Microsoft has been forced to alert several dozen hospitals in a “first of its kind notification” that their gateway and VPN appliances are vulnerable to ransomware groups actively scanning for exposed endpoints.
The tech giant claimed that attackers behind the REvil (Sodinokibi) variant, for one, are probing the internet for vulnerable systems, with VPNs in high demand at the moment as COVID-19 forces home working.
The group appears to be repurposing malware infrastructure it used last year in the new attacks, which aim to take advantage of vulnerable healthcare organizations already under extreme pressure dealing with infected patients.
These “human-operated” attacks differ from commodity ransomware efforts in that the hackers use their extensive knowledge of system administration and common network security misconfigurations, said Microsoft.
“Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network,” it continued.
“In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time. This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints or applications that have been compromised.”
Reports emerged earlier this year that ransomware attackers including REvil were targeting flaws in Citrix ADC and Gateway products. It’s also suspected that the group exploited vulnerabilities in the Pulse Secure VPN platform to compromise Travelex last year.
The National Cyber Security Centre (NCSC) and the NSA pushed out alerts last October that these products were being targeted by APT groups.
Microsoft’s advice is to patch promptly, monitor remote access carefully, turn on attack surface reduction rules in Windows, and switch on AMSI for Office VBA in Office 365 environments.
A report it issued last month details further steps to mitigate targeted ransomware.
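Two of the mitigations listed above, attack surface reduction rules and AMSI scanning of Office VBA, can be applied from PowerShell. The script below is an added example written for this article, not Microsoft's own guidance; it assumes an elevated session on a Windows host running Microsoft Defender Antivirus and Office 16.0 (Microsoft 365 Apps), and the rule GUIDs are Microsoft's published ASR identifiers as known at time of writing.

```powershell
# Added example, not from the article or from Microsoft. Rules are enabled in
# AuditMode first so that Defender logs what *would* be blocked and the change
# can be measured before switching to Enabled (block) mode.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Mode = 'AuditMode'
    )
    # Add-MpPreference updates only the listed rules; other rules keep their state.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions @($Ids | ForEach-Object { $Mode })
}

function Get-AsrRuleState {
    # Returns one row per configured rule; Action codes: 0=Disabled 1=Block 2=Audit.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Id     = $id
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
            Name   = $AsrRules[$id]
        }
    }
}

function Enable-OfficeMacroAmsiScan {
    # MacroRuntimeScanScope policy value: 0 = off, 1 = low-trust documents only,
    # 2 = all documents. The 16.0 path is an assumption for Microsoft 365 Apps.
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord
    (Get-ItemProperty -Path $key -Name 'MacroRuntimeScanScope').MacroRuntimeScanScope
}

Set-AsrRuleMode -Ids @($AsrRules.Keys) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Enable-OfficeMacroAmsiScan
```

Audit-mode hits appear in the Microsoft-Windows-Windows Defender/Operational event log (event ID 1122), which is where to look before moving a rule to Enabled.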