German hospital infected with ransomware via Citrix vulnerability
The ransomware that hit the systems of the German hospital in Düsseldorf last week got in through the Citrix vulnerability discovered at the end of last year. The hospital claims to have installed the patch on the day it was published, in January.
According to the Bundesamt für Sicherheit in der Informationstechnik (BSI), there are more incidents in which Citrix systems had already been compromised before the security updates were installed in January 2020. The agency, part of the German Ministry of the Interior, does not say so in so many words, but implies that this was the case at the University Hospital Düsseldorf, which was hit by ransomware last week. As a result, a patient in a life-threatening condition had to be taken to another hospital, where she died. The German police are investigating the case and what influence the delay in treatment had.
When the Citrix vulnerability came to light in December last year, the hospital said it followed the instructions of the BSI and installed the patch on the day of its release. According to the BSI, the compromise may therefore have taken place before that time. As a result, attackers could still gain access to the system and networks even after the security vulnerability was fixed. “This opportunity is currently being increasingly exploited to launch attacks on affected organizations,” the security agency said.
The BSI advises users of Citrix Gateway, formerly NetScaler Gateway, and Citrix Application Delivery Controller to check their network infrastructure and systems for potential anomalies and adjust their security measures accordingly. The hospital in Düsseldorf reports that in the past year two specialized companies had been commissioned to check the system, but that this did not reveal any risks. In addition, an external penetration test was conducted in the summer of 2020, which also found nothing. It seems that the criminals behind the ransomware were targeting Heinrich Heine University in Düsseldorf and not the hospital.