Microsoft has identified several dozen hospitals whose gateway and VPN appliances are exposed to attack during the COVID-19 pandemic.
The tech giant is warning healthcare providers to be on the lookout for ransomware operators seeking to access critical systems in hospitals, to cause downtime or steal sensitive information. It is especially concerned about REvil — also known as Sodinokibi — a ransomware campaign that actively exploits gateway and VPN vulnerabilities to access organizations.
“During this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances,” it said in a blog post. “Unfortunately, one sector that’s particularly exposed to these attacks is healthcare. As part of intensified monitoring and takedown of threats that exploit the COVID-19 crisis, Microsoft has been putting an emphasis on protecting critical services, especially hospitals.”
Human-operated ransomware attacks target common network security misconfigurations, which tend to sit low on the list of priority repairs. Operators like those behind REvil infiltrate a network, perform reconnaissance, and adapt their privilege escalation and lateral movement to the security weaknesses and vulnerable services they uncover. They can then install ransomware or other malware payloads.
Signals in Microsoft Protection Services show that those behind the REvil ransomware are actively scanning the internet for vulnerable systems and are using updater features of VPN clients to deploy malware payloads. The pandemic gives them the opportunity to use old tactics, techniques and procedures (TTPs) to launch new attacks on organizations that have not had the time or resources to install the latest patches, update firewalls and check the health and privilege levels of users and endpoints. While it has not observed technical innovations in such attacks, Microsoft reports it has seen social engineering efforts that aim to take advantage of people’s fears and desire for information during this social climate.
“In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time,” it said. “This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints, or applications that have been compromised.”
The company recommends that all enterprises review VPN infrastructure for updates while employees work remotely, and that it is “critical” that they be aware of the current status of related security patches. To do this, it suggests the following:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Turn on AMSI for Office VBA if you have Office 365.
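The attack surface reduction and AMSI steps above can be applied and checked from an elevated PowerShell session on a Defender-managed Windows 10 endpoint. The script below is an added example, not code from Microsoft's post; it assumes the rule GUIDs listed are the ones corresponding to the named rules (verify them against Microsoft's published ASR rule reference before rollout), that the `MacroRuntimeScanScope` policy value controls AMSI scanning of Office VBA, and that ASR audit events surface as event ID 1122 in the Defender operational log.

```powershell
# Added example (not from the article). Assumptions: rule GUIDs below map to the named
# ASR rules; MacroRuntimeScanScope=2 enables AMSI runtime scanning for all Office VBA;
# event ID 1122 in the Defender operational log is the ASR audit-mode event.

# 1. Deploy the article's ASR rules in audit mode so their impact can be assessed first.
$asrRules = @{
    'Block credential stealing from LSASS'                          = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Use advanced protection against ransomware'                    = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block all Office applications from creating child processes'   = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from creating executable content'    = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting into other processes' = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Win32 API calls from Office macros'                      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
}

foreach ($name in $asrRules.Keys) {
    Write-Host "Enabling (audit): $name"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules[$name] `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Confirm what is now configured (action 2 = AuditMode, 1 = Block, 0 = Disabled).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 2. Turn on AMSI runtime scanning for Office VBA via the Office security policy key.
#    Assumed values: 1 = scan low-trust documents only, 2 = scan all documents.
$officeSec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
if (-not (Test-Path $officeSec)) { New-Item -Path $officeSec -Force | Out-Null }
Set-ItemProperty -Path $officeSec -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord

# 3. Review audit-mode hits from the last 7 days before switching rules to Block.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

Run the audit review for a week or two; a rule that produces no hits on legitimate workflows can then be switched to `Enabled` (block) with the same `Add-MpPreference` call, while one that fires on a business-critical macro is the signal to fix that workflow first.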
It also recommends that providers build on their defenses against human-operated ransomware by hardening internet-facing assets and keeping them on the latest security updates; securing remote desktop gateways with solutions like Azure Multi-Factor Authentication; practicing the principle of least privilege and maintaining credential hygiene; and using Windows Defender Firewall and hospital network firewalls to prevent RPC and SMB communication between endpoints, among other tactics.
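The last recommendation, using Windows Defender Firewall to stop endpoint-to-endpoint RPC and SMB traffic, is the one that most directly cuts off the lateral movement described earlier. The script below is an added example, not Microsoft's own configuration; it assumes workstations do not need to serve SMB or RPC to their peers, and uses a placeholder management subnet (`MGMT_SUBNET_PLACEHOLDER`) that must be replaced with the real range used by administrators and monitoring systems.

```powershell
# Added example (not from the article). Blocks inbound SMB (445, 139) and RPC endpoint
# mapper (135) on a workstation from everything except an assumed management subnet,
# so peers cannot use these services to move laterally. Assumption: workstations do not
# legitimately host file shares or RPC services for other endpoints.

$mgmtSubnet = 'MGMT_SUBNET_PLACEHOLDER'   # e.g. an admin/monitoring range, replace before use

$lateralPorts = @(
    @{ Name = 'SMB (445)';          Port = 445 },
    @{ Name = 'NetBIOS SMB (139)';  Port = 139 },
    @{ Name = 'RPC endpoint mapper (135)'; Port = 135 }
)

foreach ($p in $lateralPorts) {
    $allowName = "Allow inbound $($p.Name) from management subnet"
    $blockName = "Block inbound $($p.Name) from endpoints"

    # Remove stale copies so the script is idempotent on re-run.
    Get-NetFirewallRule -DisplayName $allowName, $blockName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Explicit allow for management traffic (allow rules win over block rules only
    # when no matching block exists, so scope the block to exclude the same range).
    New-NetFirewallRule -DisplayName $allowName -Direction Inbound -Protocol TCP `
        -LocalPort $p.Port -RemoteAddress $mgmtSubnet -Action Allow `
        -Profile Domain, Private | Out-Null

    # Block the port from every other address; peers on the same subnet are the target.
    New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Protocol TCP `
        -LocalPort $p.Port -RemoteAddress Any -Action Block `
        -Profile Domain, Private | Out-Null
}

# Show the resulting rules and their port filters for review.
Get-NetFirewallRule -DisplayName 'Block inbound *', 'Allow inbound *' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        '{0,-55} {1,-6} port={2,-4} remote={3}' -f $_.DisplayName, $_.Action,
                                                    $pf.LocalPort, $af.RemoteAddress
    }
```

Because Windows Defender Firewall evaluates block rules before allow rules, the explicit block on `Any` would also cover the management subnet; in practice the allow rule is kept so that the block's `-RemoteAddress` can later be narrowed to the workstation ranges only (or the management range excluded) once the environment's address plan is known, and deploying the rules first in a pilot group lets SMB-dependent tooling surface before the policy reaches the whole fleet.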
“We continue to work with our customers, partners, and the research community to track human-operated ransomware and other trends attackers are using to take advantage of this global crisis,” it said.