
Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network.
As part of their tracking of various groups behind human-operated ransomware attacks, Microsoft has seen one of the operations known as REvil (Sodinokibi) targeting vulnerabilities in VPN devices and gateway appliances to breach a network.
Pulse VPN devices have been known to be targeted by threat actors, with a vulnerability in these devices thought to be behind the Travelex ransomware attack by REvil.
Other attackers such as DoppelPaymer and Ragnarok Ransomware were also seen in the past utilizing the Citrix ADC (NetScaler) CVE-2019-1978 vulnerability to compromise a network.
Once ransomware actors breach a network with these vulnerabilities they will spread laterally across the network while obtaining administrative credentials. Ultimately, they deploy their ransomware to encrypt all of the data on the network.
With health care organizations such as hospitals being overwhelmed during the Coronavirus pandemic, Microsoft wants to help these organizations stay ahead of the threat actors by sending targeted notifications about vulnerable devices on their network.
"Through Microsoft’s vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure. To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular exploits and others like it," Microsoft stated today in a new blog post.
With these targeted alerts in hand, health care organizations can proactively install security updates on their public-facing devices before threat actors take advantage of them.
To protect against ransomware operations such as REvil, the Microsoft Defender Advanced Threat Protection (ATP) Research Team recommends implementing the following mitigation measures against human-operated ransomware attacks:
• Harden internet-facing assets:
- Apply latest security updates
- Use threat and vulnerability management
- Perform regular audits and remove privileged credentials
• Thoroughly investigate and remediate alerts:
- Prioritize and treat commodity malware infections as potential full compromise
• Include IT Pros in security discussions:
- Ensure collaboration among SecOps, SecAdmins, and IT admins to configure servers and other endpoints securely
• Build credential hygiene:
- Use MFA or NLA, and use strong, randomized, just-in-time local admin passwords
- Apply principle of least-privilege
• Monitor for adversarial activities:
- Hunt for brute force attempts
- Monitor for cleanup of Event logs
- Analyze logon events
• Harden infrastructure:
- Use Windows Defender Firewall
- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and AMSI for Office VBA
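The "Monitor for adversarial activities" items above (hunt for brute force, watch for cleared event logs, analyze logon events) can be turned into concrete hunts. The script below is an added example written for this article, not Microsoft's or the Defender ATP team's code; it runs over constructed Windows Security event records (IDs 4625, 4624 and 1102) and assumes a flat dict per event rather than real EVTX parsing.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

def ev(ts, eid, account, src, ltype=None):
    return {"time": datetime.fromisoformat(ts), "id": eid,
            "account": account, "src": src, "logon_type": ltype}
# Constructed sample log, not real telemetry: a burst of failed logons against a
# local admin from an external address, an RDP success, then the log is cleared.
SAMPLE_EVENTS = (
    [ev(f"2020-04-01T02:00:{s:02d}", 4625, "administrator", "203.0.113.7", 3)
     for s in range(0, 40, 5)]
    + [ev("2020-04-01T02:00:55", 4624, "administrator", "203.0.113.7", 10),
       ev("2020-04-01T02:10:00", 1102, "administrator", "-"),
       ev("2020-04-01T09:00:00", 4624, "nurse1", "10.0.0.5", 2)]
)
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def hunt_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (source, account) pairs with >= threshold 4625s inside `window`, and
    record whether a 4624 from the same source followed (a likely successful guess)."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[(e["src"], e["account"])].append(e["time"])
    hits = {}
    for (src, acct), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                success = any(e["id"] == 4624 and e["src"] == src and e["time"] >= times[i]
                              for e in events)
                hits[(src, acct)] = {"failures": len(times), "followed_by_success": success}
                break
    return hits

def hunt_log_clearing(events):
    """Event 1102 means the Security log was cleared, a common track-covering step."""
    return [(e["time"].isoformat(), e["account"]) for e in events if e["id"] == 1102]

def hunt_external_interactive_logons(events):
    """Successful interactive (2) or RDP (10) logons from outside RFC 1918 space:
    the intrusions described above arrive through an exposed gateway, not the LAN."""
    return [(e["account"], e["src"]) for e in events
            if e["id"] == 4624 and e["logon_type"] in (2, 10) and e["src"] != "-"
            and not any(ip_address(e["src"]) in n for n in INTERNAL)]

if __name__ == "__main__":
    for hunt in (hunt_brute_force, hunt_log_clearing, hunt_external_interactive_logons):
        print(hunt.__name__, hunt(SAMPLE_EVENTS))
```

On the sample, the brute-force hunt reports the external source with eight failures followed by a success, the log-clearing hunt returns the single 1102 record, and only the administrator's RDP logon is flagged as external.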
Comments
Some-Other-Guy - 5 years ago
A Special Alert From Microsoft:
We are sending you this notification using one of the backdoors we put in your Operating System
Through this (and our other backdoors), we have found that your system is vulnerable to backdoor attacks
We will be sending you special (out of band) updates throughout the month to prevent malware groups from using "our" malware channels and backdoors for their own nefarious purposes
Please be advised that there is nothing that you (the end user) can do to mitigate the problems we have created for you
STAY CALM AND RELAX!
We will handle this because we are the only ones who can
(see Licensing Agreement for further details)
Rgolobek - 5 years ago
I hope to god we in the world find and destroy these jerks trying to make a dime off the suffering of others!