Many cybercriminals have been exploiting the coronavirus to specifically target hospitals and healthcare providers. The thinking is that these types of organizations are so busy and engaged handling COVID-19 cases that security may be taking a back seat amid other priorities. Specific attacks against healthcare providers detected by security agencies in the UK and US are using password spraying to compromise accounts with weak passwords.

Password spraying is a type of brute-force attack in which criminals try to obtain the passwords of multiple accounts in one shot. In a password spraying campaign, the attackers feed a large number of usernames or email addresses into a program that attempts to match those accounts with commonly used passwords.

Most organizations use a standard email addressing format such as [FirstName].[LastName]@[DomainName]. At the same time, many users still rely on weak and vulnerable passwords. As such, a password spraying campaign can find a host of vulnerable accounts relatively quickly.


In a report issued Tuesday, both the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) warned about a new wave of large-scale password spraying campaigns directed at healthcare and medical organizations. The advanced persistent threat (APT) groups behind such campaigns typically seek out bulk personal information and intellectual property. In this case, attackers have been targeting national and international healthcare bodies, pharmaceutical companies, research organizations, and local government agencies with the likely goal of stealing information related to the coronavirus outbreak.

In response, the UK’s NCSC has been aiding the country’s National Health Service to protect its systems.

“By prioritizing any requests for support from health organizations and remaining in close contact with industries involved in the coronavirus response, we can inform them of any malicious activity and take the necessary steps to help them defend against it,” the NCSC said.

At the same time, the US’s CISA has been focusing its efforts on healthcare organizations.

“CISA has prioritized our cybersecurity services to healthcare and private organizations that provide medical support services and supplies in a concerted effort to prevent incidents and enable them to focus on their response to COVID-19,” CISA said.

To help protect hospitals and medical facilities from password spraying attacks, the two security agencies are advising workers to change any password that could be reasonably guessed to one created with three random words. The two agencies are also urging organizations and workers to implement two-factor authentication to reduce the threat of these attacks.

Further, the NCSC offers specific tips to organizations and their security staff to prevent successful password spraying attacks:

  1. Configure protective monitoring over externally reachable authentication endpoints to look for password spraying attacks. Some ideas are given in the password guidance.
  2. Deploy alternatives to passwords where possible. Examples can be found in recently published case studies.
  3. Enforce multifactor authentication on your externally reachable authentication endpoints.
  4. Provide pragmatic advice to users on how to choose “good” passwords.
  5. Regularly audit user passwords against common password lists using free or commercial tools (or the NCSC PowerShell script).
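
As an added example (not from the NCSC guidance or the original article), the protective monitoring in tip 1 can key on the pattern that separates spraying from an ordinary forgotten password: one source failing against many accounts with only a few tries each. The log format, thresholds, and function names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs): time, source IP, username, result.
SAMPLE_LOG = """\
2020-05-05T09:00:01 198.51.100.7 alice.smith@example.org FAIL
2020-05-05T09:00:03 198.51.100.7 bob.jones@example.org FAIL
2020-05-05T09:00:05 198.51.100.7 carol.nguyen@example.org FAIL
2020-05-05T09:00:08 198.51.100.7 dan.okafor@example.org OK
2020-05-05T09:00:10 198.51.100.7 erin.patel@example.org FAIL
2020-05-05T09:00:12 198.51.100.7 frank.li@example.org FAIL
2020-05-05T09:00:14 198.51.100.7 gina.ross@example.org FAIL
2020-05-05T09:01:00 203.0.113.20 alice.smith@example.org FAIL
2020-05-05T09:01:20 203.0.113.20 alice.smith@example.org FAIL
2020-05-05T09:01:40 203.0.113.20 alice.smith@example.org FAIL
2020-05-05T09:02:00 203.0.113.20 alice.smith@example.org OK
"""

def parse(log_text):
    """Yield (time, source, user, succeeded) from whitespace-separated lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines instead of crashing
            ts, src, user, result = parts
            yield datetime.fromisoformat(ts), src, user.lower(), result == "OK"

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag sources that fail against many accounts with only a few tries each."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, src, user, ok in events:
        if ok:
            wins[src].add(user)
        else:
            fails[src].append((ts, user))
    alerts = {}
    for src, evs in fails.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            tries = Counter(user for _, user in evs[start:end + 1])
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                best = max(best, len(tries))
        if best:
            # Successes from a spraying source are accounts to reset and review.
            alerts[src] = {"targeted": best, "needs_reset": sorted(wins[src])}
    return alerts

ALERTS = detect_spray(parse(SAMPLE_LOG))
```

The second source, which fails repeatedly on a single account before succeeding, is not flagged; per-account lockout already covers that case, while the first source stays under any per-account threshold.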

Finally, another NCSC document contains additional recommendations for organizations to follow:

  1. Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations. See CISA’s guidance on enterprise VPN security and NCSC guidance on virtual private networks for more information.
  2. Use multifactor authentication (MFA) to reduce the impact of password compromises. See NCSC guidance on multifactor authentication services and setting up two-factor authentication. Also see the U.S. National Cybersecurity Awareness Month’s how-to guide for multifactor authentication.
  3. Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers from easily gaining privileged access to your most vital assets. See the NCSC blog on protecting management interfaces.
  4. Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See the NCSC introduction to logging for security purposes.
  5. Review and refresh your incident management processes. See the NCSC guidance on incident management.
  6. Use modern systems and software. More modern systems have better built-in security. If you cannot move off out-of-date platforms and applications, there are short-term steps you can take to improve your position. See the NCSC guidance on obsolete platform security.
  7. Invest in preventing malware-based attacks across various scenarios. See the NCSC guidance on mitigating malware and ransomware attacks. Also see CISA’s guidance on ransomware and protecting against malicious code.
