Microsoft Warns Hospitals: Fix VPNs or Risk Ransomware

Dozens of hospitals have been admonished to immediately patch weaknesses in their VPN infrastructure after Microsoft found evidence that a ransomware crew was probing for those weaknesses in order to exploit them.

REDMOND, Wash. — Microsoft has identified dozens of hospitals that have vulnerable gateway and virtual private network (VPN) appliances in their infrastructure that make them susceptible to more sophisticated human-operated ransomware attacks during the coronavirus crisis.

“To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others,” the company said in a blog post.

Microsoft said it has observed several nation-state and cybercrime actors targeting unpatched VPN systems for many months. Although some ransomware attackers have vowed to spare the healthcare industry during the coronavirus outbreak, Microsoft says the individuals behind the REvil ransomware are scanning the internet for vulnerable systems.

Ransomware attackers have been zeroing in on VPN servers from Citrix, Fortinet, Palo Alto Networks and Pulse Secure used in hospital settings, ZDNet reported.

These attackers are relying mostly on social engineering tactics, preying on people’s fears and need for information during the COVID-19 crisis, Microsoft says.

Ransomware attacks have increased in quantity and severity over the past several years. Usually, they shut down the victim’s computer until the victim pays a ransom in digital currency.

“Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network,” Microsoft said.

“In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time. This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints or applications that have been compromised.”

Microsoft recommends all enterprises do the following:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365.
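As an added example (this is not code from the article or from Microsoft's blog post), the following PowerShell carries out the third and fourth recommendations on a single Windows host: it enables the attack surface reduction rules the article describes in audit mode, pulls the audit events that show what those rules would have blocked, and sets the Office macro runtime scan policy that backs AMSI for VBA. It assumes Microsoft Defender Antivirus and an elevated shell; the rule GUIDs are Microsoft's published identifiers for the rules named in the comments, while the seven-day review window and the use of the per-user policy registry key are this example's own choices (the value mirrors the "Macro Runtime Scan Scope" Group Policy setting, so in a domain you would set it there instead).

```powershell
# Added example (not from the article or Microsoft's blog post): deploy ASR rules
# in audit mode, review the audit hits, then turn on runtime AMSI scanning of
# Office VBA. Run in an elevated PowerShell on a host with Microsoft Defender
# Antivirus. Rule GUIDs are Microsoft's published ASR identifiers; confirm them
# against the current ASR rule reference before rolling this out fleet-wide.

$AsrRules = [ordered]@{
    # Credential theft
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    # Ransomware activity
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    # Weaponized Office documents: macros, executable content, process creation, injection
    '92E97FA1-5D3E-4DDB-B6A3-E2A9B9D5E4B2' = 'Block Win32 API calls from Office macros'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office apps from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting code into other processes'
}

# Step 1: deploy every rule in audit mode. Add-MpPreference merges with rules
# already configured, so rules set elsewhere keep their current action.
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: print the resulting configuration (action 0 = Disabled, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    '{0}  action={1}  {2}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $AsrRules[$id]
}

# Step 3: assess impact. In audit mode Defender records each rule match as event
# ID 1122 (1121 is the block-mode counterpart) in its Operational log. Hits over a
# representative period (7 days here, an arbitrary choice) show what the rule
# would have blocked and where exclusions are needed before switching to block.
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $hits) {
    'No ASR audit events in the last 7 days.'
} else {
    $hits | Select-Object TimeCreated, Message | Format-List
}

# Step 4 (only after the audit data has been reviewed): promote a rule to block.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled

# AMSI for Office VBA: the "Macro Runtime Scan Scope" policy for Office 2016/365
# (16.0). 1 (the default) scans macros only in low-trust documents; 2 scans the
# macros of every document at runtime. Per-user policy key used here as an example.
$key = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name MacroRuntimeScanScope -Value 2 -Type DWord
```

Audit mode first is what the article's "assess the impact of these rules" amounts to in practice: a rule such as "block Office apps from creating child processes" will fire on legitimate add-ins and document workflows in some environments, and the 1122 events identify those cases so exclusions can be added before the action is changed to Enabled.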

It also provided mitigation steps for making networks resistant to ransomware and cyberattacks in general.
