Healthcare employees on the frontlines working day and night to end the COVID-19 global pandemic are now targets for cybercriminals. Recent email scams sent to a number of healthcare organizations imitating internal IT teams are attempting to capitalize on the already vulnerable landscape. Black Kite is now diving deeper into the security posture of the hospitals combatting the COVID-19 pandemic in New York.

Targeted Attacks towards HealthCare on the rise

Due to the increased workloads on healthcare workers, targeted attacks have dramatically increased in the medical sector over the past several months. Threat actors with various motives craft phishing campaigns as an initial vector in their attacks. In some cases, they even deploy ransomware through inherent cybersecurity vulnerabilities in the IT systems of healthcare organizations.

An email scam pretending to come from the IT-desk announces a COVID-19 seminar with the subject  “ALL STAFF: CORONAVIRUS AWARENESS” [1]

Will cybercriminals stick to their word? 

Despite the Maze hackers’ public pledge to, “stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus,” they attacked a British medical lab slated to test COVID-19 vaccines. According to a spokesman of Hammersmith Medical Research, the cyber attack was contained immediately  and the officials refused to pay the requested ransom. Some patient information was leaked as a part of the attack.  The research lab performed tests for the Ebola vaccine in the past.

Hospitals and medical research centers are not the only ones undertaking vaccination studies,  rather universities and local government organizations are also pouring in time and efforts. These groups are also among the targets of  sophisticated networks of hackers, most of which are backed by state actors. 

Senior US intelligence official Bill Evanina’s latest statement on the issue claims, “In today’s world, there is nothing more valuable or worth stealing than any kind of biomedical research that is going to help with a coronavirus vaccine.”

Although espionage stands as the top objective behind these attacks, they also tend to steal bulk personal data, intellectual property, and broader information supporting those aims.

Recent Statistics on HealthCare Attacks Align with NormShield’s Findings

In such a climate, a newly established group of cyber security professionals called “Covid-19 Cyber Threat Coalition” now commit their efforts towards coronavirus related cyber attacks. According to their initial findings, the most common coronavirus threats are  [2] credential phishing (33%), scams (30%) and malicious documents as attachments (18%)

These malicious files were identified in the form of Microsoft Word Document files, 7-zip compressed files, Microsoft Visual Basic Script, Java, and Microsoft Executables  [3]. Although the details are not fully known at this stage, the threats are  assumed to have created an initial intrusion vector to enable follow-on system exploitation, persistence, and exfiltration.

A recently discovered COVID-19 bait attributed to TA505 using a Microsoft Excel document. It requests the user to enable macros [4]

Over the past couple of weeks, security researchers observed a campaign from TA505, using coronavirus lure as part of a downloader campaign [5]. While the group previously targeted retail and finance, their new targets became U.S. healthcare, manufacturing, and pharmaceuticals industries.

It is also noted that a number of ransomware groups are hunting for exposed Remote Desktop Protocol, Citrix and Pulse Secure VPN servers, which hospitals frequently use to support remote-working administration staff.
NormShield’s findings on the cyber security of New York City pandemic hospitals also align with these recent attack vectors against healthcare. Vulnerabilities in Email Configurations, Leaked Credentials and Publicly Visible Critical Ports, which are among the most common security findings of NormShield, are merely invitations to hackers whose motive is to turn this crisis into an opportunity.  

What Are the Specific Motives of Hackers?

Cybercriminals execute attacks towards healthcare workers for different reasons. Here is a shortlist of those motivations:

  • To exfiltrate information, any treatment methodology, or novel research regarding COVID-19, including testing of existing drugs  or vaccination studies
  • To infiltrate IT systems of the hospitals and exfiltrate as many PHI (protected health information) as possible 
  • To exfiltrate personal information other than PHI to sell on dark web
  • Immediate monetization through ransomware attacks

Our Research 

The latest attacks against the healthcare sector motivated Normshield researchers to take a closer look into the cyber security of COVID-19 treating hospitals. Our research  is scoped to 20 pandemic hospitals in New York City.

NormShield’s platform ran a passive non-intrusive comprehensive scan for each hospital. Based on the hospital domain name, researchers were able to derive a comprehensive digital footprint including every related healthcare domain, subdomain, IP address, service, email, etc. Building upon the assets discovered in the digital footprint, common security issues were identified and a cyber security score was calculated for each hospital. 

Leaked Credentials in Hospital-related Domains

Image Courtesy: Gerd Altmann from Pixabay 

Leveraging breached credentials is often the initial vector of a phishing email campaign. Phishing attacks present a scheme to trick consumers into thinking they are from legitimate sources, such as the IT department or a peer organization they already trust. 

According to NormShield’s study, 1661 credentials have been leaked from the 20 New York hospitals and their healthcare related domains, from January 2019 to present.  2019 was a year of prominent credential breaches, such as Zynga and Canva, as well as a mass exposure of  credential collections on hacking forums and platforms as in the case of Collection1 and PasteBin.  

