Apparently, based on the ransom note seen by sources, the ransomware attack was aimed at “Heinrich Heine University” but ended up targeting University Hospital Düsseldorf (UKD).
Cybercriminals inflict damage on innocent people every day for monetary gain, especially through ransomware attacks. While we may sometimes dismiss this as just another crime, some incidents are deeply saddening and inhumane, to say the least.
One such incident unfortunately occurred today: a cyberattack on a German hospital, University Hospital Düsseldorf (UKD), led to the death of a patient.
The ordeal began when the hospital’s IT systems stopped working after an attacker targeted one of its widely used add-on software products. The systems became inaccessible, so emergency patients could no longer be admitted.
As a result, the patient in question, who needed emergency treatment, was sent to another hospital in Wuppertal, 32 km away, and ultimately died.
In a comment to Hackread.com, Ido Geffen, VP Product at CyberMDX, said that:
The cyber risk from add-ons is significant, and I’m definitely not surprised by this attack. Add-ons are used in many types of software and applications and if not configured and restricted properly, they can cause significant risk to organizations and individuals.
The attackers, who had initially encrypted 30 of the hospital’s servers, left a ransom note. A closer look revealed that the note was addressed to “Heinrich Heine University” rather than the hospital, indicating that the attackers had hit the wrong target.
According to the Associated Press, Düsseldorf police then informed the attackers of the situation, and the attackers responded by providing a decryption key that let the hospital recover its data.
A disappointing aspect of the incident is that the vulnerability exploited was CVE-2019-19781 in Citrix ADC, for which a patch had been available since January of this year. By not applying the fix, the hospital paid a huge price: not only were its regular operations halted, but lives were put at stake.
Add-on attacks are cost-effective for hackers and this is the reason that some of them have focused their efforts in this direction. Add-ons vary widely and their behavior can be erratic to the user. They sometimes collect personal information and credentials – or worse – we’ve seen add-ons with a backdoor of malicious code that some bad actor secretly planted in advance, Geffen added.
It is worth noting that just a couple of days ago the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory informing federal government and private sector entities about a new wave of cyberattacks against them by Chinese state-sponsored hackers.
The advisory also warned that hackers are hunting for Citrix VPN appliances that are vulnerable to CVE-2019-19781. In June of this year, Clop ransomware operators targeted the Indian conglomerate Indiabulls and leaked 4.75 GB of data online. That attack also exploited the same vulnerability in the Citrix NetScaler ADC VPN gateway.
Tweet from hospital officials:
The security vulnerability was located in standard, widely used commercial add-on software. So far there are no indications that data has been irretrievably destroyed. As of today, there is no evidence that specific data was siphoned off. (2/4)
— Uniklinik Düsseldorf (@UniklinikDUS) September 17, 2020
To conclude, hospitals in particular need to be extremely careful about applying patches on time, since real human lives are otherwise at stake.
Moreover, even though the attackers were “gracious” enough to realize their mistake and provide a decryption key, not every malicious actor will be, especially state-sponsored attackers; hence the need for precautions.
Meanwhile, the authorities are searching for the attackers in order to prosecute them for “negligent manslaughter”.
It is possible for hospitals to protect themselves but only with a zero-trust approach that assumes any software or endpoint is susceptible to attack. Risk can be mitigated through a comprehensive, multi-layered approach that includes implementing tools that are continuously updating their risk assessment while also using AI and ML for detection, Geffen advised.
As a parting note, it is also important to remember that this is not the first time a medical institution has been targeted. We have previously seen various criminal groups targeting hospitals and, more generally, COVID-19-related targets. One example is the group known as PentaGuard Hackers, whose members were arrested in May with plans to specifically target hospitals. Humanity, alas.