Health sector must implement strategies to mitigate these attacks.
The Australian health sector is continually being threatened by advanced persistent threat (APT) actors.
The Australian Cyber Security Centre (ACSC, part of the Australian Signals Directorate) has issued its Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services, with recommendations for the health sector to implement strategies to mitigate these attacks.
Australia’s health sector is under extra pressure: not only is it dealing with COVID-19, it is also facing the associated threats and attacks on medical facilities and research centres.
According to the ACSC, sophisticated actors have been using “efficient means” available to target a victim’s network, with APT groups seeking “to maximise on the public desire for COVID-19 related information by generating specific COVID-19 themed spear-phishing emails”.
Adversaries and cybercrime actors have been identified as responsible for compromising email servers of health sector entities in Australia, which are then used to distribute COVID-19 phishing emails in an attempt to deploy malicious software, including ransomware, or to gain access to other targeted organisations, states the ACSC.
“Malicious actors view health sector entities as a lucrative target for ransomware attacks. This is because of the sensitive personal and medical data they hold, and how critical this data is to maintaining operations and patient care. A significant ransomware attack against a hospital network would have major impact,” it states.
According to the ACSC, sophisticated actors have also been seen undertaking brute force attacks, which use a trial-and-error method to guess login credentials, and password spray attacks, which attempt to access numerous accounts with a list of commonly used passwords.
Attacks such as these often result in the theft of sensitive data and underscore the importance of a strong cyber security culture amongst employees. This includes adopting multi-factor authentication, strong password policies, and regular reviews of network logs for signs of malicious activity.
The exploitation of compromised Remote Desktop Protocol (RDP) credentials by malicious actors is also a significant concern, particularly as RDP is widely used by medical clinics and doctors’ surgeries to access centralised patient databases and other shared information repositories. Compromised RDP credentials can enable unauthorised access to networks in a way that obscures the malicious actor’s digital footprint and identity, because the activity appears to come from a legitimate user.
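The brute force, password spray and RDP credential abuse described above all leave a trace in authentication logs, which is why the advisory pairs them with regular log review. The following is an added example, not code from the article or the ACSC: it parses a constructed, hypothetical authentication log format (field names, hosts, users and addresses are all made up) and flags two patterns. A password spray shows as one source failing against many different accounts a few times each; a brute force shows as one source hammering a single account. The event number 4625 (failed logon) and logon type 10 (remote interactive, i.e. RDP) follow Windows Security log conventions, but the line layout itself is an assumption for this example.

```python
"""Flag password-spray and brute-force patterns in a failed-logon log.

Added example; the log format below is constructed for illustration and is
not the article's or the ACSC's own material.
"""
import re
from collections import defaultdict

# Hypothetical log line layout: "<timestamp> host=<h> event=<n> user=<u> src=<ip> logon_type=<t>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<logon_type>\d+)$"
)

FAILED_LOGON = "4625"      # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = "10"      # Windows logon type 10: RemoteInteractive (RDP)

# Constructed sample data: one spray against six accounts over RDP from
# 203.0.113.45, one brute force against "admin" from 198.51.100.7, and a
# nurse who mistyped a password once then logged in (benign).
SAMPLE_LOG = """\
2020-05-08T09:00:01Z host=clinic-dc1 event=4625 user=j.smith src=203.0.113.45 logon_type=10
2020-05-08T09:00:02Z host=clinic-dc1 event=4625 user=a.wong src=203.0.113.45 logon_type=10
2020-05-08T09:00:03Z host=clinic-dc1 event=4625 user=m.patel src=203.0.113.45 logon_type=10
2020-05-08T09:00:04Z host=clinic-dc1 event=4625 user=r.chen src=203.0.113.45 logon_type=10
2020-05-08T09:00:05Z host=clinic-dc1 event=4625 user=s.obrien src=203.0.113.45 logon_type=10
2020-05-08T09:00:06Z host=clinic-dc1 event=4625 user=k.nguyen src=203.0.113.45 logon_type=10
2020-05-08T09:05:00Z host=clinic-dc1 event=4625 user=nurse1 src=10.0.0.12 logon_type=10
2020-05-08T09:05:30Z host=clinic-dc1 event=4624 user=nurse1 src=10.0.0.12 logon_type=10
2020-05-08T09:10:01Z host=clinic-dc1 event=4625 user=admin src=198.51.100.7 logon_type=3
2020-05-08T09:10:02Z host=clinic-dc1 event=4625 user=admin src=198.51.100.7 logon_type=3
2020-05-08T09:10:03Z host=clinic-dc1 event=4625 user=admin src=198.51.100.7 logon_type=3
2020-05-08T09:10:04Z host=clinic-dc1 event=4625 user=admin src=198.51.100.7 logon_type=3
2020-05-08T09:10:05Z host=clinic-dc1 event=4625 user=admin src=198.51.100.7 logon_type=3
2020-05-08T09:10:06Z host=clinic-dc1 event=4625 user=admin src=198.51.100.7 logon_type=3
2020-05-08T09:10:07Z host=clinic-dc1 event=4625 user=admin src=198.51.100.7 logon_type=3
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text, spray_min_users=5, spray_max_per_user=2, brute_min_failures=5):
    """Group failed logons by source and apply two simple threshold rules.

    Thresholds are illustrative; tune them to the environment's baseline.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed logon count
    rdp_sources = set()                               # sources with any RDP-type failure

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != FAILED_LOGON:
            continue  # ignore unparseable lines and successful logons
        failures[rec["src"]][rec["user"]] += 1
        if rec["logon_type"] == RDP_LOGON_TYPE:
            rdp_sources.add(rec["src"])

    spray, brute = [], []
    for src, per_user in failures.items():
        total = sum(per_user.values())
        # Spray: many distinct accounts, each tried only a few times (low and slow per account).
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            spray.append({"src": src, "users": len(per_user), "failures": total,
                          "rdp": src in rdp_sources})
        # Brute force: one account failing repeatedly from the same source.
        for user, n in per_user.items():
            if n >= brute_min_failures:
                brute.append({"src": src, "user": user, "failures": n,
                              "rdp": src in rdp_sources})
    return {"password_spray": spray, "brute_force": brute}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

The nurse's single failure never trips either rule, which is the point of thresholds: a review process that alerts on every failed logon trains staff to ignore it. The `rdp` flag is what turns a generic credential-guessing alert into the specific RDP concern the advisory raises, since a spray succeeding against an RDP endpoint gives the actor an interactive session that looks like a normal clinic user.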
Organisations should implement the recommendations in this advisory to mitigate the threat of this malicious activity and harden their network against unauthorised access.
The ACSC recommends that organisations in the health sector implement the following cyber security mitigations:
- Implement the Essential Eight security controls
- Enable multi-factor authentication
- Block macros
- Patch systems and applications regularly
- Make regular back-ups of critical systems and databases
- Alert and educate staff
- Scan email content
- Develop or update incident response plans
Organisations should ensure that they have an up-to-date Incident Response Plan (IRP) that includes procedures to respond to a ransomware infection. In most situations, the aim of the ransomware procedures will be to:
- quickly identify affected systems
- quarantine the affected systems and isolate business critical systems
- identify and implement security controls to prevent the propagation of the ransomware to other systems, and
- preserve evidence for future analysis and restoration from backup.
During the COVID-19 pandemic, systems that support an organisation’s pandemic response and patient care functions should be considered business critical. The IRP should document a tested procedure for isolating these systems so that they can be quickly placed under protection if a ransomware outbreak occurs.