What Sources do Hackers Utilize?

The name of a leaked credential is usually mentioned along with the organization where the data breach originated. The two dominating credential leak sources in our research are Zynga (gaming company) and Canva (graphic design website) platforms. NormShield identified the email accounts of NYC healthcare workers, which were used on Zynga and Canva platforms, have been leaked as part of 2019 breaches. The hackers usually sell the credentials on the dark web and do not mind sharing the information with each other.

Why do previously compromised accounts matter?

Employees register various platforms on the internet under their corporate email addresses, sometimes using the same password they use on corporate accounts.  It’s common for hackers to leverage these sources (not the company itself) in crafting their attacks, which is also called “credential stuffing”. Hackers use this method to infiltrate a company’s system by automated injection of previously breached username/password pairs. 

Leaked credentials serve as either a potential target list for their phishing campaigns or a way to access the organization’s resources. When plain (unencrypted) passwords are obtained, a hacker might impersonate regular hospital staff to gain access to these internal resources.

Depending on the type of information leaked, plain (unencrypted) or hashed passwords can open up new attacking methods.

Simple Steps to Prevent “Credential Stuffing” Attacks

  • Keep an eye on credential breaches
  • Warn employees against password reuse across different platforms
  • Enable two-factor authentication where possible
  • Disable macros on Microsoft documents
  • Warn employees against clicking links in email bodies

Email Security of the COVID-19 Hospitals

The graph shows what percent of NYC hospitals a particular email security issue is discovered.

Email Configuration is of paramount importance, especially when another entity attempts to send an email on behalf of an organization. Here, we discovered about 85% of the New York City Hospitals  lack DKIM and 70% of them lack DMARC related controls in their email configurations. DKIM and DMARC records together protect a domain name from being used in phishing and scam emails.

The purpose of an SPF record is to prevent spammers from sending messages forged from addresses of a domain, and in our case, a hospital domain or a trusted party. 25% of the hospitals lack SPF validation and 10% have no SPF record at all.

About 15% of the hospitals on our list are vulnerable to a process called “email address spoofing to itself” which is pretty simple and widespread. In most cases, it doesn’t mean the email account has been hacked; instead, someone is able to imitate the hospital in the email address. 

10% of the hospitals suffer from insecure -not SSL protected webmail communication. Webmail is any email client implemented as a web application running on a web server. 

How hackers leverage these vulnerabilities: Hackers might leverage these vulnerabilities when crafting spoofed emails to hospital staff, pretending to be from WHO or the CDC. In the message body, some announce so-called COVID-19 seminars and provide links to malicious sites for registration.

Simple Steps to Prevent “Email Spoofing” Attacks

  • Ensure DMARC and SPF are in place and setup correctly
  • Create DKIM information for every domain that is used to send emails
  • Enhance spam filters 
  • Read message headers, and cross check IP addresses 
  • Disable SMTP relay for your domain from the internet
  •  If you manage your own email, audit it to see how it responds to SPF and DMARC records

Other Common Security Issues – New York City Hospitals

Apart from email configurations and leaked credentials, some common security findings among hospitals relate to Publicly Visible Critical Ports, SSL/TLS issues and fraudulent sites. 


Statistics show healthcare workers are under immense pressure and exhaustion amid the coronavirus. As “ruthless” as it may seem under these circumstances, it is no surprise that cyber criminals are taking advantage of a worldwide crisis and preying on the most critical element to human survival at the time. 

This research reveals healthcare staff is only a click away from giving a hacker access to critical resources, or allowing cybercriminals to install ransomware that could shut down the systems entirely. Despite these unfortunate conditions, simple steps can be taken to prevent further attacks. 

5 takeaways: 

  1. Educate staff; awareness is the first line of defense 
  2. Check continuously for leaked credentials, warn staff against password reuse, enable MFA where possible
  3. Invest in strong Email Security. Make sure SPF, DMARC, and DKIM controls are in place and properly set up. Enable SSL on webmail.
  4. Beware of cleartext transmission on web site; disable any vulnerable versions of SSL/TLS.
  5. Manage critical ports externally and internally; disable unnecessary services and ports

For the full white paper, visit

How to rate your Cyber Ecosystems

Black Kite’s platform aims to provide full visibility into a cyber ecosystem. The platform enables enterprises to continuously assess third-party risks, assigns a letter grade to each vendor, correlates findings with industry standards to inform compliance requirements, and determines the probable financial impact if a third-party experiences a breach. 

The NormShield Platform’s intuitive interface compiles reports and communicates risks in qualitative, quantitative and easy-to-understand business terms for executives. The interface also allows IT-security teams to drill down to the technical details in each risk category. 

With the alerting mechanism, the users of the platform become aware of the security vulnerabilities within a cyber ecosystem promptly and can take immediate actions.

Learn more at







Featured image courtesy: Image by Lucas Vasques on Unsplash