The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) have released a joint advisory that highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.

The joint NCSC/CISA advisory from 8 April 2020 previously detailed the exploitation of the COVID-19 pandemic by cyber criminals and APT groups. The new joint NCSC/CISA advisory provides an update on ongoing malicious cyber activity relating to coronavirus.

According to the agencies, APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local government. APT actors frequently target organizations in order to collect bulk personal information, intellectual property and intelligence that aligns with national priorities, say the agencies.

The pandemic has likely raised additional requirements for APT actors to gather information related to COVID-19, notes the advisory. For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19-related research.

Chris Morales, head of security analytics at Vectra, says, “Password spraying is a highly opportunistic technique that continually works because passwords are commonly reused across multiple services. The bigger problem here is that authentication has always been about what you know (a remembered phrase, i.e. password) but not about who and where you are. A strong password doesn’t fix the problem. Until authentication evolves to being truly adaptive with contextual understanding of who the user is, what the user knows, and where the user is requesting access to particular services, techniques like password spraying will continue to work and therefore to be used for opportunistic access.”

Some risk mitigation practices both agencies recommend are:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.
  • Use multi-factor authentication (MFA) to reduce the impact of password compromises.
  • Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets.
  • Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions.
  • Review and refresh your incident management processes.
  • Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position.
  • Invest in preventing malware-based attacks across various scenarios.
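
The monitoring recommendation above, applied to the password spraying that Morales describes, as an added example that is not taken from the advisory: it flags a source address whose failed logins touch many accounts with only a few attempts each, and lists any account that source then logged into. The log layout, thresholds, function names and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the "time outcome account source" layout is an assumption.
SAMPLE_LOG = """\
2020-05-05T09:00:00 FAIL alice 203.0.113.7
2020-05-05T09:02:00 FAIL bob 203.0.113.7
2020-05-05T09:04:00 FAIL carol 203.0.113.7
2020-05-05T09:06:00 FAIL dave 203.0.113.7
2020-05-05T09:08:00 FAIL erin 203.0.113.7
2020-05-05T09:10:00 SUCCESS frank 203.0.113.7
2020-05-05T09:00:05 FAIL alice 198.51.100.9
2020-05-05T09:00:06 FAIL alice 198.51.100.9
2020-05-05T09:00:07 FAIL alice 198.51.100.9
2020-05-05T09:00:08 FAIL alice 198.51.100.9
2020-05-05T09:15:00 FAIL grace 192.0.2.4
2020-05-05T09:15:20 SUCCESS grace 192.0.2.4
garbled line
"""

def parse(log):
    """Yield (time, outcome, account, source); malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] in ("FAIL", "SUCCESS"):
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), parts[3]

def find_spraying(log, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts, a few tries each, in one window."""
    by_src = defaultdict(list)
    for event in parse(log):
        by_src[event[3]].append(event)
    report = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(t, user) for t, outcome, user, _ in events if outcome == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            tries = Counter(user for _, user in fails[start:end + 1])
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                # A success from a spraying source is the account to reset first.
                hits = sorted({u for _, o, u, _ in events if o == "SUCCESS"})
                report[src] = {"targeted": sorted(tries), "succeeded": hits}
    return report

if __name__ == "__main__":
    print(find_spraying(SAMPLE_LOG))
```

The repeated failures against a single account from 198.51.100.9 and the one mistyped password from 192.0.2.4 are deliberately not flagged; per-account lockout covers the former, while the spread across accounts is what lockout thresholds miss.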

For the full joint advisory and mitigation strategies, visit https://www.ncsc.gov.uk/files/Joint%20NCSC%20and%20CISA%20Advisory%20APT%20groups%20target%20healthcare%20and%20essential%20services.pdf