Cyber criminals have figured out that with millions of American workers logging on remotely for telework during the global coronavirus pandemic, it’s easy to plant malicious software, including ransomware. That’s why it’s more important than ever to practice good cyber hygiene. (All it takes is one wrong person with access to cause mayhem and commit fraud or identity theft.)
Now, Microsoft is warning hospitals of sophisticated ransomware attacks targeting remote healthcare workers. The technology giant has identified dozens of hospitals with network gateways and virtual private networks that are vulnerable to attacks.
Human-operated ransomware attacks employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. A ransomware campaign called REvil (also known as Sodinokibi) actively exploits gateway and VPN vulnerabilities to gain a foothold in target organizations. Once attackers breach the network, they steal credentials, elevate their privileges and move laterally across networks to ensure persistence before installing malware, according to Microsoft. (This could have devastating effects on hospitals, health care providers and patients, especially in the midst of a pandemic.)
Microsoft has notified hospitals about the vulnerabilities, along with a strong recommendation to apply security updates. (This goes for anyone, not just hospitals. There are so many ways a fraudster can gain access to personally identifiable information.) The recommendations include:
- Apply all available security updates for VPN and firewall configurations.
- Monitor remote access infrastructure and investigate any anomalies immediately. In the event of a compromise, ensure that any account used on these devices has a password reset.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity.
- Turn on AMSI for Office VBA if the organization uses Office 365.
- Healthcare organizations should review guidance on securing VPN/virtual private server infrastructure from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Department of Commerce’s National Institute of Standards and Technology.
Cybercriminals target organizations that are most vulnerable to disruption—“orgs that haven’t had time or resources to double-check their security hygiene like installing the latest patches, updating firewalls, and checking the health and privilege levels of users and endpoints,” the Microsoft team wrote. Such attacks can go undetected for months, making them harder to fix, they said. (A little protection today can go a long way toward preventing fraud and saving lives.)
Today’s Fraud of the Day comes from a Fierce Healthcare article, “Microsoft warns hospitals of sophisticated ransomware attacks targeting remote workforce,” published on April 1, 2020.
Microsoft is warning hospitals that sophisticated ransomware attacks are trying to exploit remote workers to gain access to their networks.
As healthcare organizations move their nonessential employees to work remotely during the COVID-19 pandemic, ransomware operators are trying to find vulnerabilities in network devices like gateway and virtual private network (VPN) appliances.