#COVID19, Password Spraying and the NHS

Written by

The National Cyber Security Centre (NCSC) last year released specific advice on how healthcare organizations should defend themselves against cyber-attacks in light of the increased digital traffic associated with the COVID-19 pandemic. The advisory, which was jointly written with the US Cybersecurity and Infrastructure Security Agency (CISA), highlights the need for advanced security measures as advanced persistent threat (APT) groups target healthcare and essential services involved in national and international COVID-19 responses.

The report identifies the key methods APTs use to perform COVID-19-related cyber-attacks, predominantly highlighting the vulnerability of pharmaceutical and research organizations and other entities with access to sensitive COVID-19 data, particularly through malicious campaigns known as password spraying. The advisory also lays out some suggestions of how healthcare organizations could mitigate these threats. These seek to minimize the risk of password compromising attacks by enforcing stricter institutional password security through, for instance, comprehensive security software, password screening and adding multi-factor authentication (MFA) to login credentials.

Since the beginning of the pandemic, there has been a slew of attacks by cyber-criminals exploiting the amplified sense of uncertainty and fear associated with the disease. The reasons for these attacks have run the gamut: commercial gain, espionage, poaching bulk personal information, response manipulation through misinformation and theft of intellectual property, to name a few. Given the primacy of the pandemic, cyber-criminals will likely be interested in gathering COVID-19-specific information, leaving organizations such as the NHS, integral to the pandemic response, particularly vulnerable to attack.

Password Spraying

One particularly effective and much used line of attack has been through password spraying. Password spraying is the process in which cyber-attackers use a list of commonly used passwords to try and infiltrate end user accounts. Once one account has been successfully hacked, attackers are able to access linked accounts where certain credentials are shared or attempt to infiltrate other users’ accounts laterally, creating a knock-on compromising effect.

Password spraying is particularly effective in large-scale organizations as there is a high chance that, within a large set of accounts, some users will use predictable, easy-to-crack passwords. In a recent research study, NCSC found that 75% of participating organizations had accounts using the 1000 most commonly-found passwords amongst their ranks.

This position is also reflected in the case of the Greater Manchester West Mental Health NHS Foundation Trust, which took the initiative against potential threats of cyber-attack even before the pandemic by implementing a Breached Password Protection solution which enabled the NHS Trust to block weak passwords for Cyber Essentials Plus accreditation, while enjoying the added benefit of multiple policies and clear end user feedback. Head of ICT Andre de Araujo, who was in charge of the move, highlighted the vulnerable position the Trust was in going into the change: “We ran a script to look for hashes that could be cracked. We had hundreds of users with passwords that included the day of the week, month or even the word password, often with a number at the end or an exclamation point. It was interesting to see how many people follow the same patterns, resulting in easy-to-guess passwords.”

Threat Mitigation

A key recommendation given by the NCSC to protect against password spraying is to ensure that there is good institutional policy in place to mitigate the threat of infiltration. Although suggesting available pragmatic guidance to employees on how to choose good, secure passwords, there is a strong emphasis on the implementation of security frameworks that block the adoption of high-probability passwords in the first place, as well as offering up solutions such as MFA and protective monitoring software.

These policy frameworks may include disallowed lists, such as the “pwned” password list collated by the NCSC which is integrated into the Specops Password Policy, password expiration or the implementation of passphrases, which are proven to be more resilient against brute force spraying attacks.

Speaking on the significance of shoring up healthcare organizations against attack, Paul Chichester, director of operations of NCSC, noted the importance of a collaborative cybersecurity effort against APT actors and malicious cyber-actors: “Protecting the healthcare sector is the NCSC’s first and foremost priority at this time, and we’re working closely with the NHS to keep their systems safe. By prioritizing any requests for support from health organizations and remaining in close contact with industries involved in the coronavirus response, we can inform them of any malicious activity and take the necessary steps to help them defend against it. However, we can’t do this alone, and we recommend healthcare policy makers and researchers take our actionable steps to defend themselves from password spraying campaigns.”

Specops Software is working with multiple NHS Trusts and Healthcare organizations to strengthen their cyber-defense and requirements for achieving Cyber Essentials accreditation. Through world class password security and user authentication solutions, Specops solutions and support reduce costs for the IT department, burden on the helpdesk and ensure your first line of defense is protected against the growing threat of cyber-attack.

Specops is currently offering a FREE solution to identify password vulnerabilities in Active Directory, which is an essential first step in your situational analysis against topics discussed in this article.

What’s hot on Infosecurity Magazine?