Cyberattacks on Critical Infrastructure Use Valid Credentials as Initial Access Vector

by | Sep 20, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a report detailing the findings from risk and vulnerability assessments (RVAs) conducted across various organizations, including state, local, tribal, and territorial (SLTT) entities, federal civilian executive branch (FCEB) agencies, and critical private and public infrastructure providers. The analysis offers information about the most frequently exploited vulnerabilities and methods cybercriminals use to infiltrate internal networks.

Attackers use several methods for breaching systems. In 41% of successful attacks, malicious threat actors used valid accounts. In 89% of assessments done by the U.S. Coast Guard (USCG) to acquire access to Domain Administrator accounts, cybercriminals succeeded by cracking the password hashes. Attackers gained entry through internal or external accounts, exploiting weak passwords, default credentials, or stolen administrator accounts. Valid administrative credentials bought from initial access brokers were also used in these attacks.

The report also noted the compromise of accounts belonging to former employees that had not been properly deactivated. Such accounts are often used to install or execute software with exploitable vulnerabilities, and attackers then gain initial access by exploiting those vulnerabilities. Although the use of valid accounts remains the primary method for breaching systems, the share of attacks involving valid accounts has decreased compared with 2022, when over 50% of attacks on critical infrastructure used this approach.

The second most common attack path was phishing or spear phishing to obtain sensitive information or credentials that could be used to gain access to the network. These attacks often involved the impersonation of a trusted individual or entity, such as a colleague, vendor, organization, or acquaintance, to trick recipients into disclosing credentials. The success rate of these attacks depends on the protections in place for detecting malicious emails (spam filters, web filters, and antivirus software), on network boundary protection mechanisms, and on the perceived authenticity of the email content. The exploitation of vulnerabilities accounted for a relatively small share of successful attacks on critical infrastructure: just 6% of all successful attacks in 2023.

To counter phishing attacks, CISA recommends that organizations apply strong anti-phishing measures, such as email filtering based on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to reject spoofed or tampered-with email messages. Because phishing attacks target people, security awareness and HIPAA training can help employees identify and avoid phishing attempts. Furthermore, organizations should offer a simple way for workers to report suspected phishing attempts to their security teams.

CISA recommends several steps for healthcare institutions to improve cybersecurity, based on its Cross-Sector Cybersecurity Performance Goals developed in collaboration with the National Institute of Standards and Technology (NIST).

  • Adopt the HPH Sector Cybersecurity Performance Goals.
  • Implement secure password policies that require strong, unique passwords across all accounts.
  • Protect accounts with phishing-resistant multifactor authentication (MFA).
  • Remove unnecessary and inactive accounts, and separate user and privileged accounts.
  • Establish secure configuration baselines for user systems, including disabling macros by default to reduce the risk of malware delivered through document files.
  • Keep software updated by promptly applying security patches.
  • Log all successful and unsuccessful login attempts and review the logs regularly. Lock user accounts after a set number of unsuccessful login attempts to limit brute-force attacks.
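As an added illustration of the last two recommendations (this is example code, not part of the CISA report or this article), the script below reviews a constructed set of login-log lines, flags accounts that exceed a failure threshold inside a sliding time window so they can be locked, and flags successful logins on accounts HR has marked as belonging to former employees. The log format, the threshold of five failures in ten minutes, and the list of departed accounts are all assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the CISA report), in an assumed
# "timestamp user result source" format.
SAMPLE_LOG = """\
2024-09-19T08:00:01 alice SUCCESS 10.0.0.5
2024-09-19T08:00:05 bob FAILURE 10.0.0.9
2024-09-19T08:00:06 bob FAILURE 10.0.0.9
2024-09-19T08:00:07 bob FAILURE 10.0.0.9
2024-09-19T08:00:08 bob FAILURE 10.0.0.9
2024-09-19T08:00:09 bob FAILURE 10.0.0.9
2024-09-19T09:15:00 jdoe-former SUCCESS 203.0.113.7
2024-09-19T10:00:00 carol FAILURE 10.0.0.12
2024-09-19T11:30:00 carol FAILURE 10.0.0.12
"""

# Accounts HR has marked as departed; an assumed, constructed input.
FORMER_EMPLOYEES = {"jdoe-former"}

LINE_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAILURE) (\S+)$")

def parse_log(text):
    """Return a list of (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def review_logins(text, max_failures=5, window=timedelta(minutes=10), former=FORMER_EMPLOYEES):
    """Return accounts to lock (>= max_failures failures inside `window`)
    and successful logins on accounts that should have been deactivated."""
    events = parse_log(text)
    failures = defaultdict(list)
    to_lock, former_use = set(), []
    for ts, user, result, src in events:
        if result == "FAILURE":
            # Sliding window: keep only the failures that fall inside it.
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= max_failures:
                to_lock.add(user)
        elif user in former:
            former_use.append((user, src))
    return {"lock": sorted(to_lock), "former_account_logins": former_use}
```

Note that carol's two failures fall outside the window and do not trigger a lockout, which is the kind of distinction a review process needs to avoid locking out legitimate users who mistype a password.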

By following these recommendations and maintaining strong cybersecurity practices, organizations can significantly reduce the risk of cyberattacks and strengthen their defenses against increasingly sophisticated threats.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
