By Margaret Young Levi and Kathie McDonald-McClure
The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC) have issued a joint alert (AA20-126A) warning of techniques that advanced persistent threat (APT) groups are using to exploit the COVID-19 pandemic.
APT groups are targeting organizations responding to COVID-19, such as healthcare organizations, pharmaceutical companies, universities, medical research organizations and local governments. These groups seek to steal "bulk personal information, intellectual property, and intelligence that aligns with national priorities," and they use a variety of techniques to get in and take that data.
One way in is simply unpatched software. With more people working remotely, APT groups scan internet-facing Citrix and virtual private network (VPN) products, the devices that give employees a remote connection to the business network, for known vulnerabilities that have not yet been patched.
Another method APT groups are using against healthcare entities is large-scale password spraying: trying a small number of commonly used passwords against a large number of accounts, one or two attempts per account, so that no single account trips an account-lockout threshold. One successful guess gives the attacker a valid login from which to reach the rest of the network.
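Because a sprayer rotates accounts rather than passwords, the usual per-account failed-login counter never fires; what stands out instead is one source failing against many distinct accounts a small number of times each. The detector below, an added example that is not code from the original article or from the CISA/NCSC alert, runs that rule over a constructed, hypothetical log format (`<ISO timestamp> src=<ip> user=<name> result=OK|FAIL`); the thresholds and the parser are assumptions to adapt to your own VPN, Citrix or identity-provider logs.

```python
"""Password-spray detection over authentication log lines.

Added example, not code from the original article or from the CISA/NCSC
alert.  The log format is a constructed, hypothetical one
("<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"); point parse() at
the failed-login events from your own VPN, Citrix or identity-provider logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Turn log lines into (timestamp, source, user, result) tuples.
    Malformed lines are skipped rather than allowed to crash the detector."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=10, max_per_user=2):
    """Flag sources that, inside any sliding window, fail against at least
    min_users distinct accounts while never exceeding max_per_user failures
    for any single account.

    The second condition is what separates spraying from brute force: a
    sprayer rotates accounts rather than passwords, precisely to stay under
    per-account lockout thresholds.  Returns {source: sorted accounts tried}."""
    fails = defaultdict(list)  # source -> [(timestamp, user)] in time order
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            fails[src].append((ts, user))

    findings = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted({u for _, u in attempts})
                break
    return findings


def build_sample_log():
    """Constructed sample: one spraying source, one brute-forcing source,
    and one legitimate user who mistypes once."""
    base = datetime(2020, 5, 5, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Spray: a single failed attempt against each of 12 different accounts.
    for i in range(12):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.strftime(fmt)} src=203.0.113.7 user=user{i:02d} result=FAIL")
    # Brute force: 40 failures against one account (lockout rules catch this;
    # the spray rule deliberately does not).
    for i in range(40):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.strftime(fmt)} src=198.51.100.9 user=admin result=FAIL")
    # Normal: one typo, then a successful login.
    lines.append(f"{base.strftime(fmt)} src=192.0.2.20 user=alice result=FAIL")
    t = base + timedelta(seconds=20)
    lines.append(f"{t.strftime(fmt)} src=192.0.2.20 user=alice result=OK")
    return lines


if __name__ == "__main__":
    for src, users in detect_spray(parse(build_sample_log())).items():
        print(f"possible password spray from {src}: {len(users)} accounts targeted")
```

Real campaigns are spread over many source addresses, so in addition to the per-source check it is worth running the same rule with every source collapsed to a single value to get an organization-wide view, and the window and thresholds need tuning against a baseline of normal failed-login volume.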
Considering this uptick in cyber activity, CISA and NCSC advise organizations to take the following steps to reduce the chance of compromise from these types of attacks:
- Strengthen password policies and require robust passwords. NCSC has published a list of frequently found passwords that attackers are known to use in password spray attacks against corporate accounts and networks. Employees should be warned not to use any of the 100,000 passwords on this list, or any password based on the name of their company.
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations. See CISA’s guidance on enterprise VPN security and NCSC guidance on virtual private networks for more information.
- Use multi-factor authentication to reduce the impact of password compromises. See the U.S. National Cybersecurity Awareness Month how-to guide on multi-factor authentication. Also see NCSC guidance on multi-factor authentication services and on setting up two-factor authentication.
- Protect the management interfaces of your critical operational systems. Use a browse-down architecture, in which administrators work from a trusted, well-managed device and connect down to less trusted systems rather than the reverse, so that an attacker who compromises an ordinary workstation or a browser cannot easily gain privileged access to your most vital assets. See the NCSC blog on protecting management interfaces.
- Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See the NCSC introduction to logging for security purposes.
- Review and refresh your incident management processes. See the NCSC guidance on incident management.
- Use modern systems and software. Modern systems and software have better security built in. If you cannot move off out-of-date platforms and applications immediately, then there are short-term steps you can take to improve your position. See the NCSC guidance on obsolete platform security.
- Invest in preventing malware-based attacks across various scenarios. See CISA’s guidance on ransomware and protecting against malicious code. Also see the NCSC guidance on mitigating malware and ransomware attacks.
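The first of these steps is the easiest to automate at account-creation or password-change time: reject anything on the breached-password list and anything built on the company name, including the lightly disguised variants ("Wyatt2020!", "P@ssw0rd") that people reach for to satisfy complexity rules. The checker below is an added example, not code from the original article, NCSC or CISA; the short denylist inside it is a constructed stand-in for the NCSC list (assumed to be a plain text file with one password per line, which `load_denylist` reads), and the company terms and the 12-character minimum are assumptions.

```python
"""Password-policy check against a breached-password denylist and
company-name-derived passwords.

Added example; not code from the original article, NCSC or CISA.  The
denylist below is a constructed stand-in for the NCSC list of 100,000
commonly used passwords, assumed to be one password per line; pass the
real file's contents to load_denylist() instead.
"""
import re

# Constructed sample standing in for the NCSC list; the real file is far larger.
DENYLIST_SAMPLE = """123456
password
qwerty
password1
letmein
welcome1
summer2020
"""

# Common substitutions people use to dodge naive dictionary checks.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def load_denylist(text):
    """Read a one-password-per-line file into a lower-cased set."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def normalize(password):
    """Reduce a password to its 'core': lower-case it, drop the digits and
    symbols bolted onto the end ("Wyatt2020!" -> "wyatt"), then undo leet
    substitutions ("p@ssw0rd" -> "password")."""
    core = password.lower()
    core = re.sub(r"[\d\W_]+$", "", core)
    return core.translate(LEET)


def check_password(password, denylist, company_terms, min_length=12):
    """Return a list of reasons the password is unacceptable; an empty
    list means it passes.  company_terms are names such as the company,
    its abbreviations and its products (assumed input)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"is shorter than {min_length} characters")

    core = normalize(password)
    if password.lower() in denylist:
        reasons.append("appears on the breached-password denylist")
    elif core in denylist:
        reasons.append("is a trivial variant of a password on the denylist")

    terms = [t.lower().replace(" ", "") for t in company_terms]
    if any(t and t in core for t in terms):
        reasons.append("is based on the company name")
    return reasons


if __name__ == "__main__":
    denylist = load_denylist(DENYLIST_SAMPLE)
    for candidate in ["Password1", "P@ssw0rd2020!", "Wyatt-Tarrant2020",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, denylist, ["Wyatt", "Wyatt Tarrant"])
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Checking the normalized core against the list catches far more than an exact lookup does, but it is still only a denylist: the surest way to take the guessable-password problem out of the attacker's hands is the multi-factor authentication step above, which this check complements rather than replaces.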
– Margaret Young Levi and Kathie McDonald-McClure are with Wyatt Tarrant & Combs.