A joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) was released regarding indications that Advanced Persistent Threat (APT) groups are actively exploiting the COVID-19 pandemic as part of their cyber operations to target pharmaceutical companies, medical research organizations, and universities.
It is believed the intention is to steal sensitive research data and intellectual property for commercial and state benefit. Any organization involved in COVID-19 related research is considered a high-value target for these APT groups.
CISA and NCSC are currently investigating a large-scale password spraying campaign conducted by these groups. Password spraying is a brute-force technique commonly used by APT groups: a single password is tried against many accounts before moving on to the next candidate password. Keeping the number of attempts per account low helps the attacker avoid triggering account lockouts and being detected. These attacks frequently succeed because, across a large set of accounts, some are likely to use common passwords.
Once an account is compromised, the attackers can begin to access other accounts where the same credentials are reused while also moving laterally throughout the network where they can begin to place backdoors, steal data, and perform additional attacks.
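The spraying pattern described above (one source, few failures per account, many distinct accounts) is something authentication logs can be checked for. The following is an added example, not part of the CISA/NCSC alert; the log format, field names and thresholds are assumptions chosen for illustration.

```python
# Added example: flag the password-spraying pattern (one source, few failures
# per account, many distinct accounts) in authentication failure logs.
# Log format, field names and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-05-05T09:00:01 FAIL user=alice src=203.0.113.7
2020-05-05T09:00:03 FAIL user=bob src=203.0.113.7
2020-05-05T09:00:05 FAIL user=carol src=203.0.113.7
2020-05-05T09:00:07 FAIL user=dave src=203.0.113.7
2020-05-05T09:00:09 FAIL user=erin src=203.0.113.7
2020-05-05T09:00:11 SUCCESS user=frank src=203.0.113.7
2020-05-05T09:01:00 FAIL user=alice src=198.51.100.2
2020-05-05T09:01:01 FAIL user=alice src=198.51.100.2
2020-05-05T09:01:02 FAIL user=alice src=198.51.100.2
2020-05-05T09:01:03 FAIL user=alice src=198.51.100.2
"""

def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user_kv, src_kv = line.split()
    return datetime.fromisoformat(ts), result, user_kv[5:], src_kv[4:]

def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=3):
    """Return {source: sorted accounts} for sources showing a spray pattern:
    within `window`, failures against >= min_accounts distinct accounts, none
    exceeding max_per_account (i.e. staying under a typical lockout threshold).
    A single-account brute force is deliberately not flagged here; the lockout
    policy is the control for that pattern."""
    failures = defaultdict(list)  # source -> [(timestamp, user), ...]
    for line in filter(None, log_text.splitlines()):
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide window from each failure
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[src] = sorted(per_user)
                break
    return flagged
```

Run against the constructed sample, only 203.0.113.7 is flagged (five accounts, one failure each); the repeated failures against a single account from 198.51.100.2 are left to the lockout policy.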
How to Prevent
At the following link, NCSC has provided a downloadable text file containing the top 100,000 passwords. https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
If your password is within this list, it should be changed immediately.
CISA also provides guidance on password Do's and Don'ts: https://www.us-cert.gov/ncas/tips/ST04-002
- Use different passwords on different systems and accounts.
- Use the longest password or passphrase permissible by each password system.
- Develop mnemonics to remember complex passwords.
- Consider using a password manager program to keep track of your passwords.
- Do not use passwords that are based on personal information that can be easily accessed or guessed.
- Do not use words that can be found in any dictionary of any language.
It is strongly suggested that organizations conduct user awareness training on password best practices.