Hospital website dispenses ransomware to unsuspecting visitors

Jérôme Segura

22 Mar 2016 - Until an attack is publicized and actually threatens bureaucrats, IT security remains an afterthought beyond budgetary consideration.


“Being Canadian I wanted to look into issues affecting Canadians, particularly the state of ransomware in Canada,” said Jérôme Segura, senior security researcher, Malwarebytes. “The website of Norfolk General Hospital in Simcoe, ON appeared to be compromised. I replayed the attack with a virtual machine. Ransomware encrypted all of my files and asked for a $500 ransom.”
[Securebuzz will not knowingly link to a compromised site.]

Joomla, the platform the site runs on, is at version 3.8 right now, so a site still on version 2.5 was seriously out of date and exposed to multiple known vulnerabilities. Joomla is second only to WordPress in popularity among website platforms.

The injected code was obfuscated with meaningless strings to hide its intent. It launched the Angler exploit kit, which probes the visitor's system for vulnerabilities and exploits them to download the ransomware within a few seconds of the page loading. If the machine is not up to date, it is infected.

“Two weeks ago I informed the hospital administration,” Segura said. “I even left a voice message for the president of the hospital. Apparently they receive a lot of calls from salespeople they ignore, but I wasn’t trying to sell them anything.”

On the same morning Segura spoke to Securebuzz he finally spoke with hospital officials, and learned the website is outsourced.

Instead of updating Joomla, the outsourcing firm restored a version of Joomla that was older than the compromised one. They’re now running version 2.52.28.

Criminals run scanners that harvest information about websites, such as the platform and version in use. When you lock a website down, make sure it isn't revealing too much about itself. In this case the malware checked each visitor's IP address before serving the ransomware.

Google had already blocked the site. Yet the hosting company vehemently denied the claim of ransomware, because the hosting company's own IP addresses were excluded from being served the ransomware... until Segura provided proof.

“I felt bad for the IT guy who was stuck in the middle and frustrated. I gave him names of a couple of companies that protect websites. Government entities are running sites that are outdated and putting patients, employees, and their families at risk. In theory employees could infect themselves from that site.”

It also matters if personal data is stored, although fortunately it appears there was none in this case. “Only” site visitors are at risk. There might be other malware running on the website server, although Segura couldn’t tell from the outside.

“We want to raise awareness, not point the finger at the negligence due to politics and budgets,” said Segura. “I find it almost criminal that a public hospital is running a website hosted on outdated software. The health industry has many examples, like when I go to a clinic and see they are using an unlocked Windows XP computer, with my personal information on there. The security is horrible. It’s just a matter of time.”

He has years of experience in this field, doing website cleanup: logging into servers and removing malware.

“People think they’ve cleaned the site by removing the offending code,” he said. “They forget important things, like that a lot of the time a backdoor remains, or there is still residual code that allows a hacker to reinject malicious code. That’s a problem with education. Don’t just fix the symptoms – look for how the breach happened in the first place. Check your access logs. Find out if they stole your passwords. A lot of people don’t even think about that.”
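Segura's closing advice, checking the access logs for how the breach happened and whether a backdoor is still being used, can be turned into a first-pass triage script. The following is an added example written for this article, not code from Securebuzz or Malwarebytes; it assumes Apache/nginx "combined" log lines and a stock Joomla 2.5 directory layout, and the sample log entries and IP addresses are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (an assumption about how the logs look).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Joomla directories for uploads, caches and logs that should never execute PHP (assumed stock 2.5 layout).
NO_PHP_DIRS = ("/images/", "/tmp/", "/cache/", "/logs/", "/media/")
ADMIN_LOGIN = "/administrator/index.php"
ADMIN_POST_THRESHOLD = 5  # POSTs from one IP to the admin login before we call it a burst
# Constructed sample log; the IPs are documentation ranges, not real visitors.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2016:08:01:12 -0500] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2016:08:01:13 -0500] "GET /media/system/js/mootools-core.js HTTP/1.1" 200 80214 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Mar/2016:08:02:40 -0500] "POST /images/stories/sys.php HTTP/1.1" 200 412 "-" "python-requests/2.9"',
    '198.51.100.77 - - [10/Mar/2016:08:02:41 -0500] "GET /tmp/cache.php?x=1 HTTP/1.1" 200 1320 "-" "python-requests/2.9"',
    '192.0.2.9 - - [10/Mar/2016:08:04:00 -0500] "GET /administrator/index.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
] + [f'198.51.100.78 - - [10/Mar/2016:08:03:{i:02d} -0500] "POST {ADMIN_LOGIN} HTTP/1.1" 303 0 "-" "Mozilla/5.0"'
     for i in range(6)]

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def script_path(path):
    """Drop the query string and case so '/tmp/X.php?a=1' compares as '/tmp/x.php'."""
    return path.split("?", 1)[0].lower()

def find_suspicious(lines):
    """Flag backdoor-style hits and admin-login bursts across an iterable of log lines."""
    php_in_no_php_dirs = []  # (ip, path): PHP executed out of an upload/cache/log directory
    direct_php_posts = []    # (ip, path): POST straight to a PHP file that is not the front controller
    admin_posts = Counter()  # ip -> number of POSTs to the admin login
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort mid-log
        p = script_path(rec["path"])
        if p.endswith(".php") and p.startswith(NO_PHP_DIRS):
            php_in_no_php_dirs.append((rec["ip"], p))
        if rec["method"] == "POST" and p == ADMIN_LOGIN:
            admin_posts[rec["ip"]] += 1
        elif rec["method"] == "POST" and p.endswith(".php") and p != "/index.php":
            direct_php_posts.append((rec["ip"], p))
    bursts = {ip: n for ip, n in admin_posts.items() if n >= ADMIN_POST_THRESHOLD}
    return {"php_in_no_php_dirs": php_in_no_php_dirs, "direct_php_posts": direct_php_posts, "admin_post_bursts": bursts}
```

Running `find_suspicious(SAMPLE_LOG)` on the constructed log returns the two PHP hits under /images/ and /tmp/, the POST to the dropped file, and the six-request burst against the admin login; on a real log, every flagged path is a file to inspect and every flagged IP a candidate for the "how did they get in" question.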