ALERT: APT Groups Target Healthcare and Essential Services

Source: CISA

​APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.
The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[1],[2] and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[3],[4]

Mitigations
A number of other mitigations will be of use in defending against the campaigns detailed in this report:

• Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations. See CISA’s guidance on enterprise VPN security and NCSC guidance on virtual private networks for more information.
• Use multi-factor authentication to reduce the impact of password compromises. See the U.S. National Cybersecurity Awareness Month’s how-to guide for multi-factor authentication. Also see NCSC guidance on multi-factor authentication services and setting up two factor authentication.
• Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets. See the NCSC blog on protecting management interfaces.
• Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See the NCSC introduction to logging security purposes.
• Review and refresh your incident management processes. See the NCSC guidance on incident management.
• Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See the NCSC guidance on obsolete platform security.
• Further information: Invest in preventing malware-based attacks across various scenarios. See CISA’s guidance on ransomware and protecting against malicious code. Also see the NCSC guidance on mitigating malware and ransomware attacks.

Read More