as pharmaceutical companies, research organisations and local governments, with the likely aim of gathering information relating to the coronavirus pandemic.
Advanced Persistent Threat (APT) groups target such bodies to collect bulk personal information, intellectual property and intelligence that aligns with national priorities.
Recently, the NCSC and CISA have seen APT actors scanning the external websites of targeted companies for vulnerabilities in unpatched software. Actors are known to take advantage of vulnerabilities in Virtual Private Network (VPN) products from vendors Pulse Secure and Palo Alto.
Technology strategist Zeki Turedi at cybersecurity company CrowdStrike explained to Computer Business Review why these organisations are at such a high risk:
“The NCSC is right to warn healthcare organisations involved in the coronavirus response that they are at huge risk. A vaccine is undoubtedly the most valuable commodity in the world right now — and adversaries will stop at nothing to get access to it. In fact, we have seen a 100x increase in malicious coronavirus-related files circulating in recent months.
“Adversaries are leveraging COVID-19 lures to launch targeted attacks against an overstretched healthcare industry. We’re in a state of high alert when it comes to information pertaining to COVID-19 and the current situation has created the perfect storm.
“To defend against these threats, it’s crucial these organisations take a proactive approach and maintain a holistic view of their IT environment, with full control and visibility of all activity happening in their network. This includes having an understanding of the broader threat landscape so organisations can quickly identify adversaries and their techniques, learn from attacks, and take action on indicators to strengthen their overall defences.”
What is Password Spraying?
According to a survey conducted by the NCSC, 75 percent of the participants’ organisations had accounts with passwords that featured in the security centre’s top 1,000 most popular, and 87 percent had accounts with passwords that featured in its top 10,000.
These sorts of passwords are easily bypassed by regular expression attacks, with tools that are open source (freely available online). A first mode regular expression attack will try a supplied password list file, which includes the likes of password123. It only takes a few seconds for a password cracker to extract the root password and user password from the password hash file, gaining quick and easy access into the organisation.
Access to even one account is enough for an APT group to extract all of the information they need. The report urges healthcare bodies and medical research facilities to use NCSC and CISA guides detailing how to protect against password spraying attacks, with techniques including multi-factor authentication and the regular audit of passwords against common password lists.
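As an added illustration (not part of the NCSC/CISA advisory or the original article), this Python example shows how a defender could spot the spraying pattern described above in authentication logs: one source failing against many distinct accounts within a short window. The event layout, the thresholds and all sample data are constructed assumptions.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events: (time, source IP, account, outcome). Layout is an assumption.
ACCOUNTS = ["a.khan", "b.jones", "c.li", "d.owen", "e.diaz", "f.roy"]
SAMPLE_EVENTS = [
    (f"2020-05-05T09:0{i}:00", "198.51.100.7", user, "FAIL")   # one guess per account
    for i, user in enumerate(ACCOUNTS)
] + [
    ("2020-05-05T09:07:00", "198.51.100.7", "g.hall", "SUCCESS"),  # a common password worked
    ("2020-05-05T09:01:00", "203.0.113.20", "h.park", "FAIL"),     # user mistyping
    ("2020-05-05T09:01:30", "203.0.113.20", "h.park", "FAIL"),
    ("2020-05-05T09:02:00", "203.0.113.20", "h.park", "SUCCESS"),
] + [
    (f"2020-05-05T10:0{i}:00", "192.0.2.33", "admin", "FAIL")      # single-account guessing
    for i in range(6)
]


def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag sources whose failed logins hit >= min_accounts distinct accounts in one window."""
    by_source = defaultdict(list)
    for ts, src, user, outcome in events:
        by_source[src].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for src, rows in by_source.items():
        fails = sorted((t, u) for t, u, o in rows if o == "FAIL")
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in fails[start:end + 1]}) >= min_accounts:
                findings[src] = {
                    "targeted": sorted({u for _, u in fails}),
                    # Any success from a spraying source needs a reset and review.
                    "succeeded": sorted({u for _, u, o in rows if o == "SUCCESS"}),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_EVENTS).items():
        print(src, info)
```

Per-account lockout counters miss this pattern because each account sees only one or two failures, which is why the grouping is by source rather than by account.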