Jump to content

BRFCS

BY THE FANS, FOR THE FANS
SINCE 1996
Proudly partnered with TheTerraceStore.com

[Archived] NHS Ransomware attacks - Multiple hospitals now trying to operate with zero IT facility


Recommended Posts

  • Replies 81
  • Created
  • Last Reply
Just now, Glenn said:

Will respond to some of the posts, but in the mean time, people has just twigged this is about to get a whole lot WORSE.

Firstly, infections slowed because the worm portion had a kill switch preventing new infections that was triggered late yesterday afternoon, this explains the low infection rate in the US. However it's believed there are now three variants circulating with the kill switch removed!

Secondly. as Biddy points out, virtually all corporate firewalls will stop infection via a corporate network, but how many people currently have work laptops connected to their local coffee shop or other free wifi provider that are now being silently infected, only to connect that device to their corporate network (inside the firewall perimeter) on Monday morning!

 

Not in the NHS I hope?

Here's a story on the kill switch fella:-

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

Link to comment
Share on other sites

Just now, blueboy3333 said:

Not sure about that. All the 'experts' are saying it's unprotected XP that has caused this.

https://www.theguardian.com/society/live/2017/may/12/england-hospitals-cyber-attack-nhs-live-updates

 

Erm, it's a bit true and a bit not.

There are two parts to consider, the worm, which spreads the infection and the actual ransom malware that locks on the machine and demands payment.

The worm is spreading on all unpatched OSs prior to Win 10, as long as the network they are on supports the SMB v1 protocol AND they haven't been patched to prevent this attack.

Normally, these days there are only 2 reason for keeping SMB v1 enabled on the network, firstly you have machines running XP or Server 2003 (they don't support the newer SMB v2), the second is the people responsible for the network don't have the knowledge, understanding, time, resources, priority, budget, or freedom to make the necessary changes to turn SMB v1 off. So yes, XP is on of the reasons SMB v1 may be enabled, but it's not actually the cause (and interesting aside, the ransom part in the initial version of the malware won't run on XP, but I expect that to change in newer variants)

Additionally, Microsoft have muddied the water (in a good way) by releasing a patch for XP (which they officially no longer support) which stops the method of infection working, even on SMB v1. The same patch they released for newer versions of Windows in March.

However in 99% of cases, machine aren't getting infected because their was no patch available (i.e. XP), it's because the patch hadn't been applied (all other versions up Win 10) and there was no other mitigation in place.


 

Link to comment
Share on other sites

Just now, blueboy3333 said:

Nope, not just the NHS, it's now impacting anyone that has unpatched windows systems connected to networks allowing smb v1. 

I'd be a bit annoyed at the press if I was @MalwareTechBlog . He's a serious, highly skilled malware researcher, there was nothing "accidental" about it. He read the code, understood it, and realised that regsitering the right domain name would stop the spread. He then had the bright idea of hooking it up to a sinkhole, so not only did it stop new infections, it also provided data on the systems that were infected. "Accidental" is rather unfair.

 

Link to comment
Share on other sites

Just now, Glenn said:

Nope, not just the NHS, it's now impacting anyone that has unpatched windows systems connected to networks allowing smb v1. 

I'd be a bit annoyed at the press if I was @MalwareTechBlog . He's a serious, highly skilled malware researcher, there was nothing "accidental" about it. He read the code, understood it, and realised that regsitering the right domain name would stop the spread. He then had the bright idea of hooking it up to a sinkhole, so not only did it stop new infections, it also provided data on the systems that were infected. "Accidental" is rather unfair.

 

i5sWZGEr_normal.jpg MalwareTech @MalwareTechBlog

'I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental'

I think they only got the 'accidental' bit from what he tweeted

He's written a blog on it. It's in the Guardian 'live' thing you quoted earlier if you haven't read it.

Link to comment
Share on other sites

Yeah, I just read his blog and was heading back here to edit my post before anyone read it  :D

It still took some skill to find that domain, even if he didn't real the importance of it at first! 

Link to comment
Share on other sites

My son is due at Wrightington on Monday 09.00 for pre-op prior to his hip replacement on the 22nd. We've waited 18 months for this.

Barstewards

Link to comment
Share on other sites

Going off personal experience it doesn't surprise me at all that the NHS has been hit, most of the NHS IT staff I've come across are arrogant lazy swines living in some sort of cocoon of their own self importance.

Just last week I was informed that the NHS team on one particular site 'didn't have time to upgrade IE8', which is a major security risk, and if I was running that team I'd have sacked the IT manager on the spot.

