House Price Crash Forum

Archived

This topic is now archived and is closed to further replies.

reddog

NHS CyberAttack!

How could this happen to 'the world's greatest health service' (TM)?!

Hope no one is affected, but I was working for a major CONsultancy in 2004-2006 when they were implementing that NHS spine computer system.  They really got taken for a ride then by Accenture, CSC, BT etc.  

But to be fair there were so many people inside the organisation that didn't have a clue, so it is hardly surprising this has happened.


This was forecast in the films Die Hard 4 and Sneakers. The problem, though, is that it is malware, so it is infecting and causing damage all by itself rather than some villain.


Appears to be a ransomware attack. Multiple hospitals affected. Some directly, but others hit by knock on effects.

E.g. NHS England have shut down the N3 network, which is the network which connects hospitals and GPs together. This means any IT services not hosted locally are inaccessible, including cross site VOIP telephony, e-mail, cloud based medical records systems (e.g. GP systems), inter-hospital data links (e.g. medical record sharing, etc.).

The attack was noticed early this morning, at several hospitals in the NW, with main file servers being infected and having hard drives encrypted. Some hospitals had lost access to electronic records software, electronic prescribing, X-ray/CT scan images, appointments management, VOIP systems (presumably because the control server was compromised) and other systems. 

Work was disrupted for me because of the loss of network connectivity. Shared systems have become quite common as increasing amounts of telemedicine are done between specialist centres and general hospitals. In practice, it has proved cheaper and more effective to buy a single application as a regional consortium, than for each hospital to purchase their own copy of the application and try to tie them together with various types of middleware.

Some mixed information about the technical aspects at present, so not known for sure. Current favourite idea going around is that this is a brand new variant of ransomware software but which uses an existing, well known (and patched) vulnerability in windows servers, and that if systems had been up-to-date with critical security updates, this attack should not have got a foothold. We'll have to wait and see what the formal investigation shows.

Appears to be an opportunistic attack, as the ransom request is small ($300 in bitcoin).

27 minutes ago, Bossybabe said:

Gulp!  And I'm on this weekend. I wonder if they'll have the quills and parchment ready...

Isn't that a normal working day on the Isle of Wight?  :P


This is looking like a major world-wide problem. It seems that this is a particularly nasty self-replicating "worm", which is able to bypass normal user-access security in order to rapidly encrypt files on multiple servers.

See map of recently reported infections: [image]

Multiple companies affected, including several national telco companies; the Russian Ministry of the Interior is also affected.

https://twitter.com/malwrhunterteam/with_replies


I suspect those behind this may now be regretting the magnitude of it. It's probably just supposed to be a nice little earner, not crime of the century.

This will bring them very unwanted attention

44 minutes ago, casual_squash said:

I suspect those behind this may now be regretting the magnitude of it. It's probably just supposed to be a nice little earner, not crime of the century.

This will bring them very unwanted attention

Yeah, if they were infecting 100s of people, no one would give a monkey's.

 

By infecting 100s of thousands, they are likely to get caught.


Is it still possible to track bitcoin users by sending them 1 satoshi? If so I imagine they're going to be getting about 300 dollars worth coming in...

It's a pretty ludicrous piece of ransomware if you ask me, do they seriously think that people who aren't IT savvy enough to turn on auto updates will know how to buy and transfer bitcoins?


When I did some basic preliminary work to apply for work in cybersecurity for the government, I found that the weakest link in any system is not the computer, but the human USER. Hackers have moved on from hacking the operating system to tricking people, as people are the weakest link. The crime gangs have even tracked down high net worth individuals in charge of major corporations and used targeted attacks.

Why are people the weakest link? You can tell by the popularity of clickbait, memes, buzz type articles and even newspaper headlines. Huge money has been made through legitimate means each day through exploiting our human nature.

If you see on the internet a link to the possible secret to "one simple trick to lose tummy fat", you're going to click it at least once - it's human nature. And no amount of software updates can stop the human frailty of the system. People also spend much more time on the internet and share links on social media. Even with the best training, time is not on our side. It's like the "do not laugh" challenges that you see on youtube, but the challenge lasts forever.

Another example - imagine a man falling into 1000 mousetraps in 4k slow motion. You're going to click to watch this aren't you? 9m people watched it in 2 days.

---

The large organisation problem stems from the large amount of people with access to the main system. Ideally more senior people should only have access to the core system, those that are better trained and are aware of malware but even then that may not be the answer.

One other answer is to make all computers become "virtual machines" so the infection is at least limited to that session.


The recent rise of bitcoin may also be linked to the rise of ransomware. Some people are going to buy bitcoin so they can save their computer. So now this virtual currency, which people had not heard of, cannot see, and which did not have much value, has some value in rescuing their valuable data.

How many people back up their computers? Back up regularly, and store important information offline, unconnected to the internet. Do not click on links or open emails attachments or links from unfamiliar sources.

Check email addresses before opening emails too - they can hack into your address book and use a slight variation of the address too. E.g. Mike_Smith@outlook.com becomes Mike_Smith@0utlook.com. Notice the difference?

Stay safe - if you are going to click a link, hover over it before clicking on it. Where does it go? If you are not sure it is safe, don't click it. If it is a main corporate website, does it have a padlock or https in the address? Stick to a small core of websites to visit that you can trust. If you like videos, go to the secure Youtube website (for example) by typing the address into the address bar, and THEN search for the video using the sites search engine.

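The two checks in the post above (spot a sender domain that is one look-alike character away from a real one, and "hover before you click") as working code. This is an added example, not code from the thread or from any product; the trusted-domain list and the small confusable-character map are assumptions chosen for the example, and it deliberately goes a little further than the 0utlook.com case by folding several look-alike digits and digraphs (1/l, rn/m and so on). It does not handle Unicode homoglyphs in internationalised domains; a maintained confusables table would be needed for that.

```python
import re
from urllib.parse import urlsplit

# Assumed for the example: the handful of domains this user expects mail from.
TRUSTED_DOMAINS = {"outlook.com", "nhs.net", "gmail.com"}

# Characters and digraphs that pass for another character in common fonts.
# Assumption for the example; a real deployment would use a maintained
# table such as Unicode's confusables.txt.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}


def fold(domain: str) -> str:
    """Lower-case the domain and collapse confusable sequences, so that a
    look-alike and the genuine domain fold to the same string."""
    d = domain.lower()
    # Longest replacements first so "rn" is handled before single characters.
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(bad, good)
    return d


# Folded form -> genuine domain, built once from the trusted list.
FOLDED_TRUSTED = {fold(d): d for d in TRUSTED_DOMAINS}


def lookalike_sender(address: str):
    """Classify the domain part of a sender address.

    Returns ("trusted", domain)    when the domain is on the list as-is,
            ("lookalike", genuine) when it only matches after folding,
                                   e.g. Mike_Smith@0utlook.com -> outlook.com,
            ("unknown", None)      when it is not on the list at all.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    genuine = FOLDED_TRUSTED.get(fold(domain))
    if genuine is not None:
        return "lookalike", genuine
    return "unknown", None


# Display text that itself looks like a hostname or URL (otherwise it is
# just words like "Click here" and there is nothing to compare).
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def link_goes_where_it_says(display_text: str, href: str):
    """The "hover before you click" rule as code.

    Returns a list of reasons not to click; an empty list means the link
    goes to the host its text shows and uses https.
    """
    reasons = []
    target = urlsplit(href.strip())
    if target.scheme.lower() != "https":
        reasons.append("not https (scheme is %r)" % (target.scheme or "none"))
    m = HOST_RE.match(display_text.strip())
    shown_host = m.group(1).lower() if m else None
    if shown_host and target.hostname and shown_host != target.hostname.lower():
        reasons.append("text shows %s but the link goes to %s"
                       % (shown_host, target.hostname))
    return reasons


if __name__ == "__main__":
    for addr in ("Mike_Smith@outlook.com", "Mike_Smith@0utlook.com", "x@example.org"):
        print(addr, "->", lookalike_sender(addr))
    print(link_goes_where_it_says("www.nhs.uk", "http://www.nhs.uk.evil.example/login"))
```

The fold-then-compare approach catches substitutions the eye misses, but it is only as good as the trusted list: a domain you have never seen before comes back "unknown", which is the correct answer, not a pass.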

Additionally, people aren't as careful with WORK computers as opposed to their HOME computers. It's not their personal loss at the end of the day if the computer goes down at work. However people don't think of the consequences - they may think it is trivial but as we have seen, this has been disastrous.

Guest

I'm non techy... have a windows laptop and Mac desktop at home. I have the free built in anti virus etc. Are the paid for versions (McAfee etc) worth it? Or do they just prey on people's insecurity?

As you can tell this worldwide attack has triggered some paranoia!

3 hours ago, Grab_Some_Popcorn said:

I'm non techy... have a windows laptop and Mac desktop at home. I have the free built in anti virus etc. Are the paid for versions (McAfee etc) worth it? Or do they just prey on people's insecurity?

As you can tell this worldwide attack has triggered some paranoia!

 

Recent versions of windows for home use will keep themselves updated with security updates. On windows 10, this cannot be turned off on home versions. It will always download and install the most important security updates, as long as it can get an internet connection.

Windows defender is OK, and includes "real-time" protection (which scans files as you click on them, or as they download). However, it doesn't recognise quite as much as other software, and has a higher false positive rate. 

The paid for products extend this by having a larger library of detected malware, and some have more frequent updates (e.g. some vendors don't release updates on a set schedule, but immediately when they confirm a new threat, so may push out updates on an hourly basis during fast evolving conditions). Other features which may or may not be useful are things like :

special browser with hardened security (use this for high value activities),

web site screening (which will check every URL you click on with a list of sites known to contain malware and block malicious sites),

software whitelisting (prevents any program running on your computer unless it is on a whitelist supplied by the antivirus vendor, useful if you have kids who like to install random stuff),

vulnerability scanner (keeps track of the software installed on your computer - office stuff, apps, etc. - and makes sure that you are up to date with security updates for all of these).

 

To technically experienced people, the value of some of these added features is low or even negative. But if your computer is used, even part of the time, by someone inexperienced, then these products add value.

1 hour ago, ChumpusRex said:

 

Recent versions of windows for home use will keep themselves updated with security updates. On windows 10, this cannot be turned off on home versions. It will always download and install the most important security updates, as long as it can get an internet connection.

Windows defender is OK, and includes "real-time" protection (which scans files as you click on them, or as they download). However, it doesn't recognise quite as much as other software, and has a higher false positive rate. 

The paid for products extend this by having a larger library of detected malware, and some have more frequent updates (e.g. some vendors don't release updates on a set schedule, but immediately when they confirm a new threat, so may push out updates on an hourly basis during fast evolving conditions). Other features which may or may not be useful are things like :

special browser with hardened security (use this for high value activities),

web site screening (which will check every URL you click on with a list of sites known to contain malware and block malicious sites),

software whitelisting (prevents any program running on your computer unless it is on a whitelist supplied by the antivirus vendor, useful if you have kids who like to install random stuff),

vulnerability scanner (keeps track of the software installed on your computer - office stuff, apps, etc. - and makes sure that you are up to date with security updates for all of these).

 

To technically experienced people, the value of some of these added features is low or even negative. But if your computer is used, even part of the time, by someone inexperienced, then these products add value.

I have been advising people for some time that they don't need anti virus, because defender is good enough.

 

Would this attack have been stopped by anti virus?

 

I am from more of a Unix background, but wouldn't a good way of stopping this sort of thing, be to use accounts with limited privileges.

 

Probably another important thing is to stop users clicking on any old file or link they are emailed.

 

But even with a screw up, if everything is backed up there should be no worries. (Unless the backup also got encrypted!)

3 minutes ago, reddog said:

I have been advising people for some time that they don't need anti virus, because defender is good enough.

 

Would this attack have been stopped by anti virus?

 

I am from more of a Unix background, but wouldn't a good way of stopping this sort of thing, be to use accounts with limited privileges.

 

Probably another important thing is to stop users clicking on any old file or link they are emailed.

 

But even with a screw up, if everything is backed up there should be no worries.

Windows defender is good enough. However, there are (slightly) better solutions if you want to pay for them.  For example, in browser blocking of suspected malicious web sites, phishing filters to warn you when clicking on a dodgy email, etc. 

Antivirus might not have stopped the onset of this type of attack, but once it had been detected, commercial AV companies were pushing out updates to detect and remove it.

Normally, running with limited privileges is a good way to mitigate this type of attack. However, this particular attack is a very sophisticated piece of malware which uses a remote code execution exploit to spread autonomously over a LAN/WAN, and uses a kernel injection exploit to gain kernel privileges on any affected machine. These exploits work on Windows XP through to Windows 10, as well as Windows Server 2003 to 2016. As a result, any random user running the executable, even on a heavily restricted account, could result in all servers in the enterprise being compromised within minutes.

The cryptolocker part of the malware is also sophisticated, in that it disables volume snapshotting at the kernel level before beginning encryption, and then scans for and deletes any snapshots.

Because this is an autonomously replicating remote code execution exploit, if you are running an online D2D backup then you risk the backup server getting compromised as well. You would need an offline backup solution (e.g. nightly tapes) to be sure. 

The main mitigation, however, was that the main exploits (known as "eternalblue" and "doublepulsar") were patched in windows vista and up, and windows 2008 and up in March. Computers with the relevant update would have been resistant to the autonomous spread, and the privilege escalation would not have been possible, even on the local machine.

A windows XP patch is not available, unless extended support had been negotiated with MS, which had been done nationwide by the NHS for 1 year, but later allowed to lapse. I've read (but don't know for sure) that several of the most severely affected sites were still running a number of systems with XP and windows server 2003, for which patches were not available. 

My understanding of this attack is that it was time-delayed. The malware had installed several days before, and then triggered on a timer, which was why it appeared to spread worldwide so fast, even with the antivirus vendors chasing it (it had actually done its spreading under the radar, not attracting any attention). I had noticed a ton of spam emails coming in at work recently containing very dodgy looking links; so much so that I even took to forwarding them to IT, as they were looking so professional and just begging someone to click on the links.

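Two of the behaviours in the post above are detectable from ordinary endpoint telemetry, and the following is an added example of how (example code, not from the thread, and not tied to any particular sample). First, deletion of volume shadow copies before encryption: the command lines matched here (vssadmin delete shadows, wmic shadowcopy delete, bcdedit ... recoveryenabled no, wbadmin delete catalog) are the ones ransomware families commonly run to remove restore points; which of them this malware used is not claimed, and tampering done at kernel level, as the post suggests, would not show up as a command line at all, which is why a second, independent signal is kept. Second, worm-style spread: EternalBlue attacks SMBv1 on TCP/445, so one workstation opening 445 to many distinct peers in a short window is the thing to alert on, while a file server that talks SMB to a few fixed peers should not trip it. The event dicts, thresholds and hostnames are constructed for the example in a Sysmon-like shape; map the field names onto your own SIEM.

```python
from collections import defaultdict
import re

# Command-line patterns for shadow-copy / recovery destruction. These are
# the commonly seen forms, not a claim about one specific sample.
VSS_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

SMB_PORT = 445
FANOUT_THRESHOLD = 10    # distinct peers on 445 within WINDOW_SECONDS (assumed)
WINDOW_SECONDS = 60


def detect_vss_deletion(events):
    """One alert per process-creation event whose command line destroys
    shadow copies or disables recovery. 'vssadmin list shadows' is benign
    and must not match."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if any(p.search(ev["cmdline"]) for p in VSS_PATTERNS):
            alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                           "time": ev["time"], "cmdline": ev["cmdline"]})
    return alerts


def detect_smb_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding window per source host over outbound 445 connections: alert
    once when the number of distinct destination hosts inside `window`
    seconds reaches `threshold`. Repeated connections to the same peer do
    not count, so a server hammering one file share stays quiet."""
    conns = defaultdict(list)
    for ev in events:
        if ev["type"] == "network_connect" and ev["dst_port"] == SMB_PORT:
            conns[ev["host"]].append((ev["time"], ev["dst_ip"]))
    alerts = []
    for host, lst in conns.items():
        lst.sort()
        start = 0
        for end in range(len(lst)):
            while lst[end][0] - lst[start][0] > window:
                start += 1
            peers = {ip for _, ip in lst[start:end + 1]}
            if len(peers) >= threshold:
                alerts.append({"rule": "smb_fanout", "host": host,
                               "time": lst[end][0], "peers": len(peers)})
                break    # one alert per host is enough
    return alerts


def detect(events):
    """Run both rules; returns the combined alert list."""
    return detect_vss_deletion(events) + detect_smb_fanout(events)


# Constructed sample telemetry (made up for the example, not real logs).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ward7-pc01", "time": 100,
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"type": "process_create", "host": "ward7-pc01", "time": 101,
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process_create", "host": "radiology-srv", "time": 102,
     "cmdline": "vssadmin list shadows"},            # admin looking, not deleting
] + [
    # infected workstation sweeping the /24 on 445
    {"type": "network_connect", "host": "ward7-pc01", "time": 110 + i,
     "dst_ip": "10.20.30.%d" % i, "dst_port": 445} for i in range(1, 25)
] + [
    # file server talking to one fixed peer over and over: normal traffic
    {"type": "network_connect", "host": "fileserver01", "time": 110 + i,
     "dst_ip": "10.20.30.5", "dst_port": 445} for i in range(1, 25)
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the constructed input the shadow-copy rule fires twice, both on ward7-pc01, and the fan-out rule fires once for the same host; radiology-srv and fileserver01 stay quiet. Tune FANOUT_THRESHOLD against a baseline of your own 445 traffic before relying on it, and treat the shadow-copy rule as late warning: by the time vssadmin runs, the encryptor is usually about to start.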

There is so much misinformation about this:

90% of NHS trusts are completely unaffected

It's nothing to do with Windows XP

I'm not going to speculate on the exact cause, but most of what's being written in the press is nonsense.

17 hours ago, Will! said:

Isn't that a normal working day on the Isle of Wight?  :P

Amazingly, we do use computers - but then the contract I work on is owned by a mainland trust.

1 hour ago, ChumpusRex said:

Windows defender is good enough. However, there are (slightly) better solutions if you want to pay for them.  For example, in browser blocking of suspected malicious web sites, phishing filters to warn you when clicking on a dodgy email, etc. 

Antivirus might not have stopped the onset of this type of attack, but once it had been detected, commercial AV companies were pushing out updates to detect and remove it.

Normally, running with limited privileges is a good way to mitigate this type of attack. However, this particular attack is a very sophisticated piece of malware which uses a remote code execution exploit to spread autonomously over a LAN/WAN, and uses a kernel injection exploit to gain kernel privileges on any affected machine. These exploits work on Windows XP through to Windows 10, as well as Windows Server 2003 to 2016. As a result, any random user running the executable, even on a heavily restricted account, could result in all servers in the enterprise being compromised within minutes.

The cryptolocker part of the malware is also sophisticated, in that it disables volume snapshotting at the kernel level before beginning encryption, and then scans for and deletes any snapshots.

Because this is an autonomously replicating remote code execution exploit, if you are running an online D2D backup then you risk the backup server getting compromised as well. You would need an offline backup solution (e.g. nightly tapes) to be sure. 

The main mitigation, however, was that the main exploits (known as "eternalblue" and "doublepulsar") were patched in windows vista and up, and windows 2008 and up in March. Computers with the relevant update would have been resistant to the autonomous spread, and the privilege escalation would not have been possible, even on the local machine.

A windows XP patch is not available, unless extended support had been negotiated with MS, which had been done nationwide by the NHS for 1 year, but later allowed to lapse. I've read (but don't know for sure) that several of the most severely affected sites were still running a number of systems with XP and windows server 2003, for which patches were not available. 

My understanding of this attack is that it was time-delayed. The malware had installed several days before, and then triggered on a timer, which was why it appeared to spread worldwide so fast, even with the antivirus vendors chasing it (it had actually done its spreading under the radar, not attracting any attention). I had noticed a ton of spam emails coming in at work recently containing very dodgy looking links; so much so that I even took to forwarding them to IT, as they were looking so professional and just begging someone to click on the links.

In my NHS experience there are many trusts who still run Server 2003 even now. 


I had a GP appointment yesterday and they had no computer access. The machines for logging people into appointments weren't working but instead of putting a sign on them they were merely blank. It would have been so easy to put even a sticky label on them to explain the problem but nothing.  No one there to help at all. 

The GP's are on the 1st floor and there are normally staffed reception desks on the ground and first floors. Most patients go up to floor 1, check-in and wait for their GP there. No one on the 1st floor at all to explain. 2 staff on the ground floor not even bothering to tell patients the problem as they walk in.

My actual GP appointment was a breeze. He was writing notes on a piece of paper. Didn't have to stop and type things into the screen. For once, the appointment was on time. Hand written prescription.

I've noticed the problems with NHS systems before as an ordinary patient. My Oncologist says she needs to physically login to several screens to check different test results or my patient notes, meaning that a lot of the appointment time is spent with her frantically typing away. When I go for chemo or a blood test it's not uncommon to find that no one in that clinic can log in. 

It's been noticeable with the GP for a while now that they find typing in a record of the consultation hard. Rather than a face-to-face meeting it's more like watching him type as I speak. I don't mind this so much as long as the end result is OK, but with the Oncologist I'm having to limit my questions a lot.

 

 


I think my solution to this sort of thing would be to just let user have a screen that is a web browser that acts as a terminal for all of their applications.

 

Then do the security at the back end.

 

This concept has been blocked in the past by people insisting they need a full personal computer because they are a very important user.

 

This would also save a fortune in managing PCs; the only thing you would have to worry about on the hardware side is plugging in a network cable, and swapping a screen or keyboard if they break.

