ISA is committed to keeping the security community up to date with the latest cybersecurity news.
Woman dies during ransomware attack on German hospital
German authorities may lay negligent manslaughter charges against the hackers who locked up the systems of a Düsseldorf, Germany hospital with a suspected ransomware attack. In the early hours of September 10, some 30 servers at the Düsseldorf University Clinic were encrypted. The hackers left a message on the systems directing staff to contact the cyber criminals for instructions on decrypting the compromised machines.
The note, however, was addressed to the Heinrich Heine University, an affiliated but separate institution about two kilometres away on the same south Düsseldorf campus. In an awful twist, the hackers appear to have attacked the wrong target, which had tragic results. The shutdown of the hospital systems coincided with a critical care procedure scheduled for a female patient at the hospital. Unable to proceed, paramedics were forced to rush the patient to another hospital in the city of Wuppertal, some 30 kilometres east of Düsseldorf, delaying her procedure by about an hour. The unidentified woman did not survive the ordeal.
When police were able to contact the hackers for further instructions, they advised them that they had in fact attacked the wrong target. The hackers reportedly provided the decryption keys to reverse the damage from the ransomware, but too late to help the patient. The hackers cut off all further communication with the authorities.
The ransomware used was widely reported to be malware known as “Doppelpaymer”. According to a report filed by the Ministry of Justice of North Rhine-Westphalia last week, “private security firms” have suggested the ransomware had been used globally and may be traceable back to hackers based in Russia. German authorities also suspect that the hackers likely exploited a critical Citrix vulnerability, CVE-2019-19781. The vulnerability was identified in December 2019, and a patch was released in January 2020. The hospital insists that the bug was patched almost immediately after Citrix released the patch, suggesting that its systems may have been compromised in the intervening month between discovery and remediation, and that the hackers had been lying in wait for months.
This incident drives home the potential seriousness of ransomware attacks, and underscores the importance of top-flight maintenance and cybersecurity practices for healthcare institutions.
Check Point and Facebook partner to patch critical vulnerability in Instagram
In a blog post released September 24, Check Point revealed that they have identified a critical vulnerability in Instagram that could lead to remote code execution enabling an attacker to hijack a smartphone camera or microphone. The vulnerability was first identified in the Android OS, but was shown to exist on iOS as well.
Check Point privately disclosed the vulnerability, assigned CVE-2020-1895, to Facebook early this year. The bug was reported fixed by February, and the CVE report was made in April. Check Point, however, agreed to withhold reporting the details of the bug for several more months, thereby providing ample time for mobile device users to patch their devices in the normal course. There have been no reported cases of the flaw being exploited in the wild, but this may change now that the details of the bug have been made public.
The security flaw is described as “a critical vulnerability in Instagram’s image processing.” The advisory goes on to warn that “a large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128.” More simply put, the flaw allowed an attacker to send Instagram a large picture while tricking the app into “thinking” that the picture was actually much smaller, causing the app to malfunction.
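The dimension-versus-payload mismatch described above is a classic image-decoder defect: the heap buffer is sized from the header the sender controls, while the copy is sized from the data actually received. The constructed example below (added here; it is not Check Point's, Facebook's or the affected library's code, and the header layout and function names are invented for illustration) shows that vulnerable pattern beside a hardened decoder that caps the pixel count and rejects any payload whose length does not match the declared dimensions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header for this illustration, not Instagram's real format:
 * the sender declares the dimensions, then the pixel payload follows. */
struct img_hdr { uint32_t width; uint32_t height; uint32_t bpp; };

enum { DEC_OK = 0, DEC_ERR_OVERFLOW = -1, DEC_ERR_SIZE = -2, DEC_ERR_ALLOC = -3 };

/* Constructed sample payload: 48 zero bytes, i.e. a 4x4 image at 3 bytes/pixel. */
const uint8_t sample_payload[48] = {0};

/* Vulnerable pattern: the heap buffer is sized from the sender-controlled header,
 * but the copy is sized from the real payload. A payload longer than
 * width*height*bpp writes past the allocation (a heap overflow). Shown only for
 * contrast; never feed it untrusted input. */
int decode_trusting_header(const struct img_hdr *h, const uint8_t *payload, size_t payload_len)
{
    size_t want = (size_t)h->width * h->height * h->bpp; /* can also wrap on 32-bit */
    uint8_t *pixels = malloc(want);
    if (!pixels) return DEC_ERR_ALLOC;
    memcpy(pixels, payload, payload_len); /* overflow when payload_len > want */
    free(pixels);
    return DEC_OK;
}

/* Hardened pattern: cap the pixel count so the multiplication cannot wrap, then
 * require the payload length to equal the declared size before touching the heap. */
int decode_checked(const struct img_hdr *h, const uint8_t *payload, size_t payload_len,
                   size_t max_pixels)
{
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 4) return DEC_ERR_SIZE;
    if (h->width > max_pixels / h->height) return DEC_ERR_OVERFLOW; /* width*height > cap */
    size_t want = (size_t)h->width * h->height * h->bpp;            /* <= 4 * max_pixels */
    if (payload_len != want) return DEC_ERR_SIZE;   /* declared size must match the data */
    uint8_t *pixels = malloc(want);
    if (!pixels) return DEC_ERR_ALLOC;
    memcpy(pixels, payload, payload_len);
    free(pixels);
    return DEC_OK;
}

int main(void)
{
    struct img_hdr lying = { 2, 2, 3 };  /* declares 12 bytes, but 48 bytes are sent */
    int rc = decode_checked(&lying, sample_payload, sizeof sample_payload, 1u << 24);
    return rc == DEC_ERR_SIZE ? 0 : 1;   /* the hardened decoder rejects the mismatch */
}
```

The same length-equals-declared-size check belongs in any third-party decoder an app pulls in, which is the point of the library lesson that follows.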
Of particular note amidst the Check Point report’s recommendations is the fact that the vulnerability actually appeared in a third-party software library used by the Instagram programmers. With open source and third-party libraries in wide use, developers must take care that they conduct rigorous security testing not only against their own software, but in any code that is used as part of an application or software service. Taken further, this lesson can be applied at a corporate level: cybersecurity responsibility cannot end at the corporate perimeter – validation of third-party vendors and service providers is an important aspect to consider when managing relationships with business partners.
Windows 2000, Windows XP, Windows Server 2003 source code leaked online
Windows Central has reported that the file-sharing site Mega and the notorious, anonymous forum 4chan contain threads that link to archives containing copies of the old Windows operating systems' source code. While Microsoft has not supported these platforms since April 2014, there is concern that the release of the source code could allow intrepid hackers to explore potential vulnerabilities in the old code to learn how to exploit similar flaws in more recent versions of Windows. Further, while exact figures cannot be determined, a report from TechRadar suggests that a remarkable 1.26% of the estimated two billion laptops and desktop computers in the world are still running Windows XP, which would mean over 25 million machines that could be directly targeted for attack if new vulnerabilities are found.
In a statement, Microsoft confirmed that they are investigating the matter.