National Cyber Awareness System:
08:58 AM EDT
Original release date: May 5, 2020
This is a joint alert
from the United States Department of Homeland Security (DHS) Cybersecurity and
Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber
Security Centre (NCSC).
CISA and NCSC continue to see indications that advanced persistent threat
(APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as
part of their cyber operations. This joint alert highlights ongoing activity by
APT groups against organizations involved in both national and international
COVID-19 responses. It describes some of the methods these actors are using to
target organizations and provides mitigation advice.
The joint CISA-NCSC Alert:
(AA20-099A) COVID-19 Exploited by Malicious Cyber Actors from April 8,
2020, previously detailed the exploitation of the COVID-19 pandemic by
cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to
ongoing malicious cyber activity relating to COVID-19. For a graphical summary
of CISA’s joint COVID-19 Alerts with NCSC, see the following guide.
APT actors are actively targeting organizations involved in both national
and international COVID-19 responses. These organizations include healthcare
bodies, pharmaceutical companies, academia, medical research organizations, and
APT actors frequently target organizations in order to collect bulk personal
information, intellectual property, and intelligence that aligns with national
The pandemic has likely raised additional interest for APT actors to gather
information related to COVID-19. For example, actors may seek to obtain
intelligence on national and international healthcare policy, or acquire
sensitive data on COVID-19-related research.
pharmaceutical and research organizations
CISA and NCSC are currently investigating a number of incidents in which
threat actors are targeting pharmaceutical companies, medical research
organizations, and universities. APT groups frequently target such
organizations in order to steal sensitive research data and intellectual
property for commercial and state benefit. Organizations involved in
COVID-19-related research are attractive targets for APT actors looking to
obtain information for their domestic research efforts into COVID-19-related
These organizations’ global reach and international supply chains increase
exposure to malicious cyber actors. Actors view supply chains as a weak link
that they can exploit to obtain access to better-protected targets. Many supply
chain elements have also been affected by the shift to remote working and the
new vulnerabilities that have resulted.
Recently CISA and NCSC have seen APT actors scanning the external websites
of targeted companies and looking for vulnerabilities in unpatched software.
Actors are known to take advantage of Citrix vulnerability CVE-2019-19781, and
vulnerabilities in virtual private network (VPN) products from Pulse Secure,
Fortinet, and Palo Alto.,
password spraying activity
CISA and NCSC are actively investigating large-scale password spraying campaigns
conducted by APT groups. These actors are using this type of attack to target
healthcare entities in a number of countries—including the United Kingdom and
the United States—as well as international healthcare organizations.
Previously, APT groups have used password spraying to target a range of
organizations and companies across sectors—including government, emergency
services, law enforcement, academia and research organizations, financial
institutions, and telecommunications and retail companies.
spraying is a commonly used style of brute force attack in which the
attacker tries a single and commonly used password against many accounts before
moving on to try a second password, and so on. This technique allows the
attacker to remain undetected by avoiding rapid or frequent account lockouts.
These attacks are successful because, for any given large set of users, there
will likely be some with common passwords.
Malicious cyber actors, including APT groups, collate names from various
online sources that provide organizational details and use this information to
identify possible accounts for targeted institutions. The actors will then
“spray” the identified accounts with lists of commonly used passwords.
Once the malicious cyber actor compromises a single account, they will use
it to access other accounts where the credentials are reused. Additionally, the
actor could attempt to move laterally across the network to steal additional
data and implement further attacks against other accounts within the network.
In previous incidents investigated by CISA and NCSC, malicious cyber actors
used password spraying to compromise email accounts in an organization and
then, in turn, used these accounts to download the victim organization’s Global
Address List (GAL). The actors then used the GAL to password spray further
NCSC has previously provided examples
of frequently found passwords, which attackers are known to use in password
spray attacks to attempt to gain access to corporate accounts and networks. In
these attacks, malicious cyber actors often use passwords based on the month of
the year, seasons, and the name of the company or organization.
CISA and NCSC continue to investigate activity linked to large-scale
password spraying campaigns. APT actors will continue to exploit COVID-19 as
they seek to answer additional intelligence questions relating to the pandemic.
CISA and NCSC advise organizations to follow the mitigation advice below in
view of this heightened activity.
CISA and NCSC have previously published information for organizations on
password spraying and improving password policy. Putting this into practice
will significantly reduce the chance of compromise from this kind of attack.
alert on password spraying attacks
guidance on choosing and protecting passwords
guidance on supplementing passwords
guidance on password spraying attacks
guidance on password administration for system owners
guidance on password deny lists
Essentials for small organizations provides guiding principles for leaders
to develop a culture of security and specific actions for IT professionals to
put that culture into action. Additionally, the UK government’s Cyber Aware campaign
provides useful advice for individuals on how to stay secure online during the
coronavirus pandemic. This includes advice on protecting passwords, accounts,
A number of other mitigations will be of use in defending against the
campaigns detailed in this report:
VPNs, network infrastructure devices, and devices being used to remote
into work environments with the latest software patches and
CISA’s guidance on
enterprise VPN security and NCSC guidance
on virtual private networks for more information.
multi-factor authentication to reduce the impact of password compromises. See the U.S. National
Cybersecurity Awareness Month’s how-to
guide for multi-factor authentication. Also see NCSC guidance on multi-factor
authentication services and setting
up two factor authentication.
the management interfaces of your critical operational systems. In particular, use
browse-down architecture to prevent attackers easily gaining privileged
access to your most vital assets. See the
NCSC blog on protecting management interfaces.
up a security monitoring capability so you are collecting
the data that will be needed to analyze network intrusions. See the NCSC
introduction to logging security purposes.
and refresh your incident management processes. See the
NCSC guidance on incident management.
modern systems and software. These have better security built in. If you cannot move
off out-of-date platforms and applications straight away, there are
short-term steps you can take to improve your position. See the
NCSC guidance on obsolete platform security.
in preventing malware-based attacks across various scenarios. See CISA’s
guidance on ransomware
and protecting against
malicious code. Also see the
NCSC guidance on mitigating malware and ransomware attacks.
CISA encourages U.S. users and organizations to contribute any additional
information that may relate to this threat by emailing CISAServiceDesk@cisa.dhs.gov.
The NCSC encourages UK organizations to report any suspicious activity to
the NCSC via their website: https://report.ncsc.gov.uk/.
This report draws on
information derived from CISA, NCSC, and industry sources. Any findings and
recommendations made have not been provided with the intention of avoiding all
risks and following the recommendations will not remove all such risk.
Ownership of information risks remains with the relevant system owner at all
CISA does not endorse any
commercial product or service, including any subjects of analysis. Any
reference to specific commercial products, processes, or services by service
mark, trademark, manufacturer, or otherwise, does not constitute or imply their
endorsement, recommendation, or favoring by CISA.
CISA Alert: Detecting Citrix CVE-2019-19781
NCSC Alert: Actors exploiting Citrix products vulnerability
CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability
-  NCSC
Alert: Vulnerabilities exploited in VPN products used worldwide
- May 5, 2020: Initial Version