by John R. Fischer, Senior Reporter | April 13, 2020
Microsoft has identified several dozen hospitals whose internet-facing gateway and VPN appliances leave them vulnerable to attack during the COVID-19 pandemic.
The tech giant is warning healthcare providers to be on the lookout for ransomware operators seeking to access critical systems in hospitals, to cause downtime or steal sensitive information. It is especially concerned about REvil — also known as Sodinokibi — a ransomware campaign that actively exploits gateway and VPN vulnerabilities to access organizations.
“During this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances,” it said in a blog post. “Unfortunately, one sector that’s particularly exposed to these attacks is healthcare. As part of intensified monitoring and takedown of threats that exploit the COVID-19 crisis, Microsoft has been putting an emphasis on protecting critical services, especially hospitals.”
Human-operated ransomware attacks target common network security misconfigurations, the kind that tend to sit low on an organization's remediation priority list. Once inside a network, operators such as those behind REvil perform reconnaissance and then tailor their privilege escalation and lateral movement to whatever security weaknesses and vulnerable services they uncover. Only after that groundwork do they deploy the ransomware or other malware payloads.
Signals in Microsoft Protection Services show that those behind the REvil ransomware are actively scanning the internet for vulnerable systems and are abusing the updater features of VPN clients to deploy malware payloads. The pandemic gives them an opening to reuse old tactics, techniques and procedures (TTPs) against organizations that have not had the time or resources to install the latest patches, update firewall rules, or review the health and privilege levels of their users and endpoints. While Microsoft has not observed technical innovation in these attacks, it reports seeing social engineering efforts that play on people’s fears and desire for information in the current climate.
“In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time,” it said. “This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints, or applications that have been compromised.”