Cyber Attack on NHS

Infosec85Infosec85 Member Posts: 192 ■■■□□□□□□□

Comments

  • Infosec85Infosec85 Member Posts: 192 ■■■□□□□□□□
    From what I gather it's a major ransomware attack.
  • JasminLandryJasminLandry Member Posts: 601 ■■■□□□□□□□
    I was just reading about it on Twitter, apparently they got in the machines using the EternalBlue exploit.
  • Infosec85Infosec85 Member Posts: 192 ■■■□□□□□□□
    Yeah I also hear Spain has been hit, I wonder if it's the same group.
  • JasminLandryJasminLandry Member Posts: 601 ■■■□□□□□□□
    Ransomware attacks reported in Europe - BBC News

    Across Europe now (apparently it hit organizations from 11 different countries in 2 hours).

    It has to be the same group... it would be quite the coincidence if it was done by different groups.
  • UKIkarusUKIkarus Member Posts: 26 ■□□□□□□□□□
    This isn't the first time either, do they have sufficient backups to recover from this I wonder?
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    I like how they say "Oops!", like it's a syntax error of a command you typed incorrectly. Can't say I've ever been hit with ransomware, but if I do, it's a DOD wipe, reformat, reinstall OP system, restore from last backup. NHS stands for National Health Services, I had to look at several websites before one of them spelled out what it stood for.
    Still searching for the corner in a round room.
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    This has been escalated to over 100 different countries right now. It uses the 0-day SMBv1 exploit. Better block those port 445s on your systems.
    More info here https://blog.varonis.com/massive-ransomware-outbreak-what-you-need-to-know/
  • greg9891greg9891 Member Posts: 1,189 ■■■■■■■□□□
    UKIkarus wrote: »
    This isn't the first time either, do they have sufficient backups to recover from this I wonder?

    I agree I'm wondering the same thing. Hope they have some nice daily backups with file level recovery if needed. Their Disaster recovery plan will be tested today.
    Upcoming Certs: VCA-DCV 7.0, VCP-DCV 7.0, Oracle Database 1Z0-071, PMP, Server +, CCNP

    Proverbs 6:6-11 Go to the ant, you sluggard! Consider her ways and be wise, Which, having no captain, Overseer or ruler, Provides her supplies in the summer, And gathers her food in the harvest. How long will you slumber, O sluggard?
    When will you rise from your sleep? A little sleep, a little slumber, A little folding of the hands to sleep, So shall your poverty come on you like a prowler And your need like an armed man.
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    England got hit pretty bad, their hospitals reportedly have shut down and are not accepting patients, and even surgeries have been postponed.
  • dhay13dhay13 Member Posts: 580 ■■■■□□□□□□
    We got hit with ransomware at my last job. Our QA Manager clicked on a LinkedIn invite in his email. Luckily he called me right away and I told him to just unplug everything from it and shut it off ASAP. It was contained to that one laptop and he only lost a few things as we had daily backups. I left there and found out he did the same thing again. I heard it shut down that whole side of the building but not sure how that would happen unless it hit all other workstations over there before they reacted. Funny thing is I lectured him after the first time and explained to him what and how it happens. My manager at the time was clueless. We had no A/V on servers. When I questioned this he said 'well we don't surf the internet with servers'. No wonder it hit that whole side of the building that second time.
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    dhay13 wrote: »
    I heard it shut down that whole side of the building but not sure how that would happen unless it hit all other workstations over there before they reacted.

    Probably emailed everyone in his address book LinkedIn invites. :) I recall this happening at the FAA after I left. Someone received an email with an infected file and they clicked on it and it infected their computer, which in turn emailed everyone in the building. Something like 80% of the people clicked on the same email and infected their PCs in turn. They were effectively down for over a week while the IT staff re-imaged computers. Most of the staff is computer savvy, including engineers, so it's not like it was a bunch of clueless office clerks working there.
    Still searching for the corner in a round room.
  • Santa_Santa_ Member Posts: 131 ■■■□□□□□□□
    Been tackling this for the last few hours. And by tackling I mean patching all of our servers - around 100 of them. Preventative measures so we do not run into any problems. *knocks on wood*

    Backups are key. Best of luck to those who are experiencing this first hand.

    If you're running 2008 Servers.
    Within Admin Powershell Windows:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

    https://support.microsoft.com/en-us/help/4013389/title

    https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
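
An added example, not part of the post above: a PowerShell audit of the SMB1 server registry value that the Set-ItemProperty command changes, run across a list of hosts. The function name, the $Servers list and the use of PowerShell remoting (WinRM) are assumptions for illustration.

```powershell
# Added example (not from the thread): report the SMB1 server setting per host.
# $Servers is a constructed placeholder list; pass your own host names.
param(
    [string[]]$Servers = @('localhost')
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hypothetical helper: reads the SMB1 value under the LanmanServer parameters key.
function Get-Smb1ServerState {
    param([Parameter(Mandatory=$true)][string]$KeyPath)
    # If the SMB1 value does not exist, the OS default applies, which on
    # Server 2008 / 2008 R2 means the SMBv1 server is enabled.
    $prop = Get-ItemProperty -Path $KeyPath -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Enabled (value absent, OS default)' }
    if ($prop.SMB1 -eq 0) { return 'Disabled (effective after restart)' }
    return "Enabled (SMB1=$($prop.SMB1))"
}

foreach ($s in $Servers) {
    try {
        if ($s -eq 'localhost' -or $s -eq $env:COMPUTERNAME) {
            # Local check, no remoting needed.
            $state = Get-Smb1ServerState -KeyPath $KeyPath
        } else {
            # Remote check; assumes WinRM remoting is enabled on the target.
            $state = Invoke-Command -ComputerName $s -ErrorAction Stop `
                -ScriptBlock ${function:Get-Smb1ServerState} -ArgumentList $KeyPath
        }
    } catch {
        # Keep unreachable hosts in the report instead of silently skipping them.
        $state = "Unreachable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ Server = $s; SMB1Server = $state }
}
```

The registry value only governs the SMB server side, and a restart is required before a change to it takes effect, so a host reported as "Disabled" may still be serving SMBv1 until it reboots.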


  • xxxkaliboyxxxxxxkaliboyxxx Member Posts: 466
    And just like that, an unsung hero registered the kill switch domain and stops WannaCry in its tracks. Still good to patch, but I wish I would have known before I spent late hours into this lol.
    Studying: GPEN
    Reading: SANS SEC560
    Upcoming Exam: GPEN
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    I know for a fact that some local hospitals are still using Windows XP, probably because their ancient system does not work on newer OS for some reason.

    I hope that they are not infected, and that this will make them consider upgrading soon...
  • Santa_Santa_ Member Posts: 131 ■■■□□□□□□□
    Still good to patch, but I wish I would have known before I spent late hours into this lol.


    Agreed. Even though we're wrapping up now, this is a peace of mind for our organization and our IT team.
  • xxxkaliboyxxxxxxkaliboyxxx Member Posts: 466
    Santa_ wrote: »
    Agreed. Even though we're wrapping up now, this is a peace of mind for our organization and our IT team.

    ^^^^^ AGREE 100 percent, good time to ask for some additional security controls. Scare the bejesus out of them lol
    Studying: GPEN
    Reading: SANS SEC560
    Upcoming Exam: GPEN
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    wd40 wrote: »
    I know for a fact that some local hospitals are still using Windows XP, probably because their ancient system does not work on newer OS for some reason.

    I hope that they are not infected, and that this will make them consider upgrading soon...

    XP, Server 2003 and Windows 8 are EOL. Credit to Microsoft for releasing a patch.
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    wd40 wrote: »
    I know for a fact that some local hospitals are still using Windows XP, probably because their ancient system does not work on newer OS for some reason.

    Costs money to rewrite software, which is often in short supply. Where I work, we have an XP machine that runs a machine that tests respirators for compliance. Upgraded software to run on Win 7 would cost us 50k, we simply disconnected it from the network, it still works perfectly fine today.
    Still searching for the corner in a round room.
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    wd40 wrote: »
    I know for a fact that some local hospitals are still using Windows XP, probably because their ancient system does not work on newer OS for some reason.

    I hope that they are not infected, and that this will make them consider upgrading soon...

    I never understood this logic. If your main OS is EOL and you have a critical software on it, start in advance your migration plan. If your vendor is not supporting a new OS version, then drop them, see how they react when you tell them we're going to use a competitor's software.
  • UncleBUncleB Member Posts: 417
    TheFORCE wrote: »
    I never understood this logic. If your main OS is EOL and you have a critical software on it, start in advance your migration plan. If your vendor is not supporting a new OS version, then drop them, see how they react when you tell them we're going to use a competitor's software.

    The reason is that the cost to the company is often perceived as not worth it - or the software is so proprietary that the only solution is to rewrite it at significant cost which there is no budget for.

    I've worked for a lot of companies with this mentality and it often took some fairly creative thinking to come up with a change in the way the company approached the need to get them weaned off the legacy systems.

    I don't know if anyone from overseas (the NHS is the health service in the UK) knows much about the finances of the NHS, but it is a free health service for the public for pretty much anything non-elective (ie anything from a nasty cut to cancer, childbirth and mental care is covered but not enhancing plastic surgery or gender reassignment, although these sometimes happen when there are other factors involved). As such it is paid for by the government through taxation and their budgets have been cut annually for about a decade so are having to do more with an awful lot less money.

    They also have a history of really badly run IT projects (being government funded this is the norm unfortunately) so they have their funds for IT spent on badly managed projects rather than fixing legacy systems that can be left ticking over.

    I know it is a false economy but I'm not the decision maker for them.

    I hope that puts in context why they are in the rubbish state they are - as for backups, I wouldn't hold my breath. It does remind me of a recent episode of Chicago Med where a doctor ended up paying the ransom...
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Sometimes it is almost difficult to migrate. Where I once worked, we had HR payroll software that only runs on XP and business owner refused to upgrade. We re-installed the software on XP VM and closed all ports except RDP. If it gets infected, we can restore from VM image backups.


    Now the UK government is under pressure. Ransomware is not new, the question is does the NHS have any backups? What is their DRP procedure? What are the RTO or RPO requirements? The vulnerability was patched 2 months ago. Does NHS have a patch management policy?
  • JockVSJockJockVSJock Member Posts: 1,118
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "It's easier to deceive the masses than to convince the masses that they have been deceived."
    -unknown
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    UncleB wrote: »
    I hope that puts in context why they are in the rubbish state they are - as for backups, I wouldn't hold my breath. It does remind me of a recent episode of Chicago Med where a doctor ended up paying the ransom...

    This is just sad. Patching and daily backup is Disaster Recovery 101. If everyone did this, ransomware would be pointless, no one would pay. Sadly far too many pay, and even after they pay once, they do not learn the lesson, and will likely pay again.
    Still searching for the corner in a round room.
  • UncleBUncleB Member Posts: 417
    If they can't sort out upgrading their client OS then you can be sure they have lots of physical servers, different platforms and no cohesive backup solution so a backup solution probably involves differing tape formats, manual changing of tapes and the reliability issues of the software and tape drives running the backups.

    The NHS trusts are individually run so there are hundreds of them around the country, each doing their own thing and in desperate need to find a cohesive strategy and investment to get their IT sorted out, but the owners are prioritising what cash they have towards patient care in what is becoming a death choke hold on their IT.
  • rob42rob42 Member Posts: 423
    It looks as if even XP has now been patched

    Microsoft Releases XP Patch for WannaCry Ransomware
    No longer an active member
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    rob42 wrote: »
    It looks as if even XP has now been patched

    This is a little surprising, but it's nice to see Microsoft didn't say tough to users, upgrade. I guess it's good PR for no real effort, since I'm sure they developed a patch for companies that continue to pay for extended support.
    Still searching for the corner in a round room.
  • MrXpertMrXpert Member Posts: 586 ■■■□□□□□□□
    I work for the NHS unfortunately. Our trust has got hit by ransomware more than once. A lot of money is spent on IT within our Trust and in fact we are over-staffed and usually spend a fair amount of time with "horse play". Many other NHS trusts' IT departments operate this way too. Sadly it is normal. When bad things happen though we're slow to respond. Fire fighting rather than prevention.
    I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
  • Chivalry1Chivalry1 Member Posts: 569
    Unfortunately I am not surprised by the impact of this ransomware. Many companies completely ignore patch management/disaster recovery/backups. The people ignoring the obvious are Senior Level Management CEO, CIO, CISO and Information Security Directors. HIPAA/PCI/SDN environments completely ignored and not compliant, although being "signed-off" by the CISO as compliant. I am hoping this is a wake up call that companies should take information security seriously!

    I anticipate an increase in Cyber Security positions soon.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • ande0255ande0255 Banned Posts: 1,178
    I have a feeling that Ransomware thing from Friday is going to make tomorrow morning at my job a f'ing nightmare, I work with SMB customers who like to put backups of their servers on the back burner if it's too much money / inconvenient / they don't report it's messing up.

    Good time to use mass Ransomware attacks though if you're a thieving piece of ****, btc has been skyrocketing until it recently seems to have leveled between $1750-1800 per coin, if you don't go after government servers I bet you could bake millions in a global cyber heist like that.

    I'm starting to reconsider my occupation after typing that and reading it a few times.
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    ande0255 wrote: »
    Good time to use mass Ransomware attacks though if you're a thieving piece of ****, btc has been skyrocketing until it recently seems to have leveled between $1750-1800 per coin, if you don