Ransomware attacks targeting remote workforce

HFM Daily

HFM Daily offers blog coverage by the award-winning HFM editorial team and links to in-depth information on health care design, construction, engineering, environmental services, operations and technology. You can read HFM Daily stories on this page or subscribe to Health Facilities Management This Week for a Friday roundup of the week's posts.

DHS and others publish cybersecurity guidance as Microsoft warns of ransomware attacks

April 16, 2020

HFM Staff

Microsoft recently reported an increase in ransomware attacks against network devices like gateway and virtual private network (VPN) appliances being used extensively by remote staff as employees work from home during the COVID-19 crisis.

The software company’s report provides more details on human-operated ransomware campaigns such as REvil (also known as Sodinokibi), which actively exploits gateway and VPN vulnerabilities to gain a foothold in target organizations.

“After successful exploitation, attackers steal credentials, elevate their privileges, and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads,” the report states.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency and Department of Commerce National Institute of Standards and Technology have published useful guidance on securing VPN/Virtual Private Server infrastructure.

In understanding how stressful and challenging this time is for many health care organizations, the American Society for Health Care Engineering recommends organizations follow Microsoft’s recommendations and immediately focus on reducing risk from threats that exploit gateways and VPN vulnerabilities:

Microsoft guidance includes:

Apply all available security updates for VPN and firewall configurations.
Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
Turn on AMSI for Office VBA if you have Office 365.

Corporate News

04-10-24 By Acuity Brands
Care Collection Offers Curated Lighting for the Unique Needs of Health Care Environments.
01-02-24 By Smart Facility Software
The Environmental Services software trusted by hundreds of EVS departments.

Tweets by @hfmmagazine

Quick Links

HFM Daily

Ransomware attacks targeting remote workforce

DHS and others publish cybersecurity guidance as Microsoft warns of ransomware attacks

Related Articles

Is OSHA targeting data center safety regulations?

DHS/HHS councils urge health sector vigilance after Belgium attacks

Targeting C. difficile reductions