Earlier today Microsoft put out a new blog post in their security section concerning ransomware attacks that seek to exploit the current global COVID-19 crisis. “As organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances.”
As part of intensified monitoring and take-down of threats that exploit the COVID-19 crisis, Microsoft has been putting an emphasis on protecting critical services, especially hospitals. Now more than ever, hospitals need protecting from attacks that can prevent access to critical systems, cause downtime, or steal sensitive information.–Microsoft security blog post-April 1, 2020.
Microsoft’s Advice on how to detect, protect, and prevent this type of ransomware
We understand how stressful and challenging this time is for all of us, defenders included, so here’s what we recommend focusing on immediately to reduce risk from threats that exploit gateways and VPN vulnerabilities:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Turn on AMSI for Office VBA if you have Office 365.
To help organizations build a stronger security posture against human-operated ransomware, we published a comprehensive report and provided mitigation steps for making networks resistant against these threats and cyberattacks in general. These mitigations include:
- Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
- Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.
- Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
- Monitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102 when this occurs.
- Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations.
- Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.