Microsoft is sending notifications to dozens of hospitals about vulnerable VPN devices and gateways exposed online in their network.

Microsoft is warning dozens of hospitals of the risks of ransomware attacks due to insecure VPN devices and gateways exposed online.

Recently Microsoft has published details about human-operated ransomware attacks that targeted organizations in various industries.

Attack Chain

Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.

In human-operated ransomware attack scenario, attackers use stolen credentials, exploit misconfiguration and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and exfiltrate data.

Microsoft pointed out that operators behind Sodinokibi ransomware are targeting vulnerabilities in VPN devices (i.e. Pulse Secure VPN devices) and gateways to compromise the target network.

Once the attackers have breached the target network, they leverage stolen credentials, attempt to dump credentials and disable security solutions, then download tools to gather intelligence and make lateral movements.

They deploy their ransomware on the largest number of internal machines as possible.

With Coronavirus outbreak, the protection of healthcare organizations has become a pillar of our society and Microsoft was committed to providing all the necessary support to mitigate the risks of cyber attacks.

The tech giant is sending notifications to hospitals about their surface of attack.

“During this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances. Unfortunately, one sector that’s particularly exposed to these attacks is healthcare.” reads the post published by Microsoft.

“As part of intensified monitoring and takedown of threats that exploit the COVID-19 crisis, Microsoft has been putting an emphasis on protecting critical services, especially hospitals. Now more than ever, hospitals need protecting from attacks that can prevent access to critical systems, cause downtime, or steal sensitive information.”

This is the first targeted notifications sent by Microsoft to the hospitals, the warnings contain precious information of threat actors and related tactics, techniques, and procedures.

“Through Microsoft’s vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure.” continues Microsoft. “To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular”

Microsoft urges hospitals and health care organizations to implement security measures to protect public-facing devices to increase their resilience to cyber attacks.

Below some mitigations recommended by the Microsoft Defender Advanced Threat Protection (ATP) Research Team to reduce risk from threats that exploit gateways and VPN vulnerabilities:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately.  In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365.

Pierluigi Paganini