 

 

Link to comment
Share on other sites

  • Backroom
1 hour ago, Gav said:

Going off personal experience it doesn't surprise me at all that the NHS has been hit, most of the NHS IT staff I've come across are arrogant lazy swines living in some sort of cocoon of their own self importance.

Just last week I was informed that the NHS team on one particular site 'didn't have time to upgrade IE8', which is a major security risk, and if I was running that team I'd have sacked the IT manager on the spot.

Unfortunately you'll find this in most big organisations, not just the NHS. It's easy for IT managers to get away with it, because the majority of other staff don't have a clue how systems work at a more complex level and therefore automatically trust whatever IT management say.  

The company I work for only upgraded from IE6 a short time ago. They claimed it was due to legacy programs using IE6 but the truth is they just didn't want the hassle of going through the preparation/rollout phase. It went without a hitch when we finally did it.

Link to comment
Share on other sites

Just now, DE. said:

Unfortunately you'll find this in most big organisations, not just the NHS. It's easy for IT managers to get away with it, because the majority of other staff don't have a clue how systems work at a more complex level and therefore automatically trust whatever IT management say.  

The company I work for only upgraded from IE6 a short time ago. They claimed it was due to legacy programs using IE6 but the truth is they just didn't want the hassle of going through the preparation/rollout phase. It went without a hitch when we finally did it.

I can understand it in the private sector, but not in the public.

Organisations such as the NHS have a duty of care which goes beyond patient care in the traditional sense of the word. Public money should ensure we have protection against cyber attacks, and not carrying out the basic IT maintenance such as upgrading IE8 and Windows XP, which are both unsupported and a major security risk, is incompetence of the highest order.

The NHS will blame lack of funding, I blame lack lazy IT depts, heads should roll.

 

Link to comment
Share on other sites

Part of the problem is not just the technical risk, but the fact that failed government IT projects are a favourite headliner maker in the Daily Mail. Few was to risk a "£1bn spent botched IT upgrade process, whilst patients die in corridors" when inaction can easily be explained as "too risky". It's not "right" but it's how it is.

Then you have stupid vendor-lockins. When you've just spent £10m on a piece of medical equipment, won by tender and signed off by by senior management, only to find it using outdated software with no upgrade process, requires a domain admin account and has to have every port opened to the internet ... because the vendor tells you it how it's designed to work and will pull your support if you try and remediate any of that.

Also, keep in mind the government stopped paying Microsoft for out-of-lifetime support on XP because the process of upgrading away from it was almost done (not that I think XP is the main problem here, I think the press have got the wrong end of the stick as I've seen zero proof that XP is any more to blame than unpatched Win 7/8)

Link to comment
Share on other sites

31 minutes ago, DE. said:

Unfortunately you'll find this in most big organisations, not just the NHS. It's easy for IT managers to get away with it, because the majority of other staff don't have a clue how systems work at a more complex level and therefore automatically trust whatever IT management say.  

The company I work for only upgraded from IE6 a short time ago. They claimed it was due to legacy programs using IE6 but the truth is they just didn't want the hassle of going through the preparation/rollout phase. It went without a hitch when we finally did it.

Ooh, I can beat that. I use a system that if you try and log on in anything other than IE Compatibility Mode, it says 'this website requires IE5 to be installed. Please upgrade your browser' FFS!! It's actually a really useful system, and it being so old makes it really easy and quick to use, but that line always makes me smile. 

I think part of the problem is the people who often decide on buying new software for whatever purpose have too little technical knowledge and don't involve any techies until it is too late, vendors put on the big sell and tell you what you need, rather than you telling them what you want and seeing if they can do it. Then you end up with a system that doesn't exactly do what you want it to do, and you've got to shoehorn things in to make it work at all because you've just paid for it. 

Link to comment
Share on other sites

45 minutes ago, cn174 said:

I think part of the problem is the people who often decide on buying new software for whatever purpose have too little technical knowledge and don't involve any techies until it is too late, vendors put on the big sell and tell you what you need, rather than you telling them what you want and seeing if they can do it. 

This, this a thousand times this. Management's question to the vendors is "what problem is this going to solve for me", never "... and what additional problems is it going to create for me".

 

Link to comment
Share on other sites

No excuse for NHS IT depts up and down the country to still be running IE8, its got nothing to do with cost, and everything to do with a 'can't be arsed' attitude that runs through the IT teams I've dealt with.

As always we have politicians trying to talk with great authority about something they know absolutely nothing about, Fallon was on Andrew Marr this morning and called XP "The windows Xp"

Now wonder Emily Thornberry told him he was talking b0llox soon after :lol:

Link to comment
Share on other sites

I'm playing devils advocate here (as I pretty much agree) but even something a simple and essential as a browser upgrade comes with significant risks and costs.

