Healthcare & Essential Services Involved in COVID-19 Response Targeted by Threat Groups

The national cybersecurity agencies in two countries, the UK and the US, recently issued a joint alert warning that threat actors are targeting healthcare and essential services involved in the response to COVID-19.

In a joint alert, the United Kingdom’s National Cyber Security Centre (NCSC) and United State’s Cybersecurity and Infrastructure Security Agency (CISA) warned that advanced persistent threat (APT) groups are targeting organizations involved in both national and international COVID-19 responses, including healthcare bodies, pharmaceutical companies, academia, medical research organizations and local governments. APT groups refer to malicious actors, typically nation-state or state-sponsored, whose sole purpose is to gain access to victims’ computer networks and remain there undetected for an extended period.

According to NCSC and CISA, organizations involved in COVID-19 responses are targeted for the purpose of collecting bulk personal information and intellectual property related to COVID-19. Organizations involved in COVID-19-related research, in particular, the national cybersecurity agencies said, are attractive targets for APT actors as they are looking to get hold of information for their domestic research efforts into COVID-19-related medicine.

The shift to remote working as a result of the COVID-19 crisis, NCSC and CISA said, resulted in the exploitation of known security vulnerabilities. The Canadian Centre for Cyber Security earlier warned local organizations that the COVID-19 pandemic presents an “elevated level of risk” to the cybersecurity of Canadian health organizations involved in the national response to the pandemic. The Cyber Centre said that the vulnerabilities related to remote working are of particular concern during the current pandemic.

Known Security Vulnerabilities Exploited by APT Groups

According to NCSC and CISA, the following known security vulnerabilities are being actively exploited by APT actors in order to gain access to the networks of organizations involved in COVID-19 responses:

  1. CVE-2019-19781 Vulnerability

CVE-2019-19781 is a security vulnerability in Citrix devices. This security vulnerability allows remote attackers to read sensitive information from system configuration files without the need for user authentication and remotely execute arbitrary code.

  1. VPN Vulnerabilities in Products from Pulse Secure, Fortinet and Palo Alto

In August 2019, vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet and Palo Alto were publicly disclosed. While patches, fixing these vulnerabilities, were released by the concerned VPN product vendors, malicious actors exploit the fact that many don’t timely apply the released patches.

In Fortinet Fortigate VPN products, the following security vulnerabilities were identified:

-CVE-2018-13382: A vulnerability that allows unauthenticated user to change VPN user passwords

-CVE-2018-13379: A vulnerability that allows a remote, unauthenticated actor to view sensitive information, including plaintext usernames and passwords.

-CVE-2018-13380: A cross-site scripting vulnerability.

-CVE-2018-13383: A remote code execution vulnerability that allows an authenticated user to execute code on the VPN server.

In Palo Alto GlobalProtect VPN products, the security vulnerability designated as CVE-2019-1579 allows a remote, unauthenticated actor to execute arbitrary code on the VPN server. In Pulse Connect Secure and Pulse Policy Secure VPN products, the security vulnerability designated as CVE-2019-11510 allows a remote, unauthenticated actor to view cached plaintext user passwords and other sensitive information.

  1. Password Spraying

The national cybersecurity agencies in the UK and the US also emphasized in their joint alert that APT groups are using the tactic called “password spraying” in their attempts to infiltrate organizations involved in the COVID-19 responses. Password spraying is a cyberattack that attempts to brute force a large number of accounts using only a few commonly used passwords. In a brute force attack, an attacker uses a trial and error method in guessing the correct password.

“Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions,” NCSC and CISA said. “The actors will then “spray” the identified accounts with lists of commonly used passwords.”

Results from a separate study conducted by NCSC showed that 75% of the participating organizations had accounts with passwords that featured in the top 1,000 passwords, and 87% had accounts with passwords that featured in the top 10,000.

The study results, NCSC said, suggest that password spraying attacks are likely to have some success against these organizations. While account lockout policy limits attackers in guessing, for instance, 8 passwords per day against a single account, this policy allows resets over time, enabling threat actors to launch additional password spraying attacks.

Preventive and Mitigating Measures Against Known Security Vulnerabilities

Here are some of the preventive and mitigating measures against the above-mentioned known security vulnerabilities:

– Keep All Software Up to Date

For the known security vulnerabilities in Citrix devices and Pulse Secure, Fortinet and Palo Alto VPN devices, it’s important to keep these devices up to date by applying the latest security updates, specifically patches to the above-mentioned security vulnerabilities.

-Use Multi-Factor Authentication

The use of multi-factor authentication reduces the impact of password compromises, as in the case of password spraying attacks, guessing the correct username and password combination isn’t enough to authenticate a user. While multi-factor authentication may be bypassed by some attackers, this additional measure gives another layer of security to your organization’s network.

-Protect Management Interfaces

Management interfaces refer to the more traditional ones such as consoles and remote desktops. These also refer to browser-based admin interfaces to configure infrastructure, and web-based interfaces to configure many cloud services. Once attackers gain access to one of these management interfaces, they will inherit full control of your organization’s network.

One of the best practices in protecting management interfaces is by ensuring that system administrators fulfill their administrative duties, such as accessing management interfaces in a “clean” environment, while tasks such as checking emails and browsing the internet are done in a separate “dirty” environment. This dirty environment should be designed in such a way that it anticipates cyberattacks.

Making sure your systems are secure takes a lot of time and requires a particular skillset. Cybercriminals exploit our vulnerabilities and would not stop until they reach their goals. GenX Solutions delivers managed IT support services making sure that you can focus on your business.

Don’t fall victim and call us today (416) 920-3000 to schedule a free consultation and assessment of your IT or email

Leave a Reply

Your email address will not be published. Required fields are marked *