Coronavirus: Microsoft directly warns hospitals, 'Fix your vulnerable VPN appliances'

Microsoft issues its first-ever targeted ransomware alert to hospitals over their vulnerable VPN appliances.
Written by Liam Tung, Contributing Writer

Microsoft says it has issued its first-ever targeted warning to several dozen hospitals, alerting them to vulnerabilities in their virtual private network (VPN) appliances after spotting a ransomware gang targeting them. 

Also: The best VPNs in 2020

The warning follows the recent discovery that Iranian hackers have been targeting vulnerabilities in VPN servers from Pulse Secure, Palo Alto Networks, Fortinet, and Citrix. 

Now, with COVID-19 coronavirus outbreak lockdowns in full swing, companies are relying on VPN servers more than ever to support remote workers, making that part of the network a soft spot for ransomware attackers to hit – in particular at hospitals with already strained resources. 

While the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) last month warned all organizations to patch VPN services, Microsoft is particularly concerned about hospitals' vulnerability to human-operated ransomware due to unpatched VPN servers.

SEE: 10 tips for new cybersecurity pros (free PDF)    

"Through Microsoft's vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure," the Microsoft Threat Protection Intelligence Team revealed in a new post.

"To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities," it added. 

The alert contained information about how attackers can exploit the flaws, and a "strong" warning that the affected hospitals need to apply security updates that will protect them from exploits. 

One group the Microsoft team has been tracking is the REvil, aka Sodinokibi, ransomware gang, which is known for making massive ransom demands on businesses and government agencies. In January it was caught targeting unpatched Pulse Secure VPNs, as well as flaws in enterprise Citrix servers.   

"Our intel on ransomware campaigns shows an overlap between the malware infrastructure that REvil was observed using last year and the infrastructure used on more recent VPN attacks," the Microsoft team said.

The ransomware gang hasn't developed new attack techniques but rather has repurposed tactics from state-sponsored attacks for new campaigns that exploit the heightened need for information in the current coronavirus crisis. 

"We haven't seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people's fears and urgent need for information," the team noted. 

Despite just copying techniques from other attackers, Microsoft warns that REvil and other human-operated ransomware gangs are a superior threat to commodity ransomware campaigns, in part because they're run by IT pros who are very familiar with systems administration and common network security misconfigurations that often aren't treated as urgent to fix. 

"Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network," Microsoft says. 

SEE: VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers

Microsoft's advice to hospitals and other organizations is to follow three key steps to protect VPN services from attacks: 

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to your remote access infrastructure. Any detections from
    security products or anomalies found in the event logs should be investigated immediately. In the event of a compromise, ensure any account used on these devices has a password reset as the credentials could have been exfiltrated.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode. 

Microsoft has published more steps to mitigate these types of attacks

Editorial standards