The increased enterprise VPN use due to the COVID-19 pandemic and the work-from-home (WFH) shift has not gone unnoticed by ransomware gangs, Microsoft warns.
“We’re seeing from signals in Microsoft Threat Protection services (Microsoft Defender ATP, Office 365 ATP, and Azure ATP) that the attackers behind the REvil ransomware are actively scanning the internet for vulnerable systems. Attackers have also been observed using the updater features of VPN clients to deploy malware payloads,” the company shared.
Microsoft has also pinpointed several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure and decided to notify them directly about it and offer advice on how to keep safe.
“Now more than ever, hospitals need protecting from attacks that can prevent access to critical systems, cause downtime, or steal sensitive information,” they added.
Human-operated ransomware is a rising threat in COVID-19 times
Human-operated ransomware campaigns targeting organizations have became the prevalent type of attack that involves the use of ransomware.
Organizations have more money than individuals and spreading the malware on as many systems as possible within the target organizations before running it ensures maximum effect and increases the likelihood of a payout.
These campaigns are executed by sophisticated attackers who don’t miss a trick and always find a way to exploit the latest changes and trends, such as the soaring enterprise use of RDP and VPN and exploits for vulnerabilities in popular VPN solutions.
“Human-operated ransomware attacks are a cut above run-of-the-mill commodity ransomware campaigns. Adversaries behind these attacks exhibit extensive knowledge of systems administration and common network security misconfigurations, which are often lower on the list of ‘fix now’ priorities. Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network,” Microsoft noted.
“In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time. This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints, or applications that have been compromised.”
Microsoft says that the attackers’ have yet to introduce technical innovations in their attacks as the old tactics, techniques, and procedures (TTPs) work just fine. The only changes they saw was in the social engineering tactics, which are “tailored to prey on people’s fears and urgent need for information.”
Healthcare (and, really, all types of organizations) should apply immediately all available security updates for VPN and firewall configurations, Microsoft advises.
They should also keep a watchful eye on their remote access infrastructure and be quick to investigate anomalies; employ attack surface reduction rules (e.g., block macros, executable content, process creation, and process injection initiated by Office applications); and, if they have Office 365, use security tools the company provides for customers.