A 2019 Citrix Security leak is the likely cause of the ransomware attack on the University Hospital of Düsseldorf earlier this month. Paramedics were forced to rush a patient to another hospital, delaying her treatment, which sadly resulted in her death. The hospital said it had patched the leak in January. Prosecutors in the German city of Cologne have launched an investigation.
Bungled Ransomware Attack Leads to Patient’s Death
On September 10, a ransomware attack hampered emergency services at the University Hospital of Düsseldorf (UKD). A female patient was scheduled to undergo critical care while the attack unfolded. Paramedics rushed her to another hospital 32 kilometers (20 miles) away. This delayed her treatment by approximately an hour. Sadly, the patient then passed away.
The ransomware attack crippled 30 of the hospital’s servers. Strangely, an extortion note left by the cybercriminals on one of the servers was addressed to Heinrich Heine University, also in Düsseldorf. The note demanded that the university get in touch. It did not list any further demands.
Local police eventually made contact with the attackers. They informed the perpetrators that they had attacked the university hospital, not the university, and endangered a patient’s life in the process. Once they realized their mistake, the cybercriminals immediately ceased the attack and provided a decryption key to unlock all servers.
A Leak in Citrix VPN Software the Likely Cause
German press reported that the attackers exploited a Citrix Security Leak. The critical vulnerability in Citrix VPN appliances, known as CVE-2019-19781, was discovered on 17 December 2019. Mid-January, Citrix released a patch. Around the same time, the German Cybersecurity Agency (BSI) also sent out a warning, including mitigation steps.
The University Hospital reported that they had installed the patch released by Citrix in January, on the day of its release. This presumably means that the hospital’s system had been infiltrated before the security update. This is a common occurrence, according to the BSI. It is indeed possible that intruders compromised the systems before January, and secretly kept the access, even after the security gap had been closed.
Last Wednesday, the US Department of Homeland Security released a security alert that mentioned CVE-2019-19781. The Cybersecurity and Infrastructure Security Agency (CISA) had observed threat actors attempting to discover vulnerable Citrix VPN Appliances. This enabled Beijing-based hackers to attack gaming and software companies. The same vulnerability was also exploited by the Iranian hacker group Pioneer Kitten.
Attack Treated as a Homicide
The attack is under investigation in Germany. Currently, the case is being treated as a homicide, as the attack may have resulted in a person’s death. Detectives have brought in cybersecurity experts to assist with the investigation. The German Cybersecurity Agency is on site at the hospital, helping them to rectify the failure and rebuild their systems.
A warning on UKD’s homepage, dated 14 September, said e-mails and some systems were still down. Telephones are working again, with the exception of a few branch offices. Patients with appointments are asked to contact the respective clinic or outpatient department via telephone. However, all emergency care is currently still canceled. The hospital expects to resume emergency care within the next week.
Early on during the pandemic, cybercriminals promised that they would not target hospitals. Nonetheless, reoccurring cyberattacks on hospitals prompted Interpol to issue a warning. “Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths”, Interpol said in April. If the Düsseldorf investigation establishes a connection, this could be one of the first deaths directly linked to a ransomware attack.