The time to check every bit of software in use works with the new browser, then finding the shadow-IT projects where people have started using software IT weren't aware of. The updating of process and policy docs that describe how to do things using the old browser, producing idiot proof documentation explaining how to cope now that thing they've clicked on for years has gone, the hit on your help desk because you underestimated the stupidity of users who are now calling up because 'you deleted their internet'. The renegotiating with the vendor who slipped a clause into the contract that would invalidate the support contract if you dared use a browser than wasn't the on you first tested against...... the list is endless 

There are many reasons I got out of IT management and back to being a pure techie, but that last paragraph covers quite a bit of it. I'm like you, to me it's a simple thing that needs fixing quickly and not being perpetually delayed because of the risk. But I do get why that attitude persists

Link to comment
Share on other sites

Just now, Glenn said:

I'm playing devils advocate here (as I pretty much agree) but even something a simple and essential as a browser upgrade comes with significant risks and costs.

The time to check every bit of software in use works with the new browser, then finding the shadow-IT projects where people have started using software IT weren't aware of. The updating of process and policy docs that describe how to do things using the old browser, producing idiot proof documentation explaining how to cope now that thing they've clicked on for years has gone, the hit on your help desk because you underestimated the stupidity of users who are now calling up because 'you deleted their internet'. The renegotiating with the vendor who slipped a clause into the contract that would invalidate the support contract if you dared use a browser than wasn't the on you first tested against...... the list is endless 

There are many reasons I got out of IT management and back to being a pure techie, but that last paragraph covers quite a bit of it. I'm like you, to me it's a simple thing that needs fixing quickly and not being perpetually delayed because of the risk. But I do get why that attitude persists

You've got more excuses than an NHS IT department :D

Everything you say above is correct of course, but come on, its been out of support for 18 months and everyone has had years to get ready for the change over. I was on a site recently that had Chrome, IE11 and firefox, the following day a different site with IE8 only and no ability to upgrade or pull down Chrome or firefox for a demo! each trust is different, no joined up approach/thinking whatsoever. 

 

 

Link to comment
Share on other sites

We all laugh, because as devastating as this was, it bears all the hallmarks of an utterly amateur attack. I'd hope a nation state could do much much better than this (hell, I could do much better).

I agree that it shares code very similar to the Sony hack (which I never believed was the North Koreans anyway), but it shared code from all over the place, that's one of its most defining features, it's a bunch of existing reused code, bolted together with no finesse 

Attribution for attacks is hard, but this is much more likely a kid in his bedroom who wrote something that worked far better than he ever expected, that a state sponsored attack.

 

Link to comment
Share on other sites

Just now, Glenn said:

We all laugh, because as devastating as this was, it bears all the hallmarks of an utterly amateur attack. I'd hope a nation state could do much much better than this (hell, I could do much better).

I agree that it shares code very similar to the Sony hack (which I never believed was the North Koreans anyway), but it shared code from all over the place, that's one of its most defining features, it's a bunch of existing reused code, bolted together with no finesse 

Attribution for attacks is hard, but this is much more likely a kid in his bedroom who wrote something that worked far better than he ever expected, that a state sponsored attack.

 

Yeah but if I was organising a state sponsored attack I'd want it to look like it was done by an amateur.

Link to comment
Share on other sites

10 hours ago, Tyrone Shoelaces said:

Yeah but if I was organising a state sponsored attack I'd want it to look like it was done by an amateur.

If you were doing it in a 'state' way you wouldn't include the kill switch - that's some old code that is probably there by error than design. My guess - someone did as described by Glenn, but then sold the code on TOR to several other users / or did it as a group of hackers - I just don't think a one man band has the capacity to hit as much as quickly as they did.

Yesterday 7 NHS trusts we work with had issues, today 3 still had. The clean up isn't as easy as people think, even if you have the encryption key you will have locked data. Your rollback position may be too far in the past (imagine a hospital with weekly backups on a Sunday that got hit Friday afternoon). That's a lot of critical data to lose. Yes in some ways if you haven't prepared enough you have to shoulder some blame, but on the other hand people only see the value after a thing like this.

Link to comment
Share on other sites

You also have a mirai botnet hammering the killswitch domain in an attempt to reactive the worm

We're in an age where your toaster and fridge are attempting to enable cyber weapons against MRI scanners to hold hospitals for ransom. Even reading all that William Gibson, Arthur C Clarke and Isaac Asimov as a kid didnt prepare me for this! 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Announcements

  • You can now add BlueSky, Mastodon and X accounts to your BRFCS Profile.



×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.