Microsoft has told “several dozen hospitals” to immediately patch weaknesses in their virtual private network (VPN) infrastructure after finding evidence that a ransomware crew was probing for weaknesses to exploit.
The VPN threats targeting hospitals are particularly ominous as the coronavirus (Covid-19) rampages across the globe. While some ransomware groups have pledged not to hit hospitals, others armed with Ryuk malware have refused to back off, in yet another stark example of why managed security service providers (MSSPs) must not let their guard down.
Ransomware attackers have been zeroing in on VPN servers from Citrix, Fortinet, Palo Alto Networks and Pulse Secure used in hospital settings, ZDNet reported. A "targeted notification" of this magnitude is Microsoft's "first of its kind," the vendor's Threat Protection Intelligence Team wrote in a new blog post. Hackers have been using the REvil (also known as Sodinokibi) ransomware to “actively exploit gateway and VPN vulnerabilities” in targeted organizations, Microsoft said. "Now more than ever, hospitals need protecting from attacks that can prevent access to critical systems, cause downtime, or steal sensitive information," the post cautioned.
Microsoft Statement on VPN Security
Healthcare organizations straining under the Covid-19 load that haven’t had the time or resources to install security patches, update firewalls, and check the health and privilege levels of users and endpoints are more likely to meet ransom demands, the hackers figure. “Our intel on ransomware campaigns shows an overlap between the malware infrastructure that REvil was observed using last year and the infrastructure used on more recent VPN attacks," Microsoft said.
Bad actors are repurposing old tactics, techniques and procedures (TTPs) and social engineering rather than deploying technical innovations in new attacks to capitalize on the Covid-19 crisis, using “human-operated attack methods to target organizations that are most vulnerable to disruption,” Microsoft said. The crews behind this type of attack are not your garden-variety data kidnappers. They typically command extensive knowledge of systems administration and of common network security misconfigurations, which lets them move from a compromised VPN appliance into the wider network before deploying the ransomware payload.
Ransomware hackers have identified healthcare organizations as “big game” targets, hijacking critical business systems to extort millions, previous reports said. Earlier this year, cybercriminals used REvil to target unpatched Pulse Secure VPN servers and disable antivirus software. The ransomware has previously been used to attack managed service providers (MSPs) and Texas local governments, and to encrypt the data of hundreds of dental offices.
Two weeks ago, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned all organizations to patch VPN services.
Microsoft VPN Security Guidance
To reduce the risk from threats that exploit gateways and VPN vulnerabilities, Microsoft “strongly recommends” that hospitals and other organizations immediately take these four measures:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
- Turn on attack surface reduction (ASR) rules, including the rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use the rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules before enforcing them, deploy them in audit mode first and review the audit events they generate.
- Turn on AMSI for Office VBA if you have Office 365, so that macro code is scanned at runtime by the installed antimalware engine.
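The following PowerShell script is an added example showing how the last two measures (ASR rules in audit mode, followed by review of audit events, and the Office VBA runtime scan setting) can be staged on a Microsoft Defender Antivirus host; it is not code from Microsoft's post or from the article. The rule GUIDs are Microsoft's published ASR rule identifiers; the function names, the `$AsrRules` table and the `MacroRuntimeScanScope` registry path are this example's own assumptions and should be verified against current Microsoft documentation before use in production.

```powershell
# Added example (not Microsoft's or the article's own code).
# Stages the ASR rules named in the guidance in audit mode, lists the audit events
# they produce, and turns on runtime macro scanning (AMSI for Office VBA).
# Run elevated on a Windows 10 / Windows Server host with Microsoft Defender Antivirus.

# ASR rule names mapped to Microsoft's published rule GUIDs.
$AsrRules = @{
    'Block credential stealing from LSASS'                       = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Use advanced protection against ransomware'                 = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block Win32 API calls from Office macros'                   = '92e97fa1-5d21-4a5f-b2a9-bd6d8d8f5ab0'
    'Block Office apps from creating executable content'         = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block all Office apps from creating child processes'        = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office apps from injecting code into other processes' = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
}

function Set-AsrRuleMode {
    # Hypothetical helper: applies every rule in $AsrRules with the given action.
    # Start with AuditMode; switch to Enabled once the audit events look clean.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($rule in $AsrRules.GetEnumerator()) {
        # Add-MpPreference appends to the existing rule list rather than replacing it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-10} {1}" -f $Mode, $rule.Key)
    }
    # Show the resulting state so the change can be confirmed.
    Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
}

function Get-AsrEvents {
    # Hypothetical helper: pulls ASR events from the Defender operational log.
    # Event ID 1122 = rule would have fired (audit); 1121 = rule blocked the action.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The rule GUID is embedded in the event message; match it rather than
        # relying on a property index, which varies between Defender versions.
        $guid = [regex]::Match($_.Message, '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}').Value
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Action = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            Rule   = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $guid }).Key
            Detail = $_.Message
        }
    }
}

function Enable-OfficeMacroRuntimeScan {
    # Assumed policy location (verify against your Office version's documentation):
    # MacroRuntimeScanScope  0 = off, 1 = low-trust documents only, 2 = all documents.
    $key = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'MacroRuntimeScanScope' -PropertyType DWord -Value 2 -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'MacroRuntimeScanScope'
}

# Usage: stage in audit mode, review what would have been blocked, then enforce.
Set-AsrRuleMode -Mode AuditMode
Get-AsrEvents -Days 7 | Group-Object Rule, Action | Sort-Object Count -Descending | Format-Table Count, Name
Enable-OfficeMacroRuntimeScan
# After the audit period, if no legitimate workflow appears in the 1122 events:
# Set-AsrRuleMode -Mode Enabled
```

The audit-first step matters in a hospital: clinical or billing applications that launch helpers from Office, or legacy macros that call Win32 APIs, will show up as event 1122 entries during the audit period, and those exceptions can be scoped before the rules are switched to `Enabled` and start blocking.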
Early last month, Microsoft published a report and provided mitigation steps for making networks resistant against threats and cyberattacks in general.