Microsoft is Alerting Hospitals Vulnerable to VPN Attacks
Microsoft has started to send targeted notifications to dozens of hospitals that have been detected as being vulnerable to a known gateway and VPN appliance exploits.
Microsoft has been tracking various groups behind human-operated ransomware attacks and has seen one of the operations known as REvil (Sodinokibi) targeting vulnerabilities in VPN devices and gateway appliances to breach a network.
Pulse VPN devices have been known to be targeted by threat actors, with these vulnerabilities thought to be behind the Travelex ransomware attack by REvil.
Other attackers such as DoppelPaymer and Ragnarok Ransomware were also seen in the past utilizing the Citrix ADC (NetScaler) CVE-2019-1978 vulnerability to compromise a network.
Once REvil, and other ransomware actors, breach a network with these vulnerabilities they will spread laterally throughout the network while obtaining administrative credentials. Ultimately, they deploy the REvil ransomware to encrypt all of the data on the network.
With health care organizations such as hospitals being overwhelmed during the Coronavirus pandemic, Microsoft wants to help these organizations stay ahead of the actors by sending targeted notifications about vulnerable devices on their network.
"Through Microsoftâs vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure. To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular exploits and others like it," Microsoft stated today in a new blog post.
By sending these targeted alerts to hospitals, health care organizations can proactively install security updates on public-facing devices to prevent threat actors from taking advantage of them.
To protect against ransomware operations such as REvil, the Microsoft Defender Advanced Threat Protection (ATP) Research Team recommends implementing the following mitigation measures against human-operated ransomware attacks:
⢠Harden internet-facing assets:
- Apply latest security updates
- Use threat and vulnerability management
- Perform regular audit remove privileged credentials
⢠Thoroughly investigate and remediate alerts:
- Prioritize and treat commodity malware infections as potential full compromiseÂ
⢠Include IT Pros in security discussions:
- Ensure collaboration among SecOps, SecAdmins, and IT admins to configure servers and other endpoints securelyÂ
⢠Build credential hygiene:
- Use MFA or NLA, and use strong, randomized, just-in-time local admin passwords
- Apply principle of least-privilege
⢠Monitor for adversarial activities:
- Hunt for brute force attempts
- Monitor for cleanup of Event logs
- Analyze logon eventsÂ
⢠Harden infrastructure:
- Use Windows Defender Firewall
- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and AMSI for Office VBAÂ
Gloss