Did the exploitation of a known Citrix ADC vulnerability cause the death of a hospital patient?
May 3, 2021

Last year, we posted an article alerting people to a Citrix ADC vulnerability, that if exploited could allow an unauthenticated attacker to perform arbitrary code execution. In other words, your system could be hacked.

Sadly, a 78-year-old woman may have died as a consequence of a ransomware attack that took advantage of the self-same vulnerability (CVE-2019-19781).

The patient in question was en route to the University Hospital of Düsseldorf (UKD) when hackers disabled its IT systems. As a result she had to be transferred to another hospital some 35 km away.

In an AP News article published a few weeks after the tragic incident occurred, Germany’s senior public prosecutor was quoted as saying that she may have died due to the delay in emergency care.

Cybersecurity experts were immediately drafted in order to determine if there is a definitive link between the ransomware attack and the patient’s death, with the hospital also expected to be investigated.

Some reports suggest that the attack was misdirected and was originally intended for the nearby Heinrich Heine University. After law enforcement contacted the hackers and informed them that they had encrypted a hospital by mistake, the people behind the attack withdrew their ransom demand and provided the decryption key.

This in no way exonerates the actions of the criminal perpetrators and prosecutors have officially launched a negligent homicide case, stating that the hackers could be held responsible for the death.

Although there has been a huge rise in ransomware attacks during the global lockdown, this disturbing incident marks the very first recorded casualty of unscrupulous hackers targeting critical healthcare IT infrastructure.

It also highlights the extreme consequences that can occur if organisations fail to maintain the highest level of vigilance when it comes to safeguarding the security of their IT systems.

Failure to patch vulnerabilities opens a gateway to ransomware attacks.

Despite ransomware gangs stating early on in the pandemic that they wouldn’t deliberately target medical facilities, a series of attacks resulted in Interpol issuing warnings to all hospitals about the dangers of ransomware.

The fact is that failing to address vulnerabilities and weak credentials have provided threat actors with the opportunity to access the internal networks of many thousands of organisations across the world.

Cybersecurity agencies have become increasingly aware of incidents where Citrix systems were compromised before the security updates were made available and installed.

As a result, hackers still have access to many organisations’ systems and networks even after the security gap has been filled, leading to attacks many months after the vulnerability was first identified.

How to ensure your system hasn’t been compromised by the Citrix CVE-2019-19781 vulnerability.

To help identify compromised systems associated with CVE-2019-19781, FireEye and Citrix worked closely together to release a tool that searches for indicators of compromise (IoC) associated with attacker activity. (This tool is freely accessible in both the Citrix and FireEyeGitHub repositories.)

The free tool will allow you to run it locally on your Citrix instances and receive a rapid assessment of any potential indications of compromise in the system based on known attacks and exploits.

In addition to applying the previously released mitigation steps and installing the permanent updates, Citrix and Firefox strongly recommend that all Citrix customers run this tool immediately. This will increase your overall level of awareness of potential compromise and help you to take the appropriate steps to protect your organisation.

Note: If you do detect any suspected exploitation, you should report it to the NCSC via the website.

Worried about the security of your organisation’s IT systems? Don’t worry, help is at hand.  

If for any reason you are concerned about the implications of this Citrix vulnerability, or the wider implications of security breaches that could leave your organisation at the mercy of hackers, don’t hesitate to contact us.

For immediate help and advice contact Peter Grayson by calling 0161 537 4980 or sending an email to peter.grayson@quadris.co.uk

More Articles