Cause of controversial ransomware hack found, lessons from a hack and attackers give away malware code
Welcome to Cyber Security Today. It’s Monday September 21st. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
You may recall me reporting on Friday that an ill woman who was en route to a hospital in Germany died. She couldn’t be admitted to the hospital because its systems had been shut by a ransomware attack. Instead she had to be diverted to another institution. Well, Germany’s cybersecurity authority says the hackers got in by exploiting a vulnerability in a Citrix virtual private network application within either the Citrix Gateway or Application Delivery Controller. VPNs are used by employees to remotely get into office computers. But if they aren’t secured properly they can also be used by hackers. This particular vulnerability was fixed in a security patch released in January. Police didn’t say if the hackers got into the hospital system before the patch was issued, or after. It also isn’t known if the hospital had patched the application. But German authorities are warning that some Citrix systems were compromised before the patch was released and hackers could still be in victims’ systems even if they later applied the patch. Users of the Citrix Gateway and Citrix Application Delivery Controllers should check their network infrastructure and systems for unusual activity that might be an indication of a hack.
More on ransomware: Usually attackers spread this malware manually after getting access to a corporate system. However, security firm Sophos reports that some ransomware groups are trying a new tactic: Infecting a virtual machine within a victim’s system, which then spreads the malware. A virtual machine is a software server within a server. Companies use virtual machines to save money by not having to buy as many hardware servers. Hackers using virtual machines isn’t new. But the Sophos report on one recent incident shows not only how hackers are using VMs, but also how they think their way through an attack.
The incident started with the hackers getting into the victim’s system and trying to distribute the ransomware by infecting Windows on a number of computers. The ransomware was set to go off at a particular time. It didn’t work. They tried another way, and that didn’t work. Why? Because the defensive software the company used was working. So on the third try the hackers created a virtual machine to do the dirty work. They succeeded. I’ve simplified the story, but there are a couple of lessons: First, these attacks took place over six days. That means defending IT staff may have time to detect a cyber attack. Second, defensive software like anti-virus and endpoint protection can do a good job. And if properly used they can give warnings of cyber attacks. And third, some attackers are patient, persistent and inventive.
Hacking gangs are like any business partners: Sometimes they just can’t get along and have to sell the assets. That’s often bad news for the rest of us. Here’s an example: As reported by ZDNet, the cybersecurity firm Kaspersky told a conference last week that a gang behind an Android banking malware called Cerberus gave away its software code to premium users of an underground forum after an auction for criminals failed to raise enough money. The fact that the Cerberus software is now free means more criminals are using it. People who get suckered into downloading an app with this malware can lose access to their bank accounts when their passwords are stolen. If the victims use two-factor authentication codes sent by SMS text messages, those codes get stolen too. That means the extra protection offered by two-factor authentication is worthless. This is another reason why you need to be careful about the apps you download. For extra two-factor authentication protection use an app like Google Authenticator, Authy, Duo Mobile or Microsoft Authenticator to get those security login codes.
Finally, users of the Firefox Android browser should update to the latest version. It closes a security hole that could allow a hacker on the same Wi-Fi network to get into your mobile device.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.