Microsoft is sending alerts to dozens of hospitals about vulnerabilities in their virtual private network (VPN) appliances after finding that a ransomware group is targeting them.
Microsoft, as part of tracking several groups behind human-operated ransomware attacks, has found that one of those operations, known as REvil (Sodinokibi), is exploiting vulnerabilities in VPN devices and gateway appliances to breach networks.
Unpatched Pulse Secure VPN devices are believed to have been the entry point used by the REvil threat actors behind the Travelex ransomware attack.
Earlier, the operators of the DoppelPaymer and Ragnarok ransomware families were also found exploiting the Citrix ADC (NetScaler) vulnerability CVE-2019-19781 to compromise networks.
Once ransomware attackers breach a network through one of these vulnerabilities, they move laterally across it while harvesting administrative credentials. Finally, they deploy their ransomware to encrypt data across the network.
During the Coronavirus pandemic, healthcare organizations are flooded with patients, and Microsoft wants to help them stay ahead of these threats by sending targeted notifications about vulnerable devices on their networks.
According to a blog post by Microsoft, with the help of its vast network of threat intelligence sources, it has identified several hospitals with vulnerable gateway and VPN appliances in their infrastructure. Microsoft sends these hospitals notifications with important information about the vulnerabilities, how attackers can take advantage of them, and its recommendation to apply security updates to protect against exploitation.
On receiving the notifications, the hospitals can install security updates on public-facing devices to prevent threat actors from taking advantage of them.
In order to protect against ransomware operations such as REvil, the Microsoft Defender Advanced Threat Protection (ATP) Research Team recommends implementing the following mitigation measures against human-operated ransomware attacks:
Harden internet-facing assets:
- Apply latest security updates
- Use threat and vulnerability management
- Perform regular audits and remove privileged credentials
Investigate and remediate alerts: Prioritize and treat commodity malware infections as potential full compromise
Include IT Pros in security discussions: Ensure collaboration among SecOps, SecAdmins, and IT admins to configure servers and other endpoints securely
Build credential hygiene:
- Use strong, randomized, just-in-time local admin passwords
- Apply principle of least-privilege
Monitor for adversarial activities:
- Check for brute force attempts
- Monitor for cleanup of Event logs
- Analyze logon events
- Use Windows Defender Firewall
- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and AMSI for Office VBA
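As an added example (not code from the original article or from Microsoft), the following Python script shows what three of the monitoring items above look like as concrete detection logic: brute-force attempts (repeated failed logons, event ID 4625, from one source inside a short window), a successful logon (4624) from a source that had just been failing repeatedly, and clearing of the Security log (event ID 1102). The input is a constructed, flattened export of Windows Security events; the field layout, thresholds and window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, flattened to one
# event per line as: timestamp|EventID|TargetUserName|IpAddress|LogonType
# (4625 = failed logon, 4624 = successful logon, 1102 = audit log cleared).
SAMPLE_EVENTS = """\
2020-04-01T02:00:01|4625|administrator|203.0.113.7|3
2020-04-01T02:00:02|4625|administrator|203.0.113.7|3
2020-04-01T02:00:03|4625|administrator|203.0.113.7|3
2020-04-01T02:00:04|4625|administrator|203.0.113.7|3
2020-04-01T02:00:05|4625|administrator|203.0.113.7|3
2020-04-01T02:00:06|4625|administrator|203.0.113.7|3
2020-04-01T02:00:10|4624|administrator|203.0.113.7|3
2020-04-01T02:03:17|4625|jsmith|198.51.100.4|2
2020-04-01T02:03:25|4624|jsmith|198.51.100.4|2
2020-04-01T02:15:00|1102|administrator|-|-
"""

FAILED_LOGON, SUCCESS_LOGON, LOG_CLEARED = 4625, 4624, 1102


def parse_events(text):
    """Parse the flattened export into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(event_id),
            "user": user,
            "ip": ip,
            "logon_type": logon_type,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logons inside a sliding window.

    Returns {ip: peak number of failures seen in any one window} for every
    offending source. Thresholds are assumptions; tune them to the estate.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    hits = {}
    for ev in events:
        if ev["id"] != FAILED_LOGON:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits[ev["ip"]] = max(hits.get(ev["ip"], 0), len(q))
    return hits


def detect_success_after_failures(events, threshold=5, window=timedelta(minutes=5)):
    """A successful logon from a source that just failed repeatedly is the
    classic sign that a brute-force attempt worked; escalate, don't just log."""
    failures = defaultdict(deque)
    findings = []
    for ev in events:
        q = failures[ev["ip"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if ev["id"] == FAILED_LOGON:
            q.append(ev["time"])
        elif ev["id"] == SUCCESS_LOGON and len(q) >= threshold:
            findings.append((ev["ip"], ev["user"], ev["time"].isoformat()))
            q.clear()
    return findings


def detect_log_cleared(events):
    """Event 1102 means someone cleared the Security log: treat it as an
    attacker covering tracks unless a change record explains it."""
    return [(ev["time"].isoformat(), ev["user"]) for ev in events if ev["id"] == LOG_CLEARED]


def analyze(text):
    """Run all three detections over one export and return the findings."""
    events = parse_events(text)
    return {
        "brute_force": detect_brute_force(events),
        "success_after_failures": detect_success_after_failures(events),
        "log_cleared": detect_log_cleared(events),
    }


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

On the sample, the single failed logon from 198.51.100.4 (a mistyped password) stays below the threshold, while 203.0.113.7 is flagged twice: six failures in a few seconds and then a success, which is exactly the sequence worth paging on. In production the same logic would read 4624/4625/1102 from the Security channel or a SIEM rather than a text export.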