Microsoft Warns Hospitals They Are Vulnerable to Ransomware, Must Fix VPNs
A warning was sent to the hospitals that Microsoft believes are particularly high-risk.
Microsoft announced on Wednesday that it has identified dozens of hospitals that have vulnerable gateway and virtual private network (VPN) appliances in their infrastructure that make them susceptible to more sophisticated human-operated ransomware attacks during the COVID-19 crisis.
“To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others,” the company said in a blog post.
Microsoft said it has observed several nation-state and cybercrime actors targeting unpatched VPN systems for many months. Although some ransomware attackers have vowed to spare the healthcare industry during the coronavirus outbreak, Microsoft says the individuals behind the REvil ransomware are scanning the internet for vulnerable systems.
These attackers are relying mostly on social engineering tactics, preying on people’s fears and need for information during the COVID-19 crisis, the tech giant says.
Ransomware attacks have increased in quantity and severity over the past several years. Usually, they shut down the victim’s computer until the victim pays a ransom in digital currency.
Microsoft recommends all enterprises do the following:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Turn on AMSI for Office VBA if you have Office 365.
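The third and fourth recommendations above can be staged on a single Windows endpoint with Microsoft Defender Antivirus as shown below. This is an added example, not code from the article or from Microsoft; the ASR rule GUIDs are Microsoft's published rule identifiers and the `MacroRuntimeScanScope` registry value is assumed from the Office "Macro Runtime Scan Scope" policy, so verify both against current documentation before wider rollout.

```powershell
# Added example: deploy the ASR rules the article names in audit mode first,
# then inspect the audit events, then enable AMSI scanning for Office VBA.
# Run in an elevated PowerShell session on a Defender-managed endpoint.

# Rule name -> ASR rule GUID (from Microsoft's ASR rule reference; verify before use).
$AsrRules = [ordered]@{
    'Block credential stealing from LSASS'                  = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Use advanced protection against ransomware'            = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block Win32 API calls from Office macros'               = '92e97fa1-5d07-40e0-a3be-6e5a39d4a9a9'
    'Block Office apps from creating executable content'     = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block all Office apps from creating child processes'    = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office apps from injecting into other processes'  = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
}

# Start in AuditMode so impact can be measured, as the article advises;
# change to 'Enabled' once the audit window shows no business-breaking hits.
$Mode = 'AuditMode'

foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions $Mode
    Write-Host ("{0,-9} {1}  {2}" -f $Mode, $rule.Value, $rule.Key)
}

# Confirm the effective rule/action table (Action: 0=Disabled, 1=Block, 2=Audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# What the rules would have stopped: audit hits log event ID 1122, enforced
# blocks log 1121, both in the Defender operational channel. Review these
# during the audit period before switching any rule to 'Enabled'.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# AMSI for Office VBA: the "Macro Runtime Scan Scope" policy for Office 16.x
# (Office 365 / Microsoft 365 Apps). 2 = scan macros in all documents,
# 1 = low-trust documents only, 0 = off. Key path and value name are assumed.
$amsiKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $amsiKey -Force | Out-Null
Set-ItemProperty -Path $amsiKey -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord
```

In a managed estate the same settings would normally be pushed through Intune or Group Policy rather than per host; the script is useful for validating behaviour on a pilot machine and for reading the 1121/1122 events that show what each rule is catching.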
It also provided mitigation steps, detailed in the same blog post, for making networks resistant to ransomware and cyberattacks in general.