The UK National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory today(pdf), highlighting ongoing activity by Advanced Persistent Threat (APT) groups against healthcare and essential services.
The six-page advisory states that unnamed hacking groups are targeting organizations “in order to collect bulk personal information, intellectual property and intelligence that aligns with national priorities.” They specifically called out pharmaceutical and research organizations as active targets with APT groups trying to obtain IP for commercial and state benefit. NCSC and CISCA state that a recent Citrix vulnerability (CVE-2019-19781) and vulnerabilities in various VPN products are known tools for the threat actors.
The advisory goes on to describe how the APT groups are using password spraying to attempt to brute force access to sensitive accounts. Password spraying is a type of authentication attack where a cyber-criminal first identifies the logon username or email for a valid account and then “sprays” commonly used passwords at the account in hopes of finding the correct one. This attack takes advantage of users who don’t create strong, unique passwords for each of their accounts and organizations that don’t deploy multi-factor authentication (MFA).
While account lockout practices are growing in popularity — where an account is automatically locked after too many authentication failures in a short time window — these particular threat actors are getting around that protection by trying a single password against a large number of accounts before moving on to try a second password.
The good news is, password spraying is easily defeated by good password policies and multi-factor authentication. Password managers can help users generate and keep track of strong, unique passwords for each of their accounts without requiring photographic memory and secure MFA deployments mitigate the risk from authentication attacks nearly entirely on their own.