Advanced persistent threat (APT) groups targeting healthcare and essential services

APT groups are exploiting the COVID-19 pandemic

Advanced persistent threat (APT) groups are exploiting the pandemic in their cyber operations. The targets of these actions are healthcare organizations, pharmaceutical companies, academic institutions, medical research organizations and government. The groups are attempting to collect targeted intelligence, intellectual property, and personal information. These groups are likely focused on acquiring highly confidential and sensitive COVID-19 research.

Cyber actors are targeting the supply chain of vulnerable organizations

The world has shifted en masse to remote work. This work-from-home shift creates new vulnerabilities and exposures. The US government has reported that APT groups are scanning targets' external websites and searching for vulnerabilities in unpatched software. These groups will exploit the Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.

Password spraying brute force attack activity

Password spraying is a common brute force attack in which one password is tried against many accounts. The goal of this approach is to remain undetected by avoiding the many account lockouts that repeated guesses against a single account would generate. Attackers use this technique because it works: as research has shown, too many people use common passwords. The attacker collects open source information to identify potential usernames, then sprays the target accounts with passwords drawn from a common password list. Once the attacker compromises an account, they will likely continue to identify other accounts and move laterally through the organization.

Mitigating the threat from groups exploiting the COVID-19 pandemic

  • Keep all external-facing devices (VPNs, routers, and any other gateway) patched with the latest software.
  • Enable multi-factor authentication (MFA) to reduce the risk of a common password compromise.
  • Set up a security monitoring capability that collects data from external-facing devices and alarms on password failures.
  • Set up an external threat monitoring capability to be aware of new vulnerabilities and exploits targeting external-facing systems.
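As an added example (not part of the original post), the following Python script shows the detection logic behind the "alarms on password failures" recommendation, applied to the spraying pattern described above: it flags a source that fails against many distinct accounts while staying under a per-account lockout threshold, and lists any account that source then logged into. The log format, the thresholds and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original page): 203.0.113.7 fails once against
# five accounts (spray pattern) then logs in as frank; 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
2020-04-20T09:00:01 auth FAIL user=alice src=203.0.113.7
2020-04-20T09:00:02 auth FAIL user=bob src=203.0.113.7
2020-04-20T09:00:03 auth FAIL user=carol src=203.0.113.7
2020-04-20T09:00:04 auth FAIL user=dave src=203.0.113.7
2020-04-20T09:00:05 auth FAIL user=erin src=203.0.113.7
2020-04-20T09:00:06 auth OK user=frank src=203.0.113.7
2020-04-20T09:01:00 auth FAIL user=alice src=198.51.100.9
2020-04-20T09:01:10 auth FAIL user=alice src=198.51.100.9
2020-04-20T09:01:20 auth FAIL user=alice src=198.51.100.9
2020-04-20T09:01:30 auth FAIL user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_spray(log_text, window=timedelta(minutes=5), min_users=5, max_per_user=3):
    """Map spraying sources to their targeted accounts and any later successful logins.
    A spray is one source failing against many distinct accounts inside `window` while
    keeping each account under `max_per_user` failures, i.e. below a typical lockout."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(parse(log_text)):
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, events in by_src.items():
        fails = [(ts, u) for ts, r, u in events if r == "FAIL"]
        for i, (start, _) in enumerate(fails):  # slide the window over this source's failures
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                ok = [u for ts, r, u in events if r == "OK" and ts >= start]
                alerts[src] = {"targets": sorted(per_user), "logged_in_as": ok}
                break
    return alerts
```

The single-account burst from 198.51.100.9 is deliberately not reported: it trips ordinary lockout-based alerting, whereas the low-and-slow spray from 203.0.113.7 is what this rule exists to catch.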

Monitoring open source intelligence for new threats

To understand where to focus resources in this new threat landscape, organizations require real-time open source vulnerability intelligence. DigitalStakeout Scout enables you to automate this process by collecting online chatter about vulnerabilities and exploits. Scout enables you to create rules for tagging, enriching and alarming on what's most important.

If you need immediate help with this concern, please contact us and a member of our team will get back to you ASAP.