The COVID-19 pandemic is forcing many employees to work from home and the infrastructure used to support those workers is being targeted by human-operated ransomware gangs. While several ransomware operators have stated they will not attack healthcare organizations during the COVID-19 public health emergency, not all cybercrime gangs are taking it easy on the healthcare sector and attacks are continuing.
Several cybercrime groups are using the COVID-19 pandemic to their advantage. Their tactics, techniques and procedures (TTPs) have changed in response to the pandemic: they now use social engineering lures that prey on fears about COVID-19 and the demand for information to obtain credentials and gain a foothold in healthcare networks.
Ransomware attacks on hospitals can cause massive disruption at the best of times. Ransomware attacks that occur while hospitals are trying to respond to the pandemic will severely hamper their efforts to treat COVID-19 patients. Microsoft has committed to helping protect critical services during the COVID-19 crisis and has recently offered advice to healthcare organizations to help them defend against human-operated ransomware attacks.
Microsoft has been tracking the activity of ransomware gangs, and information obtained from its extensive network of threat intelligence sources shows that some human-operated ransomware gangs are exploiting vulnerabilities in the gateway devices and virtual private network (VPN) appliances that allow remote workers to log in to their networks.
One of the most prolific human-operated ransomware gangs, REvil (Sodinokibi), has been exploiting vulnerabilities in gateways and VPN appliances for some time. Vulnerabilities are exploited to steal credentials, privileges are then escalated, and the attackers move laterally to compromise as many devices as possible before deploying ransomware and other malware payloads.
Microsoft says these attackers are highly skilled, have extensive knowledge of systems administration, and are aware of the common network security misconfigurations that can be exploited. The threat actors adapt their techniques based on the security weaknesses and vulnerable services they discover during reconnaissance of healthcare networks and often spend several weeks or months in networks before ransomware is deployed.
Microsoft reports that the REvil gang has been scanning the internet to identify vulnerable systems and is taking advantage of the increased use of VPNs and gateways to support remote workers during the COVID-19 pandemic. The vulnerabilities being exploited are often fairly low on the list of priorities to fix and therefore remain unaddressed for relatively long periods.
During the course of its investigations and through its threat intelligence sources, Microsoft identified several hospitals that have vulnerable gateways and VPN appliances within their infrastructure. The vulnerabilities identified are exactly the same as those exploited by the REvil gang. Microsoft has notified those hospitals directly to advise them about the flaws and has strongly recommended they perform immediate updates to prevent exploitation of the vulnerabilities.
Microsoft explained that managing VPN and virtual private server (VPS) infrastructure requires knowledge of the current status of related security patches. The company has recommended that all organizations with VPN and VPS infrastructure conduct a thorough review, identify any available updates, and apply them as soon as possible.
For several months, nation-state and cybercrime actors have been targeting unpatched VPN systems and are tailoring exploits to take advantage of remote workers, often leveraging the updater services used by VPN clients to deploy malware payloads.
Microsoft has recommended that healthcare organizations:
- Apply all available security updates for VPN and firewall configurations.
- Monitor remote access infrastructure and investigate anomalies immediately.
- Perform a password reset if a compromise is identified.
- Turn on attack surface reduction rules to block credential theft and ransomware activity.
- Block macros, executable content, process creation, and process injection initiated by Office applications.
- Turn on AMSI for Office VBA if you have Office 365.
- Harden internet-facing assets and apply the latest security updates.
- Secure Remote Desktop Gateway and use multi-factor authentication (MFA) or enable network-level authentication (NLA).
- Practice the principle of least privilege.
- Maintain good credential hygiene.
- Monitor for brute-force attacks and investigate excessive failed authentication attempts.
- Monitor for clearing of event logs, especially the Security event log and PowerShell Operational logs.
- Determine where highly privileged accounts are logging on and exposing credentials.
- Use the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints.
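A defender-side sketch of two of the monitoring items above (bursts of failed logons and clearing of event logs), added here as an example and not taken from Microsoft's guidance. It runs over constructed sample records rather than real Windows logs; the simplified field names (`time`, `log`, `id`, `ip`, `user`, `channel`) are assumptions standing in for the fields a SIEM or a `Get-WinEvent` export would carry.

```python
"""Detection sketch: failed-logon bursts and event-log clearing.

Windows event IDs used (Security log unless noted):
  4625 = an account failed to log on
  1102 = the Security audit log was cleared
  104  = a log was cleared (System log; e.g. PowerShell/Operational)
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
LOG_CLEARED = {1102, 104}

# Constructed sample events (not from the article). One source address
# produces 12 failed logons 15 seconds apart, another produces a single one,
# and one account clears the Security log and then the PowerShell log.
_BASE = datetime(2020, 4, 1, 2, 0, 0)
SAMPLE_EVENTS = [
    {"time": (_BASE + timedelta(seconds=15 * i)).isoformat(), "log": "Security",
     "id": 4625, "ip": "203.0.113.5", "user": "administrator"} for i in range(12)
] + [
    {"time": "2020-04-01T02:30:00", "log": "Security", "id": 4625,
     "ip": "198.51.100.7", "user": "jdoe"},
    {"time": "2020-04-01T03:10:00", "log": "Security", "id": 1102,
     "ip": "10.0.0.12", "user": "svc-backup"},
    {"time": "2020-04-01T03:11:00", "log": "System", "id": 104, "ip": "10.0.0.12",
     "user": "svc-backup", "channel": "Microsoft-Windows-PowerShell/Operational"},
]


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: peak count} for sources with >= threshold failed
    logons inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            by_ip[e["ip"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_log_clearing(events):
    """Return (time, cleared log name, user) for every log-cleared event."""
    return [(e["time"], e.get("channel", e["log"]), e["user"])
            for e in events if e["id"] in LOG_CLEARED]
```

Both functions return plain data so they can feed an alerting pipeline; the thresholds are starting points to tune against your own baseline of failed logons.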
Organizations unsure about how best to secure their VPNs and VPS infrastructure can obtain further information from the National Institute of Standards and Technology (NIST) and the DHS Cybersecurity and Infrastructure Security Agency (CISA), both of which have recently published guidance on how to secure VPN/VPS infrastructure.