In an unprecedented move, the Microsoft Threat Protection Intelligence Team and the Microsoft Threat Intelligence Center have collaborated in an effort to alert healthcare organisations of potential vulnerabilities that could lead to a successful human-operated ransomware attack.
Microsoft was prompted to issue these targeted notifications because healthcare as a sector has faced severe threats from cyber-criminals since the very start of the Covid-19 pandemic, with no sign of slowing down.
Despite pledges from ransomware operators such as DoppelPaymer and Maze not to target healthcare during the evolving crisis, ransomware continues to be a major thorn in the side of hospitals and medical centres. By issuing targeted notifications containing the tactics, techniques and procedures of human-operated ransomware actors, along with details of vulnerabilities detected by its threat intelligence networks, Microsoft hopes to help already stressed IT departments avoid becoming victims at the worst possible time.
"We identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure," said the official announcement.
The notifications included important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply the security updates that protect against exploitation of these particular vulnerabilities, among others.
"Working from home opens a number of attack vectors which will definitely be targeted by cyber attackers far more frequently," warns Dave Waterson, CEO at SentryBay.
"REvil (Sodinokibi) ransomware has exploited the vulnerabilities identified in Pulse Secure’s VPN, now patched. With more and more employees working from home, this is one of the attack vectors which are likely to become far more prevalent," he told SC Media UK.
As enterprises feel the IT support strain, SC Media UK asked the infosecurity professional community for advice regarding ransomware and VPN vulnerabilities at this time of increased risk.
When you consider that, as HackerOne head of IT Aaron Zander puts it, "a VPN breach is about as bad as you can get, the ability for someone to travel internally from VPN infrastructure into sensitive data is extremely easy," the risk is there for all to see.
Or not, and that's the problem.
"With the sudden surge of user traffic, malicious behaviour will be difficult to detect, and, much like Covid-19, while we may return to work very soon, the virus and these hacks, will be lingering around considerably longer than our quarantine," Zander told SC Media UK.
Charles Ragland, security engineer at Digital Shadows, explains that VPNs are high value targets because "they allow threat actors to pivot from a compromised endpoint to a corporate network" and with increased numbers of remote workers likely to be using VPNs, the attack surface has expanded rapidly.
"Home networks are not likely to have the same security controls in place as corporate networks. So compromising one and pivoting to the corporate network over VPN follows the more targeted nature of recent ransomware trends," he warned.
According to Ragland, the risk could extend beyond just this typical exploit behaviour though, encompassing disruption campaigns as well. "By targeting VPNs, threat actors could demand payment for allowing the organisation to get connections up and running again," he said.
At the crux of the risk issue is the fact, often overlooked, that "it's not VPNs themselves that are targeted, it's more the end user and devices using the VPN to connect back to the organisation's systems," said Jim Rees, MD at Razorthorn Security.
"This is because there is no way to guarantee the state of security of that endpoint, as at the moment these will be the home networks of the employees using those VPNs."
With little or no control over these home networks, should compromised devices be connected "it puts that whole home network at risk, including the employee's device, and the VPN just allows a potential delivery of malicious code such as ransomware into the network of the organisation, bypassing the perimeter security controls," Rees told SC Media UK.
So, what should enterprise security teams be doing to mitigate this threat?
"Enterprise security teams can mitigate these threats by ensuring their VPN devices are patched and that all accounts require multi-factor authentication," said Joe McManus, director of security at Canonical.
However, security doesn’t stop at the firewall, as McManus pointed out. "Ensuring your assets behind the VPN are protected includes a mixture of host-based firewalls, MFA and unattended upgrade and livepatch for patching of your applications and systems," he warned.
Part of the problem is that IT teams are being required to do things they otherwise would strongly resist, noted Mark Lomas, technical architect at Probrand.
"Broaden out remote access, poke holes in firewalls and cobble together solutions that have security risks," Lomas said. So, the more lockdowns that can be put in place, the better.
"Look to make good use of additional protections like Conditional Access authentication to further limit logins and try to be as managed as possible. So combine this with device registration for even BYOD devices being used to work from home," Lomas told SC Media UK.
"Triple-check all of your network configurations, ACLs, firewall rules, etc," said HackerOne's Zander.
"Without a doubt, in nine months from now, we’ll be looking at news stories about two impacts resulting from COVID-19: all the babies being born, and all the breaches that have happened because of negligent infrastructure."
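Lomas and Zander describe the same failure mode from two sides: holes poked in firewalls in a hurry to broaden remote access, and nobody going back to re-check them. The script below is an added example, written for this article rather than taken from it or from any of the vendors quoted; it audits a small, constructed rule set for exactly those hurried changes: administrative services (RDP, SSH, SMB, WinRM, VNC) reachable from outside the internal ranges, "any port" rules from the Internet, and allow rules with no change ticket or expiry attached. The `Rule` structure, the high-risk port list and the choice of RFC 1918 ranges as the trust boundary are assumptions for the example; a real audit would read the exporter's format of the firewall or cloud security group in use.

```python
"""Audit allow rules for the kind of holes that emergency remote-access
changes leave behind: admin services exposed to untrusted sources, wide
open "any port" rules, and rules nobody recorded a change ticket for.
Example code written for this article; not from any quoted vendor."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# TCP services that should not be reachable from untrusted sources.
# Assumed list for this example; extend it for the environment.
HIGH_RISK_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP",
    5900: "VNC", 5985: "WinRM", 5986: "WinRM/TLS",
}

# Source ranges treated as internal. RFC 1918 only here (an assumption);
# add VPN pools or other trusted ranges as appropriate.
TRUSTED_SOURCES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Rule:
    """One firewall/ACL entry. Field layout is assumed for this example."""
    name: str
    action: str       # "allow" or "deny"
    source: str       # CIDR
    dest: str         # CIDR
    proto: str        # "tcp", "udp" or "any"
    ports: str        # "any", a single port, or "lo-hi"
    ticket: str = ""  # change record / expiry reference; empty = untracked


Finding = Tuple[str, str, str]  # (severity, rule name, message)


def port_range(spec: str) -> Tuple[int, int]:
    """Parse 'any', '443' or '1024-65535' into an inclusive (lo, hi) pair."""
    if spec == "any":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def is_trusted_source(cidr: str) -> bool:
    """True when the whole source range sits inside a trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_SOURCES)


def audit(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        if r.action != "allow":
            continue
        # Every allow rule should be traceable to a change and an owner.
        if not r.ticket:
            findings.append(("low", r.name, "no change ticket or expiry recorded"))
        if is_trusted_source(r.source):
            continue
        src = ipaddress.ip_network(r.source, strict=False)
        broad = src.prefixlen < 24        # wider than a /24 from outside
        lo, hi = port_range(r.ports)
        exposed = [name for port, name in HIGH_RISK_PORTS.items()
                   if lo <= port <= hi and r.proto in ("tcp", "any")]
        if r.ports == "any" and broad:
            findings.append(("high", r.name, f"all ports open from {r.source}"))
        elif exposed:
            severity = "high" if broad else "medium"
            findings.append((severity, r.name,
                             f"{', '.join(exposed)} reachable from {r.source}"))
    return findings


# Constructed sample rule set: a mix of a legitimate VPN listener, a
# temporary RDP hole, a vendor SSH allow-list and a wide high-port rule.
SAMPLE_RULES = [
    Rule("vpn-gateway-https", "allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", "443", "CHG-1001"),
    Rule("temp-rdp-finance", "allow", "0.0.0.0/0", "192.168.10.5/32", "tcp", "3389"),
    Rule("vendor-ssh", "allow", "198.51.100.7/32", "192.168.20.3/32", "tcp", "22", "CHG-1002"),
    Rule("wfh-high-ports", "allow", "0.0.0.0/0", "10.0.5.0/24", "tcp", "1024-65535"),
    Rule("lan-any", "allow", "10.0.0.0/8", "10.0.0.0/8", "any", "any", "CHG-0001"),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "CHG-0001"),
]

if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE_RULES):
        print(f"[{severity}] {name}: {message}")
```

Run against the sample set, the audit ignores the HTTPS listener for the VPN gateway and the internal-only rule, but flags the temporary RDP rule and the untracked high-port rule as high severity, and the vendor's single-address SSH allow as medium, which is the triage order a stretched team wants. The severity split on prefix length is deliberate: a /32 partner address to SSH is a known, reviewable exposure, whereas 0.0.0.0/0 to RDP is the pattern that precedes human-operated ransomware intrusions.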