The COVID-19 outbreak is driving many employees to work from home, and human-operated ransomware gangs are targeting the systems deployed to support those employees. Although several ransomware gangs have said they will stop attacking healthcare providers while the COVID-19 public health emergency is in effect, not every gang has made that commitment.
A number of cybercrime gangs are taking advantage of the COVID-19 outbreak and have adjusted their tactics, techniques, and procedures (TTPs) to the pandemic. Cybercriminals are using social engineering that plays on fears about COVID-19 to obtain credentials that give them access to healthcare networks.
A ransomware attack on a hospital is always highly disruptive, but while hospitals are responding to the pandemic it could seriously hinder the treatment of COVID-19 patients. Microsoft is therefore helping to secure critical services throughout the COVID-19 crisis and has issued guidance to healthcare providers on defending against human-operated ransomware attacks.
Microsoft is monitoring the ransomware gangs' activity. Based on information gathered from its broad network of threat intelligence sources, certain human-operated ransomware gangs are exploiting vulnerabilities in gateway devices and virtual private network (VPN) appliances that allow remote employees to sign in to their networks.
REvil (Sodinokibi), one of the most prominent human-operated ransomware gangs, has been exploiting vulnerabilities in gateways and VPN appliances for some time. After exploiting those vulnerabilities to steal credentials and escalate privileges, the attackers compromise many devices before deploying ransomware or other malware payloads.
Microsoft states that the attackers are highly skilled, have substantial expertise in systems administration, and know how to exploit common network security misconfigurations. The threat actors adapt their strategy to the defensive weaknesses and vulnerable services they find while exploring healthcare networks, and they frequently deploy the ransomware only after several weeks or months inside a network.
Microsoft's report describes how the REvil gang scans the internet for vulnerable systems, exploiting the expanded use of VPNs and gateways that support remote employees during the COVID-19 outbreak. Because the exploited vulnerabilities are typically treated as low priority, they remain unpatched for a long time.
Microsoft identified a number of hospitals with vulnerable gateways and VPN devices in their infrastructure. The vulnerabilities found are similar to those the REvil gang has exploited. Microsoft has notified the hospitals and strongly advised them to apply the updates immediately to prevent exploitation.
Microsoft notes that running VPN and virtual private server (VPS) infrastructure requires an understanding of the current state of the related security patches. Every organization with VPN or VPS infrastructure should perform a comprehensive review, identify the available updates, and apply them immediately.
For many months, nation-state actors and cybercriminals have been targeting unpatched VPN systems. Some attacks target remote workers directly, often using the update services of VPN clients to deliver malware payloads.
Microsoft issued the following recommendations for healthcare organizations:
- Apply all available security updates for VPN and firewall configurations
- Monitor remote access infrastructure and investigate anomalies immediately
- Reset passwords as soon as a compromise is identified
- Turn on attack surface reduction rules to block credential theft and ransomware activity
- Block macros, executable content, process creation, and process injection initiated by Office applications
- Enable AMSI for Office VBA if you use Office 365
- Harden internet-facing assets and keep them on the latest security updates
- Secure Remote Desktop Gateway and use multi-factor authentication (MFA), or enable network-level authentication (NLA)
- Apply the principle of least privilege
- Maintain good credential hygiene
- Monitor for brute-force attacks and investigate excessive failed authentication attempts
- Monitor for clearing of event logs, particularly the PowerShell Operational log and the Security event log
- Determine where highly privileged accounts are signing in and exposing credentials
- Use Windows Defender Firewall together with your network firewall to block RPC and SMB communication between endpoints
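The endpoint-side items in that list can be applied and checked from PowerShell. The script below is an added example, not code from Microsoft's advisory: it enables a set of attack surface reduction rules (the rule GUIDs are Microsoft's published identifiers; confirm them against the current ASR documentation before deploying), forces NLA for RDP, blocks inbound SMB and RPC on a workstation with Windows Defender Firewall, and then defines three detection queries for log clearing, brute-force logons, and privileged logons. It assumes a Windows 10 or Server 2019 endpoint running Microsoft Defender Antivirus, an elevated session, and that the host is a workstation rather than a file server or domain controller (where blocking inbound SMB would break legitimate traffic). The `$Hours` and `$Threshold` parameters are illustrative defaults.

```powershell
#Requires -RunAsAdministrator
# Added example: hardening and detection steps for a Windows workstation.
# Not Microsoft's code; see the lead-in for the assumptions it makes.

# --- 1. Attack surface reduction rules (credential theft, ransomware, Office abuse) ---
# GUIDs are Microsoft's published ASR rule IDs; verify against current documentation.
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
}
foreach ($id in $asrRules.Keys) {
    # Use AuditMode instead of Enabled for a pilot phase to see what would be blocked.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR enabled: $($asrRules[$id])"
}

# --- 2. Require network-level authentication for RDP ---
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# --- 3. Block inbound SMB/RPC between endpoints (workstations only) ---
foreach ($port in 135, 139, 445) {
    New-NetFirewallRule -DisplayName "Block inbound TCP $port (workstation lateral movement)" `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Block -Profile Any | Out-Null
}

# --- 4. Detection queries ---
# Helper: pull a named field out of an event's EventData XML.
function Get-EventField {
    param($Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object Name -eq $Name).'#text'
}

# Event log clearing: 1102 = Security log cleared; 104 in the System log covers
# every other log, including Microsoft-Windows-PowerShell/Operational.
function Get-LogClearingEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $sec = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue
    @($sec) + @($sys) | Where-Object { $_ } | Select-Object TimeCreated, LogName, Id, Message
}

# Brute force: group failed logons (4625) by source address and flag sources
# that exceed a threshold, listing the accounts they tried.
function Get-BruteForceSources {
    param([int]$Hours = 24, [int]$Threshold = 20)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Source = Get-EventField $_ 'IpAddress'
                Target = Get-EventField $_ 'TargetUserName'
            }
        } |
        Group-Object Source |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object @{n='Source';e={$_.Name}}, Count,
                      @{n='Accounts';e={($_.Group.Target | Sort-Object -Unique) -join ','}}
}

# Privileged logons: 4672 is logged when a logon is granted special privileges,
# which shows where admin-level accounts are authenticating (and leaving credentials).
function Get-PrivilegedLogons {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Account = Get-EventField $_ 'SubjectUserName' }
        } |
        Where-Object Account -notmatch '\$$'   # drop machine accounts
}

Get-LogClearingEvents | Format-Table -AutoSize
Get-BruteForceSources | Format-Table -AutoSize
Get-PrivilegedLogons  | Format-Table -AutoSize
```

Run the ASR section with `AuditMode` first and review the Defender operational log before switching to `Enabled`, since the Office rules can break legitimate macro-driven workflows. The detection functions only see the local host's logs; in a real deployment the same queries belong in the SIEM that collects Security and System logs from every endpoint, so that log clearing on one machine is visible even after the attacker has wiped it locally.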
Organizations that are unsure how best to secure their VPN and VPS infrastructure can consult the National Institute of Standards and Technology (NIST) and the DHS Cybersecurity and Infrastructure Security Agency (CISA), both of which have published guidance on securing VPN/VPS infrastructure.