Cyber Terrorism: A look into the future

21 May 2016

One of the key challenges of understanding ‘cyberterrorism’ is defining exactly what the term means. The term has been used in the past to refer to known terrorists or terrorist organisations using the internet to communicate.

Currently, the term cyberterrorism more often refers to attempts to damage or exploit computer networks and the computers connected to them, or to attempts to use such networks (especially the internet) to wreak havoc and destruction on other targets reachable through them. Even the individual terms ‘cyber’ and ‘terrorist’ are inconsistently interpreted.

Cyber terrorism definition

Cyber terrorism refers to attacking computers, networks, and other electronic technological capabilities to either damage the cyberspace infrastructure itself or to damage some other target, motivated by terrorism. Cyber terrorism may grow depending on a cyber terrorist’s perceived benefits of using such tactics.

One way it may manifest itself in the future is by applying cyber terrorism tactics to Supervisory Control and Data Acquisition (SCADA) systems, creating the potential (or fear of the potential) for damage to the integrity of the critical infrastructures such as water supply, electrical grid, transportation systems, and financial systems. Such attacks could undermine a population’s faith in its government and in the security of the nation’s critical infrastructures.

To be able to defend against acts of cyber terrorism, we must act now both as a government and as individuals.

What the experts say

Andrew M. Colarik of the USA and Lech J. Janczewski of New Zealand state that, “In the context of information security, terrorists may come in many forms such as politically motivated, anti-government, anti-world trade, and pro-environmental extremists”.1

They further state, “Cyber terrorism means premeditated, politically motivated attacks by sub national groups or clandestine agents, or individuals against information and computer systems, computer programmes, and data that result in violence against non-combatant targets” (ibid).

This interpretation of cyber terrorism creates a distinction between a cyber terrorist and a malicious hacker, prankster, identity thief, cyberbully, or corporate spy based on the political motivation of the attacker. It also differs from hacking, cracking, phishing, spamming, and other forms of computer-related abuse, though cyber terrorists may use these tactics to accomplish their politically motivated goals.

Dr. Dorothy Denning, Professor in the Department of Defense Analysis at the Naval Postgraduate School states that cyber terrorism “refers to the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attacks against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political and social objectives”2.

According to Dr. Irving Lachow, PhD, Professor of Systems Management at the US National Defense University in Washington, D.C., “While there is clear evidence that terrorists have used the internet to gather intelligence and coordinate efforts to launch physical attacks against various infrastructure targets, there has not been a single documented incidence of cyber terrorism against the US Government.”3

It should also be noted that there is another school of thought that says cyber terrorism does not exist and is really a matter of hacking or information warfare. Those who hold this view disagree with labeling it ‘terrorism’ because it is unlikely that these acts cause fear, significant physical harm, or death.

How serious is the problem of cyber terrorism?

Ask Estonia. The 2007 attacks on Estonia, a roughly three-week campaign of distributed denial of service and website defacements, threatened to black out the country's digital services, taking the websites of banks, ministries, political parties and news outlets offline. What really keeps cyber security professionals up at night, though, is not so much the threat of shutting down banking and financial infrastructures as the security of the Supervisory Control and Data Acquisition (SCADA) systems underpinning the nation’s critical infrastructures.

These are the industrial control systems that are managed by computers. SCADA systems control railroad track switches, drawbridges, sewage treatment and water purification plants, traffic signals in busy cities, the electrical distribution grid, subway systems, and other critical systems whose malicious manipulation could easily cause massive injuries and loss of life.

Many of these systems are connected to the internet and run on commonly understood operating systems using well-known, standard communications protocols. In many cases, access to these systems is not controlled as tightly as expected given their potential impact on life and safety.

A concerted, focused cyber terrorism attack on these systems could have a devastating effect on public safety and confidence. If terrorists were to attack a SCADA system simultaneously with physical bombings, public panic could quickly spin out of control. If terrorists were to bomb a busy city intersection while simultaneously shutting down the electrical systems in a nearby hospital – a combined attack known as a ‘force multiplier’ in military terms – this would result in national panic. The impact would be devastating to the surrounding population.

Incidents often cited in this context include one in 2003 in which intruders operating from Romania gained access to the computers controlling the life-support systems at a US Antarctic research station, endangering the 58 scientists there. Fortunately, the culprits were stopped before damage occurred.

Most acts of sabotage against such systems to date have not been politically motivated, yet have still caused financial and environmental damage, as in Maroochy Shire, Queensland, in 2000, where a disgruntled former contractor used radio equipment and the utility's own control software to release untreated sewage into local waterways.

If Hollywood and popular fiction are any guide to the future, we might consider how cyber terrorism is depicted in fictitious scenarios such as Dan Brown's novel Digital Fortress, Amy Eastlake's Private Lies, and the Tom Clancy series Net Force (about an FBI/military team dedicated to combating cyber terrorists).

The films Live Free or Die Hard (a group of cyber terrorists intent on shutting down the entire computer network of the United States) or Eagle Eye (involving a super computer controlling everything electrical and networked to accomplish the goal), and a television episode of 24 which included plans to breach the nation's nuclear plant grid and then to seize control of the entire critical infrastructure protocol, are also examples of how media depicts cyber terrorism.

What can we do about cyber terrorism?

The good news is that there are many highly trained, internationally certified, experienced security professionals thinking about this problem. They are participating in exercises, examining case studies, war-gaming various scenarios, and implementing solutions. These experts from military, industry, and academia work well together and offer a global perspective.

There is also an abundance of policies, practices, tests, hardware, software, literature, training and education designed to protect against cyber attacks, regardless of the source (terrorist or otherwise), to detect it immediately when it happens, and to respond to it quickly and effectively.

The threat of cyber terrorism, however, is similar to other forms of network exploitation, and carries the same warnings. Firstly, while defenders must confront the full range of security vulnerabilities, the attacker needs to find and exploit only a single one to accomplish the mission. The level of effort therefore falls disproportionately on the defenders.

Secondly, terrorists are typically passionate about accomplishing their goals, and are often willing to lose their own lives to accomplish massive destruction. However, while many security experts are professionals who take their work very seriously, they are generally not fanatics working 20 hours a day for an extreme ideology.

The third problem is that the internet was not initially designed for confidentiality or integrity (two of the three classic security services, alongside availability). It was designed for availability and resilience, as a packet-switched network with alternate paths meshed together. Confidentiality and integrity must usually be implemented at the application and endpoint levels (computer, mobile phone, personal digital assistant, etc.), for example with TLS or end-to-end encryption.

While we may be somewhat positioned to defend against such acts, we must act now – as a government and as individuals – to fully meet the challenge of cyber terrorism. Some methods we may use include:

  1. Implementing strong access control systems to ensure that only authorized individuals can access cyber systems

  2. Using strong encryption to ensure confidentiality and integrity of information stored, processed, and transmitted on and through cyberspace

  3. Closely monitoring all cyber activity by using log files and log analyses

  4. Keeping policies up to date, and ensuring they are strictly enforced

  5. Implementing effective detection systems to recognise cyberattacks quickly

  6. Appointing active cyber security leadership to implement a real-time national defense strategy


The future of cyber terrorism

A critical factor in defending against cyber terrorism is thinking towards the future. It is easy to fall into the trap of projecting what terrorists might do in the future to our current technologies. But, we must think about what terrorists might do in the future to our future technologies. This becomes doubly challenging since predicting the future is always difficult and this challenges us to predict the future in two dimensions. Future terrorists will not attack what we have now.

They will attack what we will have in the future. For example, as we evolve more toward virtual worlds, diskless workstations (‘thin client’), and cloud computing, computing capabilities are being deployed at a national-level utility rather than as individual or corporate data systems. We would be wise to extrapolate into the future based on current trends, then to think about how cyberterrorists might attack our future environment and technology infrastructure.

In his best-selling book, The Big Switch, Nicholas Carr compares current computer trends to those of electricity development. More than 100 years ago, individual factories built their own electrical generators using water wheels by the sides of rivers, to generate their own personal electricity. As the electrical grid developed, it became more economical and efficient to produce electricity in massive central locations and to distribute the electricity to customers as a utility. This freed up corporations to focus on their core missions, without the encumbrance of managing their own electrical generating plant.

Similarly, software, hardware, and data may be provided as a central utility, supplying customers at low cost. This would liberate individuals and corporations to focus on their core missions, rather than maintaining an information technology department, dealing with security, applying updates and patches, managing a ‘help desk’, etc.

With our nation’s cyber landscape destined to change, and cyber terrorism evolving its target of attack, we must channel our thoughts and actions toward the future of both cyber terrorism and technology; we must understand their convergence, and we must address the security requirements of that future.

Regardless of whether cyber terrorism is a misnomer, a serious threat to life, safety, and our critical infrastructures, or just an annoyance, we need to be ever vigilant and forward-thinking to meet future challenges regarding cyber security.

Source: Info-Security Magazine

Panama Papers – 5 Important Lessons You Must Know

22 Apr 2016

The uproar in early April over the Panama Papers, in which 2.6 TB of data from the law firm Mossack Fonseca was hacked and leaked, is still making headlines. It is the largest breach in the history of information technology so far, dwarfing the Luxembourg tax documents (4.4 GB), the HSBC documents (3.3 GB) and WikiLeaks (1.7 GB).

One by one, well-known individuals were exposed, such as King Salman, the ruler of Saudi Arabia, the Prime Minister of Iceland Sigmundur Davíð Gunnlaugsson (who has since resigned) and Lionel Messi, the famous Barcelona footballer from Argentina.

Several prominent Malaysians were not spared either, such as Kamaluddin Abdullah (son of former Prime Minister Tun Abdullah Ahmad Badawi), Mirzan Mahathir (son of former Prime Minister Tun Mahathir Mohamad) and Mohamad Nazifuddin (son of the Prime Minister of Malaysia, Datuk Seri Mohamad Najib).

The fallout from this exposure has had a major impact on the reputations of the individuals involved, and has eroded trust in any company ever tainted by an issue like this.

Accordingly, every individual and company must learn from what happened in the Panama Papers case.

The 5 lessons we can take from it are:

  1. No industry or business is safe
    This issue should be a wake-up call to any company or organisation that does not practise a high standard of information security procedures. The systems and infrastructure at the law firm Mossack Fonseca were outdated and not updated in any organised way. Every business must also know where its information and databases are located, whether on premises or off premises.

  2. Insider betrayal is serious
    Early on, when the issue first broke, Mossack Fonseca announced that its email server had been breached, and speculation grew that the information had been leaked by an insider or by its own employees.

    Not every organisation is exposed to the same types of threat, but all share the same weakness: people, whether staff, contractors, permanent or temporary workers and the like. Whether an attack originates from inside or outside, the outcome is the same and the impact is large. But what if someone is dissatisfied with our organisation, such as a former business partner or employee? Managing threats from outside is easier because the dividing line is clear and action is easier to take, whereas threats from inside are difficult to identify and protect against.

    Insiders such as staff and contractors have been granted trusted access to systems and applications within the organisation's network (the corporate network). It is important for the IT unit to ensure that everyone performs their work within the scope that has been set, to prevent malicious intent from any interested party.

    That way, the organisation's security staff can focus on identifying and addressing insider threats.

    Every organisation should take basic security management steps, for example controlling who has access to the company's systems or databases.

    Nevertheless, Mossack Fonseca has stressed that the incident was not caused by an insider, while still having no answer as to who was behind it.

  3. Every sign, however small, matters
    If a large amount of data is taken from your company, you should notice. It is worse to be attacked and not realise it at all for a long period, and worse still not to know what further action to take to handle the situation. Unfortunately, not many organisations are prepared to face cyber threats like this or are able to detect an intrusion.

    Often, the IT unit only monitors network traffic, without looking at the wider security of the infrastructure.

  4. Information security is no laughing matter
    Enforcement of laws protecting user data still has large room for improvement, and organisations must treat company information as a high priority. Weak information security practices put any organisation at risk of attacks in which information is stolen or destroyed.

  5. Being responsive reduces the impact of an attack
    Every organisation must be able to manage a database breach as quickly as possible. Failing to choose the right people to manage the situation, and to respond clearly and in an orderly way to all stakeholders, is an organisation's biggest failure. Breach management is a complex process. A company's people must have a comprehensive cyber security training programme, including an incident response plan that guides everyone involved through a difficult situation like this.

    In this plan, the role of each team is clearly laid out, including team management, individual roles and the responsibilities of the team handling the breach, so that it can act quickly and accurately towards customers while reducing the impact of the hack.
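Lesson 3 above turns on noticing an unusual volume of data leaving the network, which plain traffic monitoring rarely surfaces on its own. As an added example (not part of the original article, and not a description of Mossack Fonseca's environment), the Python below sums each internal host's outbound bytes per day and flags a day that exceeds several times that host's own median. The flow records, the internal address ranges and the thresholds are constructed assumptions.

```python
"""Flag internal hosts whose daily outbound volume jumps far above their own baseline.

Added example. The flow records below are constructed for illustration; the field
layout ("date src dst bytes"), the internal ranges and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed internal address space; anything outside it counts as "egress".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: one summarised flow per line, "date src dst bytes_out".
# 10.0.5.21 moves ~100 MB/day, then 2.6 GB on 2016-03-05; 10.0.5.22 is steady.
SAMPLE_FLOWS = """\
2016-03-01 10.0.5.21 203.0.113.10 90000000
2016-03-01 10.0.5.21 198.51.100.7 20000000
2016-03-01 10.0.5.22 203.0.113.10 50000000
2016-03-02 10.0.5.21 203.0.113.10 110000000
2016-03-02 10.0.5.22 203.0.113.10 55000000
2016-03-03 10.0.5.21 203.0.113.10 95000000
2016-03-03 10.0.5.21 10.0.9.9 900000000
2016-03-03 10.0.5.22 203.0.113.10 48000000
2016-03-04 10.0.5.21 203.0.113.10 105000000
2016-03-04 10.0.5.22 203.0.113.10 52000000
2016-03-05 10.0.5.21 198.51.100.7 2600000000
2016-03-05 10.0.5.22 203.0.113.10 51000000
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_egress(lines):
    """Sum outbound bytes per host per day, counting only flows that leave the perimeter."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        date, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[src][date] += int(nbytes)
    return totals


def flag_egress_spikes(lines, factor=5.0, min_history=3, floor_bytes=500_000_000):
    """Flag a host/day whose egress exceeds `factor` x that host's median of earlier days.

    `min_history` avoids alerting before a baseline exists; `floor_bytes` stops a tiny
    host that goes from 1 MB to 5 MB from paging anyone. Both are assumptions to tune.
    """
    alerts = []
    for host, by_date in daily_egress(lines).items():
        dates = sorted(by_date)
        for i, day in enumerate(dates):
            history = [by_date[d] for d in dates[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            today = by_date[day]
            if today >= floor_bytes and today > factor * baseline:
                alerts.append({"host": host, "date": day,
                               "bytes": today, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for a in flag_egress_spikes(SAMPLE_FLOWS.splitlines()):
        print(f"{a['date']} {a['host']}: {a['bytes']:,} bytes out "
              f"(baseline {a['baseline']:,.0f})")
```

Per-host baselines matter because a file server and a receptionist's PC have nothing in common, and the internal-to-internal transfer on 2016-03-03 is deliberately ignored so that ordinary backups do not trip the rule. A slow leak spread thinly over weeks would need a longer aggregation window than a day to stand out.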

Prepared by: Azril Hanafi, Definite Security
Source:

Hacking Team Hacked, Explained!

19 Apr 2016

Back in July of last year, the controversial government spying and hacking tool seller Hacking Team was hacked itself by an outside attacker. The breach made headlines worldwide, but no one knew much about the perpetrator or how he did it.

That mystery has finally been revealed.

After eight months of almost complete silence, the pseudonymous digital vigilante behind the hack has resurfaced, publishing a detailed explanation of how he broke into the company’s systems and laid bare its most closely guarded secrets.

The write-up breaks down not only how the hacker, who calls himself Phineas Fisher, sneaked into Hacking Team’s network and quietly exfiltrated more than 400 gigabytes of data, but also serves as a manifesto of his political ideals and the motives behind the hack.

“And that's all it takes to take down a company and stop its abuses against human rights,” the hacker proclaimed at the end of his guide, which Motherboard has seen in advance. “That’s the beauty and asymmetry of hacking: with just 100 hours of work, one person can undo years of a multimillion dollar company’s work. Hacking gives the underdog a chance to fight and win.“


Phineas Fisher argued that leaking documents to show corruption and abuse of power is real “ethical hacking,” as opposed to doing consulting work for companies who are often the ones that actually deserve to be hacked.

Hacking Team is an Italian company that sells spyware and hacking services to police and intelligence agencies around the world. Over the years, researchers have documented several cases where Hacking Team’s tools were used against journalists, dissidents, or activists.

“I see [Hacking Team’s CEO David] Vincenzetti, his company, and his friends in the police, military and governments, as part of a long tradition of Italian fascists,” Phineas Fisher continued, writing in Spanish. (Vincenzetti often signs his emails with the fascist motto “Boia chi molla“)

Last year, the hacker, who’s been only known as Phineas Fisher, though his Twitter account’s handle is now “Hack Back,” broke into the corporate servers of Hacking Team, going seemingly unnoticed for weeks.

In early July of 2015, the hacker culminated his intrusion by leaking online a massive treasure trove of files containing thousands of internal documents, emails, and even the source code of the company’s hacking tools—in other words, Phineas Fisher took everything there was to take, laying bare all the company’s secrets, including its once closely-held list of customers.

On the night the hacker published the data, he revealed himself to be the same person who in 2014 breached Gamma International, a Hacking Team competitor that sells spyware called FinFisher. For months, however, one big question remained unanswered: how did the hacker manage to embarrass and completely own a company whose whole business model depended on hacking other people?

At the time, the hacker promised he’d soon tell the world. He just wanted to wait a little time, he said on Twitter, until Hacking Team “had some time to fail at figuring out what happened and go out of business.”


More than eight months later, Hacking Team is still in business. That’s why Phineas Fisher decided to come out with the blow-by-blow account of what happened, “so we can laugh them off the internet for good,” he tweeted.

In his guide, published on Friday, the hacker explained how he used an unknown vulnerability, or zero day, to get the first foothold into Hacking Team’s internal network. Given that the bug has still not been patched, however, Phineas Fisher didn’t provide any details on what the vulnerability is exactly, or where he found it. (The hacker also declined to comment for this story.)

After getting in, the hacker said he moved around carefully, first downloading emails, then gaining access to other servers and parts of the network. Having gained administrative privileges inside the company’s main Windows network, Phineas Fisher said he spied on the system administrators, particularly Christian Pozzi, given that they usually have access to the whole network. Having stolen Pozzi’s passwords by recording his keystrokes, the hacker said he accessed and exfiltrated all the company’s source code, which was hosted on a separate isolated network.

At that point, he reset Hacking Team’s Twitter password using the “forgot password” function, which succeeds as soon as an attacker can read the account’s recovery mailbox, and on the late evening of July 5, he announced the hack using the company’s own Twitter account.


The hacker said that he was inside Hacking Team’s network for six weeks, and that it took him roughly 100 hours of work to move around and get all the data. Judging from his words, it’s clear Phineas Fisher had a strong political motivation to attack Hacking Team.

“I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and all those who had their blood spilled by Italian fascists,” he added, referring to the bloody raid on the school in Genoa in 2001, where police stormed a building housing anti-G8 activists of the Genoa Social Forum, resulting in the arrest of 93 activists. The methods of the raid and subsequent detention were so controversial that 125 police officers were brought to trial, accused of beating and torturing the detainees.

The hacker also rejected being defined as a vigilante, and chose a more political definition.

“I would characterize myself as an anarchist revolutionary, not as a vigilante,“ he told me in an email. “Vigilantes act outside the system but intend to carry out the work of the police and judicial system, neither of which I'm a fan of. I'm clearly a criminal, it's unclear whether Hacking Team did anything illegal. If anyone, Hacking Team are the vigilantes, acting in the margins in pursuit of their love for authority and law and order.“

In the guide, Phineas Fisher encourages others to follow his example.

“Hacking is a powerful tool. Let’s learn and fight!” he wrote, quoting the anarcho-syndicalist labor union Confederación Nacional del Trabajo, or CNT. After Phineas Fisher hacked Gamma Group in 2014, the CNT said that it was clear technology was just another front in class warfare, and that it was time to “take a step forward” with “new forms of fighting.”

It’s impossible to verify whether all the details in the guide are true, given that neither Hacking Team nor the Italian authorities have disclosed anything related to the hack.

“Any comment should come from the Italian police authorities who have been investigating the attack on Hacking Team, so no comment from the company,” Hacking Team’s spokesperson Eric Rabe said in an email. The Italian prosecutor’s office could not be reached for comment.



It’s unclear how the investigation is going, but Phineas Fisher doesn’t seem too worried he’ll get caught. In another section of his guide, he described Hacking Team as a company that helped governments spy on activists, journalists, political opponents, and “very occasionally” criminals and terrorists. The hacker also referred to Hacking Team’s claims that it was developing tech to track criminals using the Tor network and on the dark web.

“But considering I’m still free,” he wrote snarkily, “I have doubts about its effectiveness.”

After sharing a contact email address, in case anyone wants to send “spear phishing attempts, death threats in Italian, or to gift him zero days or access inside banks, corporations or governments,” the hacker concludes with a call to arms.

“If not you, who?” He wrote. “If not now, when?”

This story has been updated to include Phineas Fisher's comment on the term “vigilante.“


Source: Motherboard

Ransomware attack hits MedStar Health, network offline

28 Mar 2016

MedStar Health, which calls itself the largest healthcare provider in Maryland and Washington, D.C., was forced to take its network offline on Monday after a suspected ransomware attack infected several systems.

According to a statement from MedStar, early Monday morning, their network was "affected by a virus" preventing certain users from logging-in to their systems.

MedStar operates 10 hospitals and more than 200 outpatient offices in the Maryland and Washington, D.C. area.


"MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and Cyber-security partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning. We have no evidence that information has been compromised. The organization has moved to back-up systems [and] paper transactions where necessary," the MedStar statement concluded.

The FBI is said to be looking into the incident.

Last week, the FBI asked the public for assistance in an industry Flash Advisory. The advisory asked victims of the MSIL/Samas ransomware family to contact the agency's CyWatch center if they believe they have been attacked or have additional information to share. This particular ransomware family spreads by exploiting unpatched JBoss application servers, and was first referenced by the FBI earlier this year.

It isn't clear if Samas is the malware that forced MedStar offline, but comments made by the medical group's staff point to a Ransomware infection.

Speaking on the condition that their name not be used, a hospital staffer relayed a story from another employee about a pop-up that appeared on a computer warning of infection and demanding payment.

Similar anonymous comments were given to the Washington Post by an employee who stated the pop-ups demanded a ransom in "some kind of internet currency."

Officially, MedStar has not confirmed a Ransomware infection, nor have they responded to comments seeking clarification. This story will be updated if they confirm or deny a Ransomware infection.

"Even though it has not been officially acknowledged by MedStar Health, chances are high that they had been infected by ransomware, the 2016 plague which seems to be targeting a lot of critical infrastructure like hospitals recently," commented David Melamed, Senior Research Engineer at CloudLock.

In the last few weeks, Ransomware has hit a number of medical organizations including the Hollywood Presbyterian Medical Center, the Chino Valley Medical Center, the Desert Valley Hospital, and Methodist Hospital in Henderson, Kentucky.

"Such targets are particularly vulnerable because they cannot afford to be paralyzed for a long time (either because their data has been encrypted or because they shut down the system to avoid spreading the infection) and prefer to pay the ransom," Melamed added.

In the case of Hollywood Presbyterian, the organization paid $17,000 in ransom in order to restore their systems.

Methodist Hospital refused to pay ransom and restored systems from backups. It isn't clear how the other two hospitals (owned by Prime Healthcare Services Inc.) recovered from their incidents.

For now, MedStar is using paper to process patients, and staff report that they're having trouble accessing patient records. Communication between staff is either face-to-face or via phone.

In addition to delays in record searches, it's also possible that appointments and surgeries will have to be delayed too, as will lab results, one medical professional told the Washington Post.

Source: CSO Online


Ontario hospital website may have infected visitors with ransomware

25 Mar 2016

The website of an Ontario hospital may have infected the computers of patients and staff with ransomware planted on the site during a hack attack, the internet security company Malwarebytes warns.

Norfolk General Hospital, located in Simcoe, Ont., confirms its website was hacked by cybercriminals, but denies that visitors were ever at risk.

The attack appears to be part of a trend of cybercriminals targeting hospitals, including one on the Ottawa Hospital in March and another in February that hit the Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom to have its systems restored. Three more U.S. hospitals were reportedly hit recently.

Jérôme Segura, a senior security researcher with Malwarebytes, reported in a blog post this week that in late February, Norfolk General Hospital's website was observed pushing ransomware called TeslaCrypt to computers that visited it.

TeslaCrypt encrypts your files, making them inaccessible, then demands a ransom of US$500 to restore access.

Drive-by download

The file was served in a "drive-by download" attack, Segura said, meaning you don't have to click on anything on the page.

"You just go to the site that's compromised, and within a few seconds, malware is downloaded onto your computer and that's it," he told CBC News.

In this case, visitors to the site would have included patients, their families and staff who accessed a staff portal with schedules and an internal directory via the website.

Visiting Windows computers would have been vulnerable if they were running Internet Explorer or older versions of the Adobe Flash or Microsoft Silverlight players.

Segura said hospitals are in many ways the "perfect victim" for cyberattacks. "Their systems are out of date, they have a lot of confidential information and patient files. If those get locked up, they can't just ignore it."

Segura said Malwarebytes detected an attack from the Norfolk General Hospital website via a user of Malwarebytes anti-exploit software. The free software detects and blocks web-based attacks, then sends a report back to Malwarebytes.

The attack caught Segura's eye because he's based in Canada and the attack came from a site with a .ca domain name.

Outdated software

He set up a virtual machine, used it to visit the hospital's website himself, and recorded the attack, confirming that it originated from malware on the website itself.

The site appeared to be running a badly outdated version of the Joomla content management system. Old Joomla releases carry many known security vulnerabilities, which cybercriminals had apparently exploited to plant malicious code in the website's own pages.
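A page serving a drive-by download rarely looks any different to a visitor: the injected code is typically a zero-size or hidden iframe, an obfuscated inline script, or a redirect to an exploit-kit host. As an added example, not part of the CBC article and not Malwarebytes' tooling, the Python below uses only the standard library to scan a page's HTML for those patterns. The hospital host names in the allowlist, the sample HTML and the heuristics are constructed assumptions to adapt per site.

```python
"""Scan HTML for the kinds of injected content a compromised CMS typically serves.

Added example. The sample page, the trusted-host allowlist and the heuristics are
constructed assumptions; run it against a fetched copy of your own site's pages.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (assumed).
TRUSTED_HOSTS = {"www.example-hospital.ca", "cdn.example-hospital.ca"}

# Constructed page: legitimate script tags plus two injected elements.
SAMPLE_HTML = """<html><head>
<title>Constructed hospital page</title>
<script src="https://cdn.example-hospital.ca/site.js"></script>
</head><body>
<p>Visiting hours are 10am to 8pm.</p>
<iframe src="http://203.0.113.45/land.php" width="0" height="0" style="display:none"></iframe>
<script>var s=unescape("%3c%73");eval(String.fromCharCode(100,111));</script>
<script src="https://cdn.example-hospital.ca/menu.js"></script>
</body></html>"""

OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")


class InjectionScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script, self._script_buf = True, []
            if a.get("src"):
                self._check_external(a["src"], "script src")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m:
                self._check_external(m.group(1), "meta refresh redirect")

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            hits = [kw for kw in OBFUSCATION_MARKERS if kw in body]
            # One marker alone is common in legitimate code; two or more together is not.
            if len(hits) >= 2:
                self.findings.append(f"obfuscated inline script ({', '.join(hits)})")

    @staticmethod
    def _host(url):
        return (urlparse(url).hostname or "").lower()

    def _check_external(self, url, what):
        host = self._host(url)
        if host and host not in self.trusted:
            self.findings.append(f"{what} to untrusted host {host}")

    def _check_iframe(self, a):
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or "left:-" in style or "top:-" in style)
        host = self._host(a.get("src") or "")
        if tiny or hidden:
            self.findings.append(f"hidden iframe to {host or 'same origin'}")
        elif host and host not in self.trusted:
            self.findings.append(f"iframe to untrusted host {host}")


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of human-readable findings, empty when nothing looks injected."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("SUSPICIOUS:", finding)
```

The allowlist is what makes the script-source check useful: a compromised site usually pulls its payload from a host the owner has never heard of, so a short list of known CDN and first-party hosts turns "external script" into a meaningful signal. Run it on a copy of each page fetched from outside the network, since some injections are only served to visitors who arrive with a browser-like request.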


Segura contacted the hospital with his findings multiple times, but didn't hear back for two weeks.

During that time, he said, "a lot more people may have visited the site."

He also thinks the site may have been serving malware for some time before Malwarebytes detected it. Simcoe, Ont., has a population of just 14,777, so the chance of a Malwarebytes software user visiting the site is relatively small.

Dennis Saunders, the IT lead and systems administrator for the Norfolk General Hospital, said he didn't get back to Segura initially because Segura's first email sounded like a sales pitch, and his web hosting company, Kwic Internet, thought the second email was a phishing attempt by cybercriminals.

Saunders said the hospital first got a report of ransomware on a hospital computer on Feb. 22, four days before Segura's first attempt to contact the hospital.

Security breach

Saunders asked Kwic Internet to have a look. It confirmed that there had been a "security breach" and replaced some files that appeared to have been compromised, he said.

Saunders requested more details after hearing from Segura, and was told the hospital website had been redirecting visitors to other sites that host malware, but there was nothing on the hospital's website itself.

Jim Carroll, business developer for Kwic Internet, told CBC News that his company does nothing but host the site.

"It's usually the website developer that would deal with issues of security," he said.

Saunders said the hospital's web software has now been updated by a web developer not affiliated with the hospital or Kwic Internet.

In the end, three hospital computers were infected with ransomware, but the hospital doesn't believe its own website was the source. The infected computers were restored from backups and no ransom was paid.

Saunders added that staff and the public were not notified about the situation because "it was addressed quickly, so there wasn't a concern for staff."

Segura confirmed that as of this week, the hospital site appears to be clean of malware, but both his own research and independent sites such as Sucuri sitecheck confirmed that the website was still using an old and vulnerable version of Joomla. In fact, he said, the Joomla version that the site is running is even older than the previous version, suggesting that the problem had been fixed by rolling the site back to an earlier version.

"If they don't update it quickly, it will happen again," he said, adding that leaving the website in an outdated state is "just very irresponsible."

How to protect yourself

Segura recommends that organizations protect themselves from similar attacks by:

  • Keeping their website software up to date to minimize security holes that could be exploited.

  • Minimizing the number of people with administrative privileges, as it's particularly damaging if their account info is stolen.

  • Using strong passwords.

Meanwhile, users can protect themselves by:

  • Using an up-to-date browser. Note that most versions of Internet Explorer are no longer even supported by Microsoft.

  • Uninstalling software you're not using (such as Flash and Silverlight), as it may be used in an attack.

  • Installing security software such as anti-exploit software that detects and blocks suspicious behavior from websites.

Source: CBC News