Microsoft Warns Hospitals of Sophisticated Ransomware Attacks Targeting Remote Workforce

Source: Fierce Healthcare | Published on April 3, 2020


Microsoft is warning hospitals that sophisticated ransomware attacks are trying to exploit remote workers to gain access to their networks.

As healthcare organizations move their nonessential employees to work remotely during the COVID-19 pandemic, ransomware operators are trying to find vulnerabilities in network devices like gateway and virtual private network (VPN) appliances.

Through Microsoft’s network of threat intelligence sources, the tech giant identified several dozen hospitals with vulnerable gateway and VPN appliances in their infrastructure, Microsoft’s Threat Protection Intelligence Team wrote in a blog post Wednesday.

The company sent targeted notifications to these hospitals with information about the vulnerabilities, how attackers can take advantage of them and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others.

Microsoft’s warning also comes as videoconferencing platform Zoom tries to address privacy and security problems. Federal and state lawmakers are pressing the company for more answers about its data privacy and security practices amid reports that internet trolls have exploited a Zoom screen-sharing feature to hijack meetings, or what’s called “Zoombombing.”

While cyberattackers have been known to exploit vulnerabilities in network devices, more and more human-operated ransomware campaigns are seeing the opportunity and are jumping on the bandwagon, Microsoft said.

Human-operated ransomware campaigns are a cut above “run-of-the-mill” commodity ransomware campaigns and pose a significant and growing threat to businesses. These hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors, Microsoft said in a recent blog post.

A ransomware campaign called REvil (also known as Sodinokibi) actively exploits gateway and VPN vulnerabilities to gain a foothold in target organizations. Once attackers breach the network, they steal credentials, elevate their privileges and move laterally across the compromised network to establish persistence before deploying ransomware or other malware payloads, according to Microsoft.

Cybercriminals behind these attacks exhibit “extensive knowledge of systems administration and common network security misconfiguration.”

“They employ human-operated attack methods to target organizations that are most vulnerable to disruption—orgs that haven’t had time or resources to double-check their security hygiene like installing the latest patches, updating firewalls, and checking the health and privilege levels of users and endpoints—therefore increasing probability of payoff,” the Microsoft team wrote.

These attacks also typically persist on networks undetected, sometimes for months on end. This makes the ransomware more difficult to remediate, because it can be challenging for security teams to extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints or applications that have been compromised.

To immediately reduce the risk of a ransomware attack, Microsoft recommends hospitals take the following actions:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if the organization uses Office 365.
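The steps above can be applied together from an elevated PowerShell session on a Windows endpoint running Microsoft Defender Antivirus. The script below is an added example, not code from the Fierce Healthcare article or from Microsoft's blog post: it turns on the attack surface reduction rules the guidance names (Office child processes, executable content and process injection from Office, LSASS credential theft, and the ransomware protection rule) in audit mode, sets the Office policy value that enables AMSI scanning of VBA macros, and then pulls the ASR audit events so the impact can be reviewed before any rule is switched to block. The rule GUIDs, the `MacroRuntimeScanScope` registry value and the Defender event IDs are quoted from Microsoft's documentation as recalled here and should be confirmed against the current ASR rule reference before deploying at scale.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article or Microsoft's post).
# Deploys the recommended ASR rules in audit mode, enables AMSI for Office VBA,
# and lists the audit events produced, so each rule can be promoted to Block
# only after its impact on legitimate workflows has been assessed.

# ASR rule GUIDs as documented by Microsoft (verify against the ASR rule reference).
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Step 1: enable every rule in AuditMode. Events are logged, nothing is blocked yet.
# Add-MpPreference expects parallel arrays of IDs and actions of equal length.
$ids     = @($AsrRules.Keys)
$actions = @('AuditMode') * $ids.Count
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Step 2: enable AMSI scanning of Office VBA macros via the Office 2016/365 policy key.
# MacroRuntimeScanScope: 0 = off, 1 = low-trust documents only, 2 = all documents.
$officePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $officePolicy -Force | Out-Null
Set-ItemProperty -Path $officePolicy -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord

# Step 3: confirm the effective rule state as Defender reports it.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $name = if ($AsrRules.Contains($id)) { $AsrRules[$id] } else { '(rule not in this list)' }
    [pscustomobject]@{
        RuleId = $id
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]   # 0 Disabled, 1 Block, 2 Audit, 6 Warn
        Name   = $name
    }
} | Format-Table -AutoSize

# Step 4: review what the rules would have blocked.
# Defender operational log: event 1122 = ASR rule hit in audit mode, 1121 = ASR block.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 }
$audits = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue
if (-not $audits) {
    Write-Host 'No ASR audit events yet; leave the rules in audit mode and re-run after the review period.'
} else {
    # Group hits by rule so a rule with many legitimate hits is obvious before it is set to Block.
    $audits |
        ForEach-Object {
            $ruleId = if ($_.Message -match '(?i)ID:\s*([0-9A-F-]{36})') { $Matches[1].ToUpper() } else { 'unknown' }
            [pscustomobject]@{ Time = $_.TimeCreated; RuleId = $ruleId; Detail = ($_.Message -split "`n")[0] }
        } |
        Group-Object RuleId |
        Sort-Object Count -Descending |
        ForEach-Object { "{0,5} hits  {1}  {2}" -f $_.Count, $_.Name, $AsrRules[$_.Name] }
}
```

Once the audit period shows no hits from legitimate line-of-business workflows for a given rule, re-run `Add-MpPreference` for that rule ID with `-AttackSurfaceReductionRules_Actions Enabled` to move it to block mode; rules that do produce legitimate hits should get an exclusion or stay in audit rather than be left off entirely. The same 1121/1122 events are what the monitoring step in the list refers to and belong in whatever log pipeline the remote-access logs already feed.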

Healthcare organizations should review guidance on securing VPN/virtual private server infrastructure from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Department of Commerce’s National Institute of Standards and Technology.

Microsoft also published a report on mitigation strategies that organizations can adopt to help make networks resistant against these ransomware threats and cyberattacks in general.