Malicious actors use “Password Spraying” to breach sensitive medical and health data
A U.S. and UK joint alert on May 5 warns hackers “are actively targeting organizations involved in both national and international COVID-19 responses.”
The UK's National Cyber Security Centre (NCSC) and the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) exposed hacking campaigns (pdf) targeting organizations involved in the response to the CCP (Chinese Communist Party) virus outbreak, commonly known as the novel coronavirus.
According to the CISA alert, the campaigns were conducted by “advanced persistent threat” (APT) groups that used a “password spraying” technique to steal bulk personal information from healthcare, medical research, pharmaceutical and academic institutions, as well as local governments.
APT actors are typically state-sponsored hacking groups that gain unauthorized access to computer networks to steal data or disrupt operations, and they can keep attacking the same network for months or years while remaining undetected, according to FireEye, a cybersecurity company. They are believed to be sponsored by China, Russia, Iran, and some other states.
With the outbreak of the CCP virus, APT actors have intensified their activities “to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research for commercial and state benefits,” according to the NCSC alert.
Password spraying is a hacking technique that tries a single commonly used password against a large number of accounts. The password is tried only once per account; if the attempt fails, the attacker moves on to the next account. The more accounts are tried, the higher the likelihood of finding one that uses that password. The attacker can then repeat the process with a second commonly used password across the same large set of accounts.
This approach lets hackers avoid account lockout: many systems limit the number of invalid password attempts and lock an account once that limit is reached, but a single attempt per account stays below the limit.
Once an account is compromised, the hacker can use that access to steal personal data, compromise more accounts, and exfiltrate intelligence or intellectual property from the system.
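The pattern described above (many accounts, few failures each, from one source) is also what makes spraying detectable. The following added example, not part of the article or the alert, runs that detection logic over a constructed authentication log; the lockout and alert thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log: timestamp, result, account, source IP.
# These lines are invented for this example and do not come from any real system.
SAMPLE_LOG = """\
2020-05-05T09:00:01 FAIL alice 203.0.113.7
2020-05-05T09:00:02 FAIL bob 203.0.113.7
2020-05-05T09:00:03 FAIL carol 203.0.113.7
2020-05-05T09:00:04 FAIL dave 203.0.113.7
2020-05-05T09:00:05 OK erin 203.0.113.7
2020-05-05T09:00:06 FAIL frank 203.0.113.7
2020-05-05T09:00:07 FAIL alice 198.51.100.4
2020-05-05T09:00:08 FAIL alice 198.51.100.4
2020-05-05T09:00:09 FAIL alice 198.51.100.4
2020-05-05T09:00:10 FAIL alice 198.51.100.4
2020-05-05T09:00:11 OK bob 192.0.2.9
"""

LOCKOUT_THRESHOLD = 5      # assumed per-account lockout policy
MIN_DISTINCT_ACCOUNTS = 4  # assumed alert threshold for one source


def parse(log):
    """Yield (timestamp, result, account, ip) tuples from the whitespace-separated log."""
    for line in log.splitlines():
        ts, result, account, ip = line.split()
        yield ts, result, account, ip


def detect_spraying(log, min_accounts=MIN_DISTINCT_ACCOUNTS, lockout=LOCKOUT_THRESHOLD):
    """Return {source_ip: {...}} for sources whose failures fan out across many
    accounts while every account stays under the lockout threshold.
    One account hammered from one source is brute force, not spraying, and is ignored."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> account -> fail count
    successes = defaultdict(set)                      # ip -> accounts that logged in
    for _, result, account, ip in parse(log):
        if result == "FAIL":
            failures[ip][account] += 1
        elif result == "OK":
            successes[ip].add(account)
    alerts = {}
    for ip, per_account in failures.items():
        under_lockout = all(n < lockout for n in per_account.values())
        if under_lockout and len(per_account) >= min_accounts:
            alerts[ip] = {"accounts_tried": sorted(per_account),
                          "successes": sorted(successes.get(ip, ()))}
    return alerts
```

In the sample, only 203.0.113.7 is flagged; 198.51.100.4 fails four times against one account and so matches brute force rather than spraying.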
To reduce the risk of hacking, CISA recommends two measures: changing all passwords that can be easily guessed to stronger passwords using a sequence of _