
Enable 2FA as time-traveling hackers strike.

Update, March 30, 2025: This story, originally published March 29, has been updated with further Medusa mitigation advice from the FBI as well as additional comment from Boris Cipot.

There have been plenty of headlines generated by the recent Medusa ransomware attacks that have run riot, provoking the Federal Bureau of Investigation into issuing a critical security advisory, and adding to the massive surge in ransomware during the first quarter of 2025.
One that I didn’t see coming, let alone think I would be writing myself, was a warning about time-traveling hackers on the back of the FBI warning. But here we are. Let’s start with a quick recap of the Medusa ransomware attacks at the heart of this story.
Medusa, which is known to have impacted at least 300 critical infrastructure targets, uses social engineering and unpatched software vulnerabilities as part of its exploit campaign. As we are about to discover, that’s not all it uses. For the FBI outline of the tactics, techniques and procedures, indicators of compromise, and detection methods associated with the Medusa attacks, refer to FBI cybersecurity advisory AA25-071A.
Quite a lot of technical information regarding the Medusa malware has come to light since that FBI alert was raised, including the methods used to disable anti-malware protections, as I reported March 22. Now, that technical detail has taken an unexpected twist: time travel. Boris Cipot, a senior security engineer at Black Duck, told me how Medusa attackers are creatively abusing system misconfigurations in their efforts to bypass security controls.
“In this case,” Cipot said, “the issue lies with the date or the possibility to change it.” This time travel hacking technique is as simple as it is ingenious. The attackers in question have, Cipot explained, a security certificate that is used to sign a driver, but that certificate was valid back in 2012, not now.
Expired drivers from 13 years ago are of little use to anyone trying to infiltrate a system today unless, that is, you can act like Cher and turn back time. “The malware is effectively changing the system date to a time when the certificate,” Cipot continued, “which signed a certain driver, was still valid.” Because the system date has been changed and has effectively gone back in time, that expired driver is now seen as perfectly valid, accepted as such and loaded like any other.
To mitigate this kind of time travel hackery, Cipot said, “organizations need a combination of best-in-class endpoint protection, strict policy enforcement, and proactive monitoring.” The detection of system configuration changes is also essential, as it was the system time changes that proved central to the failure of security protections in the case of the Medusa attacks. “Additionally,” Cipot said, “Windows should be configured to enforce strict revocation checks for signed drivers, blocking the expired certificates.”
Cipot also warned that many Microsoft out-of-the-box security features are not active because they have been deliberately switched off, something most commonly done for convenience or to allow older software and drivers to run without concern. The problem is that attackers are far from stupid and already know this.
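The detection Cipot describes comes down to two signals: a system clock that jumps by years rather than seconds, and a driver load whose signing certificate is only valid if you believe the host's own clock. The script below is an added example written for this article, not code from the article, the FBI advisory or Black Duck. It scores a stream of constructed events loosely modelled on Windows Security event 4616 (system time changed) and Sysmon event 6 (driver loaded); the field names, the `trusted_time` stamped by the log collector, the sample paths and the thresholds `LARGE_JUMP` and `CORRELATION_WINDOW` are all this example's own assumptions.

```python
"""Detect the clock-rollback-then-driver-load pattern (added example, not
code from the article, the FBI advisory or Black Duck).

Event shapes are constructed for this example: they are loosely modelled on
Windows Security event 4616 (system time changed) and Sysmon event 6 (driver
loaded), but the field names are this example's own. Every event carries a
`trusted_time`, stamped by the log collector, alongside whatever the
(possibly tampered) host clock reported.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LARGE_JUMP = timedelta(days=1)              # assumption: NTP corrections are seconds, not years
CORRELATION_WINDOW = timedelta(minutes=30)  # assumption: a load this soon after a rollback is related


def ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form 2025-03-20T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def analyze(events: list[dict]) -> list[Finding]:
    """Flag large clock changes, and driver loads whose signing certificate is
    only inside its validity window when judged by the host's own clock."""
    findings: list[Finding] = []
    rollbacks: list[datetime] = []  # trusted times of large backward clock changes
    for ev in sorted(events, key=lambda e: ts(e["trusted_time"])):
        trusted = ts(ev["trusted_time"])
        if ev["id"] == 4616:
            delta = ts(ev["new_time"]) - ts(ev["previous_time"])
            if abs(delta) > LARGE_JUMP:
                backward = delta < timedelta(0)
                if backward:
                    rollbacks.append(trusted)
                findings.append(Finding(
                    "medium", "large-clock-change",
                    f"{ev['process']} moved the clock {'backward' if backward else 'forward'} "
                    f"by {abs(delta).days} days ({ev['previous_time']} -> {ev['new_time']})"))
        elif ev["id"] == 6 and ev.get("signed"):
            not_before, not_after = ts(ev["cert_not_before"]), ts(ev["cert_not_after"])
            valid_now = not_before <= trusted <= not_after             # judged by trusted time
            valid_by_host = not_before <= ts(ev["host_time"]) <= not_after
            if not valid_by_host and not valid_now:
                continue  # plainly expired either way; a revocation/expiry policy would block it
            if not valid_now and valid_by_host:
                # The certificate only looks valid because the host clock says so.
                related = any(trusted - r <= CORRELATION_WINDOW for r in rollbacks)
                findings.append(Finding(
                    "high" if related else "medium", "expired-cert-driver-load",
                    f"{ev['image']} loaded with a certificate valid {ev['cert_not_before']} to "
                    f"{ev['cert_not_after']} while the host clock read {ev['host_time']}"))
    return findings


# Constructed sample telemetry (not real logs); paths are placeholders.
SAMPLE_EVENTS = [
    {"id": 4616, "trusted_time": "2025-03-20T10:00:00Z",
     "previous_time": "2025-03-20T10:00:00Z", "new_time": "2012-06-01T09:00:00Z",
     "process": r"C:\Users\Public\unknown_tool.exe"},
    {"id": 6, "trusted_time": "2025-03-20T10:00:07Z", "host_time": "2012-06-01T09:00:07Z",
     "image": r"C:\Windows\Temp\sample_driver.sys", "signed": True,
     "cert_not_before": "2011-01-01T00:00:00Z", "cert_not_after": "2013-01-01T00:00:00Z"},
    {"id": 6, "trusted_time": "2025-03-20T10:05:00Z", "host_time": "2012-06-01T09:05:00Z",
     "image": r"C:\Windows\System32\drivers\benign.sys", "signed": True,
     "cert_not_before": "2024-01-01T00:00:00Z", "cert_not_after": "2027-01-01T00:00:00Z"},
    {"id": 4616, "trusted_time": "2025-03-20T10:10:00Z",   # ordinary 2-second NTP correction
     "previous_time": "2025-03-20T10:09:58Z", "new_time": "2025-03-20T10:10:00Z",
     "process": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Two design points matter here. Validity is judged against the collector's clock, never the host's, so a rolled-back host cannot vouch for its own certificates; and a driver load that is invalid under both clocks is skipped because an expiry or revocation policy, as Cipot recommends, should already be blocking it, leaving the detector to concentrate on the case where only the rollback makes the load look legitimate.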
“If the software is blocked because it is old, and the certificates with which it has been signed have expired,” Cipot said, “then this software cannot run on a production system.” Cipot told me that he highly recommends users do not switch the security features off, and furthermore don’t avoid patching just to keep old vulnerable software running. “In the end,” Cipot concluded, “the risk potential simply is not worth it.”
Meanwhile, the FBI has stated that two-factor authentication should be enabled for all services where possible, but in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems. The FBI has also advised users to employ long passwords on all accounts that require them and recommended that administrators refrain from imposing a requirement for frequent password changes, as these can do more harm than good. The FBI said all operating systems must be kept up to date, alongside software and firmware updates.
Patching should be prioritized for internet-facing systems with known vulnerabilities. Further Medusa mitigation advice from the FBI included:

- The identification, detection, and investigation of any abnormal activity that could indicate the ransomware traversing the network.
- The monitoring of systems for unauthorized scanning and access attempts.
- Filtering of network traffic to prevent unknown or untrusted actors from accessing remote services on internal systems.
- The auditing of all user accounts that have administrative privileges, and configuring all access controls according to the principle of least privilege.
- And, finally, the disabling of command-line and scripting activities and permissions, along with all unused ports.
My advice? Listen to both the FBI and Boris, as they know what they are talking about. Ooh, and don’t wait for Medusa to strike: act today, or your systems could get attacked by hackers from 2012.