Cybersecurity News

Microsoft Shares Health Sector COVID-19 Ransomware Insights

Human-operated ransomware hackers are using the COVID-19 pandemic to their advantage. In response, Microsoft shares healthcare-specific security considerations to strengthen defenses.


By Jessica Davis

Hackers are targeting network devices such as gateway and virtual private network (VPN) appliances as organizations move to a remote workforce during the COVID-19 crisis, and human-operated ransomware attacks are rising as a result, according to research from Microsoft.

Microsoft is urging the protection of critical services, especially hospitals, to ensure uninterrupted system access during the crisis. But recently, there has been an increasing number of human-operated ransomware campaigns that take advantage of vulnerable network devices.

“Human-operated ransomware attacks are a cut above run-of-the-mill commodity ransomware campaigns,” Microsoft warns. “Adversaries behind these attacks exhibit extensive knowledge of systems administration and common network security misconfigurations, which are often lower on the list of ‘fix now’ priorities.”

“Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network,” they added.

During these attacks, hackers can persist undetected on networks, at times for months, before deploying the ransomware. As a result, it is challenging to find every place where the hackers have “established persistence,” and to identify every inbox, credential, endpoint, and application that was compromised along the way.


One of the most prominent human-operated ransomware campaigns spotted by Microsoft is the notorious REvil, or Sodinokibi variant, which first began targeting the healthcare sector in late 2019. One of the largest successful attacks was on IT vendor Complete Technology Solutions, which locked more than 100 dental practices offline for several days.

Notably, the tech giant has detected REvil ransomware hackers actively scanning the internet for vulnerable systems, as well as attackers leveraging the updater features of VPN clients to deploy malware payloads. These hackers are part of the resurgence in ransomware campaigns taking advantage of the expanded VPN and gateway use to gain access to targeted organizations.

“After successful exploitation, attackers steal credentials, elevate their privileges, and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads,” Microsoft researchers warn.

Microsoft has been tracking REvil as part of a broader monitoring operation covering human-operated ransomware attacks. Researchers found an overlap between the malware infrastructure used in 2019 and the more recently observed VPN attacks, which Microsoft said highlights a continuing trend of hackers repurposing old techniques and procedures in new attacks.

These new attacks aren’t technologically innovative; rather, the hackers rely on social engineering to prey on human fears surrounding the Coronavirus pandemic.


“They employ human-operated attack methods to target organizations that are most vulnerable to disruption: organizations that haven’t had time or resources to double-check their security hygiene like installing the latest patches, updating firewalls, and checking the health and privilege levels of users and endpoints – therefore increasing probability of payoff,” researchers wrote.

Most recently, the FBI, Department of Health and Human Services’ Office of the Inspector General, Department of Justice, and a host of security researchers have all warned that hackers are ramping up cyberattack efforts in light of the pandemic.

Microsoft is now also warning the healthcare sector that hackers are exploiting the crisis for financial gain. Making matters worse, its threat intelligence sources have identified several dozen hospitals with vulnerable gateways and VPN appliances in their infrastructure.

The findings support recent research showing that thousands of organizations have failed to patch vulnerabilities in several popular VPN platforms, despite multiple warnings and available remediations over the past year.

In response, Microsoft sent those hospitals a first-of-its-kind targeted notification about those vulnerabilities and the way hackers can exploit those flaws, as well as “a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others.”


“When managing VPN or virtual private server (VPS) infrastructure, it’s critical for organizations to know the current status of related security patches,” Microsoft explained. “Microsoft strongly recommends that all enterprises review VPN infrastructure for updates, as attackers are actively tailoring exploits to take advantage of remote workers.”

The Department of Homeland Security recently released an advisory around VPN cybersecurity best practices in light of the pandemic.

Microsoft has added its own recommendations for protecting against these attacks, including a reminder to apply all available security updates to VPN and firewall configurations. Organizations should also give special focus and monitoring to their remote access infrastructure, with IT teams immediately investigating any anomalies.

“In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated,” researchers wrote. “Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity.”

“To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications,” they added. “To assess the impact of these rules, deploy them in audit mode.”
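For administrators who want to act on the attack surface reduction (ASR) advice above, the following PowerShell, added here and not taken from the article or from Microsoft's guidance, enables the credential-theft, ransomware and Office rules it names in audit mode on a single Windows endpoint running Microsoft Defender Antivirus, then reads back the configuration and the audit events. The rule GUIDs are the public identifiers from Microsoft's ASR documentation; the endpoint must use Defender as its primary antivirus with real-time protection on, and the session must be elevated.

```powershell
# Added example (not from the article or Microsoft's post): ASR rules named in the
# guidance, keyed by their public rule GUID from Microsoft's ASR documentation.
$AsrRules = @{
    # Credential theft
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    # Ransomware activity
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    # Weaponized Office documents: macros, executable content, child processes, injection
    '92e97fa1-5d37-4034-bc7e-81f29bbdb0e9' = 'Block Win32 API calls from Office macros'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office apps from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting into other processes'
}

# Audit mode logs what each rule WOULD have blocked without blocking it, so the
# impact on line-of-business apps can be assessed before switching to 'Enabled'.
$Mode = 'AuditMode'   # change to 'Enabled' once the audit events show no legitimate hits

foreach ($Id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions $Mode
}

# Read back the effective configuration. Actions are numeric: 0 = Disabled,
# 1 = Block, 2 = Audit, 6 = Warn.
$Pref = Get-MpPreference
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $Id = $Pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        Rule   = if ($AsrRules.ContainsKey($Id)) { $AsrRules[$Id] } else { $Id }
        Action = $Pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Audit-mode hits are written as Event ID 1122 in the Defender operational log
# (1121 is the ID for an actual block). Review these before enforcing the rules.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

In a managed fleet the same rule IDs and actions would be pushed through Intune or Group Policy rather than per host; the cmdlet form is useful for validating one machine and for reading back what a policy actually applied.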

IT security teams should also reference earlier Microsoft guidance on human-operated ransomware campaigns, as well as some technology must-haves for healthcare organizations expanding their telehealth and remote work.