LabCorp, one of the largest clinical laboratory networks in the US, reported to the SEC that many of its assets had been infected with ransomware. The attack, which began at midnight on July 13th and lasted about 50 minutes, is suspected to have started with the attackers brute-forcing credentials on a publicly exposed RDP service and then spreading a variant of SamSam ransomware across the network. Although the attack was contained within 50 minutes, according to CSO Online the attackers were able to infect 7,000 systems, 1,900 servers, and 350 production servers. Only Windows servers on the LabCorp network are thought to have been compromised.
The attackers behind the RDP brute-force attacks leading to SamSam ransomware used the same methods that led to many successful attacks on healthcare organizations, government entities, and schools within the last year. The best known of the recent victims was the City of Atlanta.
This is yet another major breach in which publicly exposed RDP was likely overlooked and enabled massive damage to the organization.
Proficio Threat Intelligence Recommendations:
- Implement two-factor authentication for any public-facing RDP services required for business
- Implement monitoring use cases to look for any newly detected public RDP services open to the internet, and take appropriate action to mitigate each new detection
- Implement and test rapid responses that can contain spreading ransomware attacks through MDR services or an EDR platform
- Validate that any public-facing Windows servers are up to date on patching and endpoint security controls
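As an added example (not part of the Proficio advisory), the two detections below in Python illustrate the monitoring use cases above: flagging hosts where TCP/3389 has newly appeared between two external scan snapshots, and flagging source IPs whose failed RDP logons (Windows Security event 4625) exceed a threshold within a sliding window, which is the pattern a brute-force entry like the one described above leaves behind. The host addresses, event records, timestamps and thresholds are constructed for illustration; the scan inventories stand in for whatever external scanner or exposure service the SOC already uses.

```python
"""Two RDP monitoring use cases: new external exposure, and brute-force logons.

All inputs below are constructed sample data, not real LabCorp or Proficio data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed external scan inventories: {public_ip: set(open_tcp_ports)}.
# In practice these come from two runs of an external port scanner.
PREVIOUS_SCAN = {
    "203.0.113.10": {443},
    "203.0.113.11": {25, 443},
    "203.0.113.12": {3389},          # already known and (hopefully) approved
}
CURRENT_SCAN = {
    "203.0.113.10": {443, 3389},     # 3389 newly opened on an existing host
    "203.0.113.11": {25, 443},
    "203.0.113.12": {3389},
    "203.0.113.13": {22, 3389},      # brand-new host exposing RDP
}


def newly_exposed_rdp(previous, current, port=RDP_PORT):
    """Return hosts where `port` is open now but was not open in the prior snapshot.

    A host absent from the previous snapshot counts as newly exposed.
    """
    return sorted(
        host for host, ports in current.items()
        if port in ports and port not in previous.get(host, set())
    )


def _failed_logons(src, count, start, spacing, logon_type=10):
    """Build `count` constructed 4625 records from one source IP, `spacing` apart."""
    return [
        {
            "EventID": 4625,               # An account failed to log on
            "LogonType": logon_type,       # 10 = RemoteInteractive (RDP)
            "IpAddress": src,
            "TargetUserName": f"user{i % 5}",   # password spraying across accounts
            "time": start + i * spacing,
        }
        for i in range(count)
    ]


T0 = datetime(2018, 7, 14, 0, 0, 0)   # constructed reference time
FAILED_LOGONS = (
    _failed_logons("198.51.100.7", 30, T0, timedelta(seconds=6))        # 30 in ~3 min
    + _failed_logons("192.0.2.44", 25, T0, timedelta(minutes=2), 3)     # 25 spread over 48 min
    + _failed_logons("10.0.0.5", 3, T0, timedelta(minutes=1))           # a user mistyping
)


def rdp_bruteforce_sources(events, threshold=20, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for sources with >= `threshold` failed
    RDP logons inside any sliding `window`.

    With Network Level Authentication enabled, failed RDP logons are commonly
    recorded as 4625 with logon type 3 (Network) rather than 10, so both are kept.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4625 or ev["LogonType"] not in (3, 10):
            continue
        by_src[ev["IpAddress"]].append(ev["time"])

    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print("Newly exposed RDP hosts:", newly_exposed_rdp(PREVIOUS_SCAN, CURRENT_SCAN))
    print("RDP brute-force sources:", rdp_bruteforce_sources(FAILED_LOGONS))
```

Feed the brute-force rule with 4625 events parsed from the Security log of the RDP host and tune the threshold and window to the environment; the slow source in the sample (25 failures over 48 minutes) stays below a 20-in-5-minutes threshold, which is why a second, longer window is worth running alongside. A hit from the exposure rule should drive the mitigation step in the recommendation above, not just an alert.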