Dozens Of Hospitals Alerted About Vulnerability In Their VPN Infrastructure

Friday, April 10, 2020


Post Author

Steve Longoria

While hospitals are inundated with coronavirus patients and scrambling to get remote workers set up, ransomware operators are trying to take advantage of the chaos. They have been scanning internet-facing hospital devices, such as network gateways and VPN appliances, for unpatched and misconfigured systems they can exploit.

Microsoft recently sent targeted notifications to dozens of hospitals whose gateway and VPN infrastructure it identified as exposed to known vulnerabilities. This is part of its campaign to help hospitals and other critical infrastructure monitor and combat cyber threats during this time of need.

While several ransomware groups have publicly vowed to stay away from healthcare during the pandemic, Microsoft has identified at least one group, REvil (also known as Sodinokibi), actively scanning healthcare systems for vulnerabilities.

They run what Microsoft calls human-operated ransomware attacks: intrusions driven interactively by a skilled operator rather than by malware that spreads on its own. That tradecraft is more often associated with nation-state intrusions, which makes these attacks considerably more sophisticated than run-of-the-mill, mass-mailed ransomware campaigns.

These operators have extensive knowledge of system administration and of the common security misconfigurations that rarely reach the top of the priority list for many healthcare organizations.

Microsoft explains how REvil operates in their latest blog post:

"In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time. This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints, or applications that have been compromised."

So how can you protect your gateway and VPN infrastructure?

Microsoft offered this advice for keeping gateways and VPNs from being exploited:

"We understand how stressful and challenging this time is for all of us, defenders included, so here’s what we recommend focusing on immediately to reduce risk from threats that exploit gateways and VPN vulnerabilities:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365."
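To make the second recommendation (monitor remote access logs, investigate anomalies, reset credentials on suspected compromise) concrete, here is a small Python detector run over constructed VPN gateway authentication lines. It is an added example written for this post, not Microsoft's or any appliance vendor's tooling; the syslog-style line format, the 10.20.0.0/16 trusted range, the spray threshold, the 10-minute window and the 07:00-19:00 business-hours window are all assumptions you would replace with your own environment's values.

```python
"""Spot suspicious VPN gateway logons in authentication logs.

Added example for this post: the syslog-style line format, the trusted
corporate range and the thresholds below are assumptions, not any real
appliance's schema or any vendor's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
2020-04-09T02:11:05Z vpn-gw1 auth=success user=jdoe src=10.20.0.15
2020-04-09T02:14:31Z vpn-gw1 auth=fail user=jdoe src=203.0.113.44
2020-04-09T02:14:33Z vpn-gw1 auth=fail user=rsmith src=203.0.113.44
2020-04-09T02:14:35Z vpn-gw1 auth=fail user=admin src=203.0.113.44
2020-04-09T02:14:37Z vpn-gw1 auth=fail user=svc-backup src=203.0.113.44
2020-04-09T02:14:39Z vpn-gw1 auth=fail user=mlee src=203.0.113.44
2020-04-09T02:14:41Z vpn-gw1 auth=fail user=kpatel src=203.0.113.44
2020-04-09T02:15:02Z vpn-gw1 auth=success user=rsmith src=203.0.113.44
2020-04-09T08:02:10Z vpn-gw1 auth=success user=mlee src=10.20.0.77
2020-04-09T23:40:12Z vpn-gw1 auth=success user=mlee src=198.51.100.9
"""

# Assumed internal/corporate address space; logons from elsewhere are "external".
TRUSTED_NETS = (ipaddress.ip_network("10.20.0.0/16"),)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>success|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching lines into dicts sorted by time; unknown lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["src"] = ipaddress.ip_address(e["src"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(log_text, trusted_nets=TRUSTED_NETS, spray_threshold=5,
            window=timedelta(minutes=10), business_hours=(7, 19)):
    """Return alerts for three patterns common in gateway/VPN intrusions:
    password spraying, a success right after failures from the same source,
    and an off-hours logon from outside the trusted ranges."""
    alerts = []
    failures_by_src = defaultdict(list)   # src -> [(ts, user), ...]
    sprayed = set()                       # sources already reported once
    for e in parse(log_text):
        src, ts, user = e["src"], e["ts"], e["user"]
        if e["result"] == "fail":
            failures_by_src[src].append((ts, user))
            recent_users = {u for t, u in failures_by_src[src] if ts - t <= window}
            if len(recent_users) >= spray_threshold and src not in sprayed:
                sprayed.add(src)
                alerts.append({"rule": "password_spray", "src": str(src),
                               "users": len(recent_users), "at": ts.isoformat()})
            continue
        # Successful logon: was this source failing against accounts just before?
        recent_fails = [t for t, _ in failures_by_src[src] if ts - t <= window]
        if recent_fails:
            alerts.append({"rule": "success_after_failures", "user": user,
                           "src": str(src), "failures": len(recent_fails),
                           "at": ts.isoformat()})
        external = not any(src in net for net in trusted_nets)
        off_hours = not (business_hours[0] <= ts.hour < business_hours[1])
        if external and off_hours:
            alerts.append({"rule": "off_hours_external_logon", "user": user,
                           "src": str(src), "at": ts.isoformat()})
    return alerts


def accounts_to_reset(alerts):
    """Accounts that logged on under a suspicious pattern; per Microsoft's
    advice these get a password reset once compromise is confirmed."""
    return sorted({a["user"] for a in alerts if "user" in a})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(a)
    print("reset candidates:", accounts_to_reset(found))
```

On the sample above the detector raises a password-spray alert for 203.0.113.44 once it has failed against five accounts, flags the rsmith logon that succeeds from that same address a few seconds later, and flags the late-night external logon for mlee. The rsmith hit is the one that matters most: a success from a source that was just spraying is the textbook sign of a credential that has already been guessed or exfiltrated, and it is exactly the case where Microsoft's advice to reset the account applies.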

If you're not sure how to properly monitor your remote access infrastructure, or you're unclear on any of the advice above, don't hesitate to reach out. We're always here to help!