Microsoft issues targeted notifications to healthcare organisations as Covid-stressed sector faces serious threats from ‘heartless’ cyber-criminals
Unique
In a believed unique action, the Microsoft Threat Protection Intelligence Team and the Microsoft Threat Intelligence Center have together collaborated in order to alert healthcare organisations of potential vulnerabilities that could, it is sadly feared, lead to a successful human-operated ransomware attack.
Microsoft was motivated to issue targeted notifications to organisations such as these, as healthcare as a sector has been facing severe threats from cyber-criminals since the very start of the pandemic, with few signs of slowing down. Never has the expression ‘Criminal’ better described the actions of the twisted perpetrators!
‘Promises’ & trusting criminals’ intentions
Despite ‘promises’ from ransomware operators such as DopelPaymer and Maze not to target healthcare during the crisis, the ransomware threat continues to be a major worry for hospitals and medical centres. By issuing targeted notifications containing tactics, techniques and procedures of human-operated ransomware actors along with details of vulnerabilities detected by Microsoft’s threat intelligence networks, it is trying to help hugely stressed IT departments to avoid becoming unwitting victims at the worst possible time imaginable.
Hospitals
“We identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure,” it was said in their announcement.
The notifications included important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities among many others.
Enterprises across all sectors are at risk, much more so now that so very many businesses have asked employees to work remotely.
Working from home
“Working from home opens a number of attack vectors which will definitely be targeted by cyber attackers far more frequently,” warns Dave Waterson, CEO at SentryBay.
“REvil (Sodinokibi) ransomware has exploited the vulnerabilities identified in Pulse Secure’s VPN, now patched. With more and more employees working from home, this is one of the attack vectors which are likely to become far more prevalent,” he further explained.
The infosecurity professional community has offered advice regarding ransomware and VPN vulnerabilities at this time of heightened risk.
HackerOne head of IT Aaron Zander explained, “a VPN breach is about as bad as you can get, the ability for someone to travel internally from VPN infrastructure into sensitive data is extremely easy,” the risk is there for all to see.
Or perhaps not, and therein lies the problem
“With the sudden surge of user traffic, malicious behaviour will be difficult to detect, and, much like Covid-19, while we may return to work very soon, the virus and these hacks, will be lingering around considerably longer than our quarantine,” Zander further warned.
VPNs
Charles Ragland, security engineer at Digital Shadows, outlined that VPNs are high value targets because “they allow threat actors to pivot from a compromised endpoint to a corporate network” and with increased numbers of remote workers likely to be using VPNs, the attack targets have vastly expanded very rapidly.
“Home networks are not likely to have the same security controls in place as corporate networks. So, compromising one and pivoting to the corporate network over VPN follows the more targeted nature of recent ransomware trends,” he warned users at this challenging time.
The risk could extend far beyond just this typical exploit behaviour though, encompassing disruption campaigns too. “By targeting VPNs, threat actors could demand payment for allowing the organisation to get connections up and running again,” he added.
End User
At the heart of the risk issue is the fact, which is more often than not overlooked, that “it’s not VPNs themselves that’s targeted, it’s more the end user and devices using the VPN to connect back to the organisations systems,” said Jim Rees, MD at Razorthorn Security.
“This is because there is no way to guarantee the state of security of that endpoint, as at the moment these will be the home networks of the employees using those VPNs.”
Home networks
With little or even no control over home networks, should any compromised devices then be connected “it puts that whole home network at risk, including the employees, device and the VPN just allows a potential delivery of malicious code such as ransomware into the network of the organisation bypassing the perimeter security controls,” Rees worryingly explained.
What should enterprise security teams do to mitigate the threat?
“Enterprise security teams can mitigate these threats by ensuring their VPN devices are patched and that all accounts require multi factor authentication,” said Joe McManus, director of security at Canonical.
Firewalls
However, security doesn’t stop at the firewall, as McManus emphasised. “Ensuring your assets behind the VPN are protected includes a mixture of host-based firewalls, MFA and unattended upgrade and live patch for patching of your applications and systems,” he warned.
Part of the problem is that IT teams are being required to do things they otherwise would strongly resist, noted Mark Lomas, technical architect at Probrand.
“Broaden out remote access, poke-holes in firewalls and cobble together solutions that have security risks,” Lomas said. So, the more lockdowns that can be put in place, so much the better.
Conditional Access
“Look to make good use of additional protections like Conditional Access authentication to further limit logins and try to be as managed as possible. So, combine this with device registration for even BYOD devices being used to work from home,” Lomas explained.
“Triple-check all of your network configurations, ACL’s, firewall rules, etc,” observed HackerOne’s Zande.
9 months on
“Without a doubt, in nine months from now, we’ll be looking at news stories about two impacts resulting from COVID-19: all the babies being born, and all the breaches that have happened because of negligent infrastructure.”
I’m sure he has a point!