A small Ontario hospital admits its website could have been dispensing links to malware and ransomware as recently as a month ago due to an unpatched content management system, but insists the site is now fixed and safe — a claim disputed by its endpoint security provider.
Dennis Saunders, system administrator at Simcoe, Ont.’s Norfolk General Hospital, said in an interview Monday he was told last month by the institution’s hosting provider that the hospital’s Joomla CMS needed updating and did have “a couple of scripts” that were directing visitors to other URLs.
Those other sites could have been the source of ransomware that struck three hospital PCs earlier this year, Saunders said.
However, those scripts have been removed and the CMS is in the process of being updated.
“It has been updated and taken care of,” he said of the content management system.
That’s not what Jérôme Segura, a British Columbia-based senior security researcher and ransomware expert at Malwarebytes, said of the CMS in an interview Monday.
Segura, who warned the hospital Feb. 26 about its site being an unwitting source of ransomware, said patients, their families and medical staff should stay off the site until the latest version of Joomla is installed.
“As of today when I went on the site, the site wasn’t infected itself — but it was still running the older version of Joomla, which means it’s only a matter of time before this happens again.”
Not only do the sides differ on whether the hospital’s site is safe, they also differ on how the incident began.
By coincidence, the hospital recently became a Malwarebytes customer, which is part of the story.
Segura says that three weeks ago some of its customers complained of a ransomware infection, which he traced to the Norfolk website. (He also posted a blog Monday afternoon outlining his version).
“Most likely” the problem was because the institution was running version 2.5.6 of Joomla, which is “quite outdated and vulnerable,” he said in the interview. The current version is 3.4.8.
“We played the attack in our lab to see the payload it would serve. We saw it was downloading ransomware to our machine through the Angler exploit kit — definitely something pretty nasty.”
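The two warning signs in this story, an outdated CMS build and injected scripts that send visitors to other domains, are both things a site operator can check for without a security vendor. The following is an added example, not code from the article, the hospital or Malwarebytes. It assumes the Joomla install's version can be read from the `<version>` element of its manifest file (`administrator/manifests/files/joomla.xml` in a standard install) and it runs over a constructed manifest and a constructed HTML page; the hostnames in the samples are placeholders.

```python
"""Defender-side audit for an outdated Joomla install and injected third-party
script tags. Added example with constructed sample data; not from the article."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Current Joomla release as stated in the article (3.4.8 at the time).
CURRENT_JOOMLA = "3.4.8"

# Constructed manifest in the shape of administrator/manifests/files/joomla.xml
# (assumed layout: a top-level <version> element carries the release number).
SAMPLE_MANIFEST = """<extension version="2.5" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>2.5.6</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>"""

# Constructed page: one same-site script, one relative script, one injected one.
SITE_HOST = "www.example-hospital.test"          # placeholder hostname
SAMPLE_HTML = """<html><head>
<script src="https://www.example-hospital.test/media/system/js/core.js"></script>
<script src="/media/jui/js/jquery.min.js"></script>
<script type="text/javascript" src="//injected-redirect.example/gate.js"></script>
</head><body><p>Welcome</p></body></html>"""


def parse_version(text):
    """'2.5.6' -> (2, 5, 6) so versions compare numerically, not as strings
    (string comparison would wrongly rank '2.5.6' above '10.0.0')."""
    return tuple(int(part) for part in text.strip().split("."))


def joomla_version_from_manifest(manifest_xml):
    """Return the release string from a Joomla manifest's <version> element."""
    root = ET.fromstring(manifest_xml)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def is_outdated(installed, current=CURRENT_JOOMLA):
    """True when the installed release is older than the reference release."""
    return parse_version(installed) < parse_version(current)


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> value in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html, site_host):
    """Hosts of script tags that load code from somewhere other than site_host.
    Relative and same-host sources are ignored; scheme-relative '//host/...'
    sources are treated as external when the host differs."""
    collector = _ScriptCollector()
    collector.feed(html)
    hosts = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower() and host not in hosts:
            hosts.append(host)
    return hosts


def audit(manifest_xml, html, site_host, current=CURRENT_JOOMLA):
    """Combine both checks into one findings dict for reporting."""
    installed = joomla_version_from_manifest(manifest_xml)
    return {
        "installed_version": installed,
        "outdated": is_outdated(installed, current),
        "external_script_hosts": external_script_hosts(html, site_host),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_MANIFEST, SAMPLE_HTML, SITE_HOST)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run against a real install, the manifest check answers the question the two sides disagree on in this story (which release is actually deployed), and the script-host list gives a short allow-list to review: anything not on it is worth explaining before the page is declared clean.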
He said the hospital’s IT department told him that its hosting provider acknowledged there had been malicious scripts, but no ransomware on the site.
Saunders said this goes further back than the first email Segura sent the hospital on Feb. 26.
On Feb. 11, after the discovery of the three PCs with ransomware, Saunders said he added Malwarebytes protection to its PCs and servers.
Then on Feb. 22, after a user alerted him to a warning that popped up on a PC, Saunders asked the hospital’s hosting provider to check its systems. The provider acknowledged finding the unusual scripts, and also told Saunders his Joomla needed to be upgraded. Saunders said that was the responsibility of the web developer, who was contacted.
But, he added, the web developer looked into the problem and thought it was more a phishing email than a Joomla problem.
At any rate, Saunders said, the developer told him some security updates have been added and it is being monitored daily “to make sure nothing is happening.”
“I don’t believe it (Joomla) is at 3.4 yet, but it is a different version.” The developer had other updates to add as well, he explained.
As for the safety of the site, “I’m on the website now and I’m not getting anything,” Saunders said this morning. “I was on multiple times over the weekend going through just to be sure … and I don’t get any popups (warnings) from Malwarebytes.”
Segura said ransomware is a “huge” problem in Canada. Since January Malwarebytes has stopped 10,000 attempted infections on customers’ hardware. Top cities where malware has struck are (in order) Toronto, Ottawa, Montreal, Markham, Ont., Calgary, Vancouver, London, Ont., Edmonton and Winnipeg.
This comes as McAfee Labs released its latest quarterly report on malware. After three quarters of decline, the number of new malware samples resumed climbing in Q4 2015, with 42 million new malicious hashes discovered, up 10 per cent from the third quarter. The growth in Q4 was driven, in part, by 2.3 million new mobile threats, 1 million more than in Q3.
There was a 26 per cent increase in new ransomware samples in Q4 2015. McAfee attributes that to the recent availability of open source ransomware code (for example, Hidden Tear, EDA2) and ransomware-as-a-service (Ransom32, Encryptor), which make it simpler to create successful attacks. TeslaCrypt and CryptoWall 3 campaigns also continue.