[Archived] NHS Ransomware attacks - Multiple hospitals now trying to operate with zero IT facility



I don't talk about my day job on here as 99.9% of the world find IT security monumentally tedious (if only it were all like Mr Robot), but UK hospitals are currently in the grip of a massive ransomware attack, with all IT facilities in multiple hospitals inoperable until a ransom is paid. It's reported that some A&Es are only accepting life-threatening cases.

The worst part is... the entire industry knew this day was coming, but getting funding to protect against hypothetical attacks is very hard.

Link to comment
Share on other sites

1 hour ago, Glenn said:

I don't talk about my day job on here as 99.9% of the world find IT security monumentally tedious (if only it were all like Mr Robot), but UK hospitals are currently in the grip of a massive ransomware attack, with all IT facilities in multiple hospitals inoperable until a ransom is paid. It's reported that some A&Es are only accepting life-threatening cases.

The worst part is... the entire industry knew this day was coming, but getting funding to protect against hypothetical attacks is very hard.

This is Government inaction at its worst.

Link to comment
Share on other sites

The East Lancashire Trust is one of those hit. I have friends working in Blackburn today and apparently it has been absolute chaos.

I'm honestly not surprised that it has happened though. I work in IT myself (public sector) and it is so far behind where it needs to be.

Link to comment
Share on other sites

It's not just the UK, it's now 74 countries at least.

Mixed reports within the InfoSec world. It's either the RDP exploit in the latest Shadow Brokers dump (really, a hospital has RDP open to the outside world!) or some specific third-party application that's common in hospitals.

 

 

Link to comment
Share on other sites

The screenshot I saw on Twitter was asking for bitcoins to the value of $800; if so, the hacker is more than likely some Russian or Chinese kid who has bought the ransomware on Tor and has no idea what data he's encrypted.

 

 

Link to comment
Share on other sites

Just now, Baz said:

The screenshot I saw on Twitter was asking for bitcoins to the value of $800; if so, the hacker is more than likely some Russian or Chinese kid who has bought the ransomware on Tor and has no idea what data he's encrypted.

 

 

Most likely. 

Link to comment
Share on other sites

I know nothing of this kind of stuff but was reading that this was a known weakness and Microsoft issued a patch to fix it weeks ago and basically orgs and people haven't.

Anyway, I got ransomwared (req bitcoin) last year and they destroyed my huge iTunes files, the b'stards. My computer busted about a month later. It was a Dell desktop I'd had since 2004-ish. I was running on Vista! Good times!!

Whatever happened to Lulzsec. Those cats were krazy

 

Link to comment
Share on other sites

If anyone wants tech info:

The ransomware part is a variant of WannaCry, a fairly common malware variant.
The infection method is the same as EternalBlue used in the Shadow Brokers dump a couple of weeks ago / https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
There is a worm portion to the payload, which explains the rapid propagation.
The worm spreads using SMB. Well done to all those admins who didn't segment their networks and allowed SMB everywhere inside the perimeter.
It seems from the initial infection points that the instigator is solely targeting European healthcare.
Telefonica and FedEx reportedly hit too; what's the betting they have peering with the NHS that's allowing SMB.
Current tally is 45,000 infections and growing.
Windows XP isn't vulnerable! The NHS' embarrassingly slow adoption of tech may actually help them here.
For the first time ever, we're confident NHS patient data is securely encrypted (too soon?)
 

Link to comment
Share on other sites
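The worm behaviour Glenn describes (one infected host sweeping the network over SMB) has a simple network-level signature: a single source opening TCP/445 to many distinct peers in a short window, which a user mounting a couple of file shares never does. The following is an added detection sketch, not code from the thread or from any NHS or vendor tooling. The log format (`timestamp src_ip dst_ip dst_port`), the sample lines and the threshold of 10 distinct peers per 60 seconds are all constructed for this example.

```python
"""Flag hosts showing worm-like SMB fan-out in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>", time-ordered.
SAMPLE_LOG = "\n".join(
    [
        "2017-05-12T10:00:00 10.0.1.5 10.0.1.10 445",       # user mounts home drive
        "2017-05-12T10:00:02 10.0.1.5 10.0.1.10 445",       # same share again
        "2017-05-12T10:00:03 10.0.1.5 93.184.216.34 443",   # web traffic, ignored
        "2017-05-12T10:00:05 10.0.1.7 10.0.1.10 445",       # two shares from one PC:
        "2017-05-12T10:00:06 10.0.1.7 10.0.1.9 445",        #   still benign
    ]
    # Worm-like: one source sweeping 15 distinct peers on 445 within 15 seconds.
    + [f"2017-05-12T10:01:{i:02d} 10.0.3.20 10.0.1.{11 + i} 445" for i in range(15)]
)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None


def smb_fanout_alerts(log_text, threshold=10, window_seconds=60):
    """Map each source that reached >= `threshold` distinct hosts on TCP/445
    within any `window_seconds` window to the peak distinct-peer count seen."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # src -> [(ts, dst), ...] still inside the window
    peak = defaultdict(int)     # src -> highest distinct-peer count observed
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue
        ts, src, dst, _ = rec
        events = recent[src]
        events.append((ts, dst))
        # Evict events older than the window (log is assumed time-ordered per source).
        while events and ts - events[0][0] > window:
            events.pop(0)
        distinct = len({d for _, d in events})
        if distinct > peak[src]:
            peak[src] = distinct
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB peers inside one window")
```

On the constructed sample only 10.0.3.20 trips the alert (15 distinct peers); the two ordinary users peak at 1 and 2. In a real estate the threshold and window need tuning against a baseline, and the source that trips it is a candidate for isolation rather than proof of infection on its own.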

FT reporting that the hackers used "super-charged NSA tools", some sort of US developed system, to carry out the attack. Means nothing to me but demonstrates why the internet is potentially very dangerous and why it needs to be more secure and better regulated. NHS also saying their system is old and vulnerable to attack - another example of lack of govt investment in the health service. Attack is spread around the world but UK has been particularly badly affected.

Link to comment
Share on other sites

42 minutes ago, jim mk2 said:

FT reporting that the hackers used "super-charged NSA tools", some sort of US developed system, to carry out the attack. Means nothing to me but demonstrates why the internet is potentially very dangerous and why it needs to be more secure and better regulated. NHS also saying their system is old and vulnerable to attack - another example of lack of govt investment in the health service. Attack is spread around the world but UK has been particularly badly affected.

Well to be fair, consecutive governments have pumped a LOT of money into various IT projects attempting to modernise and join them up.

Unfortunately, there are usually too many vested interests all wanting their own thing for their own interests within the sector itself, the government and the outsourced provider that costs spiral and nothing ever works the way it should. Then the project fails. 

It's not for want of trying.

People also slagging off the IT providers or the government for failing to patch the systems really need to understand how slow the whole process can be. I hear the patch came out only a month ago, no chance that would ever have been installed in time. Patching cycles at most places are only every quarter usually due to testing and change periods. Then actually getting access to the systems where most users don't want you to touch it as it's "working and they need it".

 

Link to comment
Share on other sites

42 minutes ago, jim mk2 said:

FT reporting that the hackers used "super-charged NSA tools", some sort of US developed system, to carry out the attack. Means nothing to me but demonstrates why the internet is potentially very dangerous and why it needs to be more secure and better regulated. NHS also saying their system is old and vulnerable to attack - another example of lack of govt investment in the health service. Attack is spread around the world but UK has been particularly badly affected.

You want to legislate against something you admit you have no understanding of? There is a place for people like you, but sadly that place seems to be the cabinet office.

What we have is an American spy agency developing a bunch of spying tools, for spying. You then have a bunch of state-sponsored Russian hackers who find these tools and at the behest of the Russian government leak them through a Russian propaganda machine hiding in the Ecuadorian embassy.

Thankfully the American spy agency, once they learned they'd been hacked, worked with the vendors whose software they had hacked to patch the holes before the accused rapist hiding in the embassy made them public.

Which part of that scenario is legislation going to fix?  

 

Link to comment
Share on other sites

Just now, Biddy said:

Well to be fair, consecutive governments have pumped a LOT of money into various IT projects attempting to modernise and join them up.

Unfortunately, there are usually too many vested interests all wanting their own thing for their own interests within the sector itself, the government and the outsourced provider that costs spiral and nothing ever works the way it should. Then the project fails. 

It's not for want of trying.

People also slagging off the IT providers or the government for failing to patch the systems really need to understand how slow the whole process can be. I hear the patch came out only a month ago, no chance that would ever have been installed in time. Patching cycles at most places are only every quarter usually due to testing and change periods. Then actually getting access to the systems where most users don't want you to touch it as it's "working and they need it".

Glenn's off hand comment about admins not segregating smb traffic is also a little strange as we are talking about normal file shares here, something every single company will do for share file stores or user home directories. I would doubt many companies would ever explicitly block smb traffic internally. Completely different if the idiots have left anything open to the internet though. 

Whilst I agree with your comments on patching (it's not right, but it's how it is), on SMB, well Shodan currently lists 2,327,795 hosts responding on 445. So that's a LOT of idiots :P

Seriously though, network segmentation is something not enough places put enough time and effort into. Yes, I agree SMB is a very useful local thing, but why should the patient records people have access to the same hosts the surgeons use, or radiology, or other NHS trusts. I appreciate data needs to flow between teams, but not over SMB and not between every bloody host. Hell, Windows Firewall is easy enough to configure so that the only place it can talk to is the server, no endpoint to endpoint; that alone would have slowed things down.

The thinking around perimeter firewalls and hard outer shells / soft chewy centre networks has been flawed for decades. In these days of IoT, BYOD and users that click on every damn thing they're emailed, you're always going to get infected in the soft chewy centre, rather than through the firewall. Segmentation, into the smallest segments you can manage, is the way to go.

 

Link to comment
Share on other sites
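Glenn's point that a host firewall allowing clients to reach only their own file server "would have slowed things down" can be made concrete by modelling the reachable set of an SMB worm under different policies. The following is an added illustration, not code from the thread: the three departments, their hosts and the three policies are constructed, and an edge src -> dst simply means the policy lets src open TCP/445 to dst. It generalises the post's flat-versus-segmented comparison by adding an intermediate per-department VLAN policy.

```python
"""How far an SMB worm spreads under different host-firewall policies (added example)."""
from collections import deque

# Constructed estate: department -> (file server, client PCs).
ESTATE = {
    "radiology": ("srv-rad", ["rad-pc1", "rad-pc2"]),
    "records":   ("srv-rec", ["rec-pc1", "rec-pc2", "rec-pc3"]),
    "theatre":   ("srv-thr", ["thr-pc1"]),
}


def all_hosts():
    hosts = []
    for server, clients in ESTATE.values():
        hosts.append(server)
        hosts.extend(clients)
    return hosts


def department_of(host):
    for dept, (server, clients) in ESTATE.items():
        if host == server or host in clients:
            return dept
    raise KeyError(host)


def flat_policy(src, dst):
    """Hard shell, soft centre: any host may reach 445 on any other host."""
    return src != dst


def department_policy(src, dst):
    """Per-department VLAN: 445 allowed only between hosts of the same department."""
    return src != dst and department_of(src) == department_of(dst)


def client_to_server_policy(src, dst):
    """Host firewall as Glenn describes: a client may only reach its own department's
    file server on 445; no client-to-client traffic; servers never initiate SMB."""
    for server, clients in ESTATE.values():
        if src in clients and dst == server:
            return True
    return False


def worm_reach(start, allowed):
    """Breadth-first spread: every host the policy lets an infected host reach on 445
    is assumed vulnerable (unpatched), so it becomes infected and spreads in turn."""
    hosts = all_hosts()
    infected = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst not in infected and allowed(src, dst):
                infected.add(dst)
                queue.append(dst)
    return infected


if __name__ == "__main__":
    for name, policy in [("flat", flat_policy),
                         ("department VLAN", department_policy),
                         ("client->server only", client_to_server_policy)]:
        hit = worm_reach("rad-pc1", policy)
        print(f"{name:20s} starting at rad-pc1: {len(hit)}/{len(all_hosts())} hosts -> {sorted(hit)}")
```

Starting from one radiology PC, the flat policy loses all nine hosts, the department VLAN loses the three radiology hosts, and the client-to-server policy loses only the PC and its file server. The last case still shows why backups matter: the policy contains the spread but the department's share server is reached on the first hop, so its data is exactly what gets encrypted.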

1 hour ago, Glenn said:

The bit coin wallet the ransoms are being paid into just hit  figures, so people ARE paying it seems.

There's no real other option. The encryption is virtually uncrackable without the key.

We got hit at work a little while ago, and got told to pay by the police and experts, or lose the data. There's a possibility after several months someone will break the code, but if you're a functioning business you probably cannot afford to wait.

The biggest problem the NHS may have is that even with the key, they will have files that don't decrypt - especially larger files. God knows how important some of that data will be. 

Some kid in Russia or China with a bulging bank account is probably scared stiff now.

 

 

 

Link to comment
Share on other sites

Just now, Baz said:

There's no real other option. The encryption is virtually uncrackable without the key.

We got hit at work a little while ago, and got told to pay, or lose the data. There's a possibility after several months someone will break the code, but if you're a functioning business you probably cannot afford to wait.

The biggest problem the NHS may have is that even with the key, they will have files that don't decrypt - especially larger files. God knows how important some of that data will be. 

Some kid in Russia or China with a bulging bank account is probably scared stiff now.

 

 

 

I agree, lives are at stake, it's the only sensible option.

The good news is, on Monday morning, there are going to be a lot of IT Managers stood in front of boards smugly saying "So, that £300k I asked for for a better backup solution, to allow us to recover from just this type of thing .... I assume you're going to authorise it now ?"

 

Link to comment
Share on other sites

Just now, Glenn said:

Whilst I agree with your comments on patching (it's not right, but it's how it is), on SMB, well Shodan currently lists 2,327,795 hosts responding on 445. So that's a LOT of idiots :P

Seriously though, network segmentation is something not enough places put enough time and effort into. Yes, I agree SMB is a very useful local thing, but why should the patient records people have access to the same hosts the surgeons use, or radiology, or other NHS trusts. I appreciate data needs to flow between teams, but not over SMB and not between every bloody host. Hell, Windows Firewall is easy enough to configure so that the only place it can talk to is the server, no endpoint to endpoint; that alone would have slowed things down.

The thinking around perimeter firewalls and hard outer shells / soft chewy centre networks has been flawed for decades. In these days of IoT, BYOD and users that click on every damn thing they're emailed, you're always going to get infected in the soft chewy centre, rather than through the firewall. Segmentation, into the smallest segments you can manage, is the way to go.

 

Do we know some of this is the case? The bit about the whole network being open? 

Personally I doubt patient records themselves are held on shares; they will be in some form of client/server database application. The issues are that Windows clients appear to have been taken over with that overbearing message, not necessarily that important data itself was encrypted. I guess that is why they are saying that patient records haven't been breached.

With regards to network segregation, you can go too far. At Egg, we won awards for network design as every single type of device had its own subnet which ran through firewalls. It was an absolute ball ache to work with and firewall rules became unmanageable (and slow). Firewall pushes would start to take minutes which sometimes could lead to outages. And Windows Firewall might be "easy" to manage, possibly on an individual basis or via group policies for departments, but you are talking about the NHS, hundreds of thousands of clients that need individually tweaking to allow certain devices to talk to another certain device. One small error and nothing talks and it takes weeks to diagnose.

Link to comment
Share on other sites

Just now, Glenn said:

I agree, lives are at stake, it's the only sensible option.

The good news is, on Monday morning, there are going to be a lot of IT Managers stood in front of boards smugly saying "So, that £300k I asked for for a better backup solution, to allow us to recover from just this type of thing .... I assume you're going to authorise it now ?"

 

Indeed, they *should* be able to recover. It may take time but I wouldn't pay. Should be able to reimage the PC and restore any affected network files.

With storage devices these days, I would expect most to run nightly snapshots so easy rollback.

Anyone who has production data not backed up and off device deserves all they get.

Link to comment
Share on other sites

Just now, Biddy said:

Do we know some of this is the case? The bit about the whole network being open? 

Personally I doubt patient records themselves are held on shares; they will be in some form of client/server database application. The issues are that Windows clients appear to have been taken over with that overbearing message, not necessarily that important data itself was encrypted. I guess that is why they are saying that patient records haven't been breached.

With regards to network segregation, you can go too far. At Egg, we won awards for network design as every single type of device had its own subnet which ran through firewalls. It was an absolute ball ache to work with and firewall rules became unmanageable (and slow). Firewall pushes would start to take minutes which sometimes could lead to outages. And Windows Firewall might be "easy" to manage, possibly on an individual basis or via group policies for departments, but you are talking about the NHS, hundreds of thousands of clients that need individually tweaking to allow certain devices to talk to another certain device. One small error and nothing talks and it takes weeks to diagnose.

Early reports point to 6 initial infections (not the usual mass-email campaign) originating in France, so yes, it is looking that interconnected (though perhaps my example of patient records was a bad one; I was just trying to think of different parts of a hospital that shouldn't be sharing data over SMB). Remember it only needs one Ops guy to have made life easy by mapping ALL the drives IT are responsible for, or one shell script writer to be iterating through all the shares to infect everything. It is looking like Telefonica getting infected is a large part of spreading through and beyond the NHS.

It sounds like Egg were ahead of the curve; 7 years ago it would have been an utter nightmare, these days modern devops tools make it much easier/faster/more reliable. That said, no, of course I don't expect the NHS to be on the cutting edge of devops, and I'm very aware uptime is their key concern, not security (which is why it's essential you get the design right).


 

Link to comment
Share on other sites

Just now, Biddy said:

Indeed, they *should* be able to recover. It may take time but I wouldn't pay. Should be able to reimage the PC and restore any affected network files.

With storage devices these days, I would expect most to run nightly snapshots so easy rollback.

Anyone who has production data not backed up and off device deserves all they get.

But how many places impose a "if it's important, keep it on a network share so it gets backed up" policy, only for users to ignore it until they get pwned and lose everything? I'm not saying it's right, but it IS common.

Link to comment
Share on other sites


Anybody who works in IT knows that big organisations in particular are way behind the curve when it comes to cyber security. The bloat of bigger companies makes IT infrastructure upgrades an absolute nightmare. Combine that with user reluctance to any form of change and a lack of funding for the right solutions and a disaster was bound to happen sooner rather than later. I'd be surprised if a major bank isn't hit badly in the next year or two.

I don't know where you even start with securing the NHS. It's not a project I'd want to be a part of.

Link to comment
Share on other sites
