FBI Warns—Use 2FA As Time Traveling Hackers Strike

What if hackers could time travel? That’s the eyebrow-raising reality of this latest attack, and the FBI wants you to act today.

There have been plenty of headlines generated by the recent Medusa ransomware attacks that have run riot, provoking the Federal Bureau of Investigation into issuing a critical security advisory, and adding to the massive surge in ransomware during the first quarter of 2025. One that I didn’t see coming, let alone think I would be writing myself, was a warning about time-traveling hackers on the back of the FBI warning.

But here we are. Let’s start with a quick recap of the Medusa ransomware attacks at the heart of this story. Medusa, which is known to have impacted at least 300 critical infrastructure targets, uses social engineering and unpatched software vulnerabilities as part of the exploit campaign.



As we are about to discover, that’s not all it uses. For the FBI outline of tactics, techniques and procedures, indicators of compromise, and detection methods associated with the Medusa attacks, refer to FBI cybersecurity advisory AA25-071A. Quite a lot of technical information regarding the Medusa malware has come to light since that FBI alert was raised, however, including methods used to disable anti-malware protections as I reported March 22.

Now, that technical detail has taken an unexpected twist: time travel. Boris Cipot, a senior security engineer at Black Duck, told me how Medusa attackers are creatively abusing system misconfigurations in their efforts to bypass security controls. “In this case,” Cipot said, “the issue lies with the date or the possibility to change it.”

This time travel hacking technique is as simple as it is ingenious. The attackers in question have, Cipot explained, a security certificate that is used to sign a driver, but that certificate was valid back in 2012, not now. Expired drivers from 13 years ago are of little use to anyone trying to infiltrate a system today, unless, that is, you can act like Cher and turn back time.

“The malware is effectively changing the system date to a time when the certificate,” Cipot continued, “which signed a certain driver, was still valid.” Because the system date has been changed and has effectively gone back in time, that expired driver is now seen as being perfectly valid, accepted as such and loaded like any other. To mitigate this kind of time travel hackery, Cipot said, “organizations need a combination of best-in-class endpoint protection, strict policy enforcement, and proactive monitoring.”

The detection of system configuration changes is also essential, as it’s the system time changes that proved central to the failure of security protections in the case of the Medusa attacks. “Additionally,” Cipot concluded, “Windows should be configured to enforce strict revocation checks for signed drivers, blocking the expired certificates.” Meanwhile, the FBI has stated that two-factor authentication for all services should be enabled where possible, but in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems.
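To make the detection and revocation points concrete, here is an added example (not code from the article, from Black Duck or from the FBI advisory): a minimal Python check over constructed records modelled on Windows Security Event ID 4616, the event Windows logs when the system time is changed, plus a model of why a certificate validity test that trusts the local clock is fooled by a rollback while a revocation check is not. The event records, certificate serial, validity window and file paths are all invented for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records modelled on Windows Security Event ID 4616
# ("The system time was changed"); field names follow that event, all
# values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4616, "PreviousTime": "2025-03-24T09:00:00Z",
     "NewTime": "2025-03-24T09:00:02Z", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4624, "ProcessName": r"C:\Windows\System32\lsass.exe"},  # unrelated logon
    {"EventID": 4616, "PreviousTime": "2025-03-24T09:05:00Z",
     "NewTime": "2012-06-15T12:00:00Z", "ProcessName": r"C:\Users\Public\update.exe"},
]
# Hypothetical code-signing certificate whose validity window ended in 2012.
EXPIRED_DRIVER_CERT = {
    "serial": "CONSTRUCTED-SERIAL-0001",
    "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2012, 12, 31, tzinfo=timezone.utc),
}

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_time_rollback(events, threshold=timedelta(days=1)):
    """Return one alert per 4616 event that moved the clock back by more than threshold.
    Normal time-sync corrections are seconds; a jump back by years is the pattern at issue."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4616:
            continue
        rollback = parse_ts(ev["PreviousTime"]) - parse_ts(ev["NewTime"])
        if rollback > threshold:
            alerts.append({"process": ev["ProcessName"], "rollback_days": rollback.days})
    return alerts

def cert_accepted(cert, clock, revoked_serials=frozenset()):
    """Model of a validity check that trusts the local clock: the window test passes
    whenever `clock` falls inside not_before..not_after, so a clock rolled back to 2012
    makes the expired certificate look fine. Revocation does not depend on the clock."""
    if cert["serial"] in revoked_serials:
        return False
    return cert["not_before"] <= clock <= cert["not_after"]

if __name__ == "__main__":
    for alert in detect_time_rollback(SAMPLE_EVENTS):
        print(f"ALERT: {alert['process']} set the clock back {alert['rollback_days']} days")
    rolled_back = parse_ts(SAMPLE_EVENTS[2]["NewTime"])
    print("accepted after rollback:", cert_accepted(EXPIRED_DRIVER_CERT, rolled_back))
    print("accepted with revocation:",
          cert_accepted(EXPIRED_DRIVER_CERT, rolled_back, {EXPIRED_DRIVER_CERT["serial"]}))
```

In a real deployment the same rollback rule would run over 4616 events collected centrally, so that an endpoint whose clock has been turned back cannot also hide the alert by altering its own logs.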

My advice? Listen to both the FBI and Boris, as they know what they are talking about. Ooh, and don’t wait for Medusa to strike, act today, or your systems could get attacked by hackers from 2012.