Following a recent disclosure about Iranian hackers targeting on vulnerabilities in VPN servers like the Pulse Secure, Palo Alto Systems, Fortinet, and Citrix, Microsoft gave its first-ever ‘targeted’ warning to a few dozen hospitals, informing them of the vulnerabilities in their own virtual private network (VPN) appliances.
With the organizations depending all the more heavily on the VPN servers as the lockdowns are in full swing of the unfortunate outbreak of the Corona Virus. They had no other option except to fall back to this means to help telecommuters but that in the end has made that specific part of the system a weakness i.e a soft spot for ransomware attackers to target – specifically at hospitals with already stressed assets.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) a month ago cautioned all organizations to fix VPN services, however, Microsoft is especially worried about hospitals’ vulnerability to human-operated ransomware due to unpatched VPN servers.
One group the Microsoft team has been following is the REvil, otherwise known as Sodinokibi, ransomware gang, which is known for setting monstrous ransom demands for businesses and government agencies.
While the ransomware gang hasn’t yet developed new attack techniques but instead has repurposed strategies from state-sponsored attacks for new campaigns that exploit the heightened requirement for information in the current coronavirus crisis.
The Microsoft Threat Protection Intelligence Team uncovered in a new post, “Through Microsoft’s vast network of threat intelligence sources, and we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure.”
“To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities,” it added later.
When mentioning these new ransomware gangs the Microsoft team noted, “We haven’t seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people’s fears and the urgent need for information.”
And so the Multinational Technology’s recommendation to hospitals and various other organizations is to follow three key steps to shield their VPN services from attacks:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to your remote access infrastructure.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity.
Apart from these, there are a few more published by Microsoft to further help mitigate these attacks.