Microsoft recently reported an increase in ransomware attacks against network devices like gateway and virtual private network (VPN) appliances being used extensively by remote staff as employees work from home during the COVID-19 crisis.
The software company’s report provides more details on human-operated ransomware campaigns such as REvil (also known as Sodinokibi), which actively exploits gateway and VPN vulnerabilities to gain a foothold in target organizations.
“After successful exploitation, attackers steal credentials, elevate their privileges, and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads,” the report states.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency and Department of Commerce National Institute of Standards and Technology have published useful guidance on securing VPN/Virtual Private Server infrastructure.
In understanding how stressful and challenging this time is for many health care organizations, the American Society for Health Care Engineering recommends organizations follow Microsoft’s recommendations and immediately focus on reducing risk from threats that exploit gateways and VPN vulnerabilities:
Microsoft guidance includes:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Turn on AMSI for Office VBA if you have Office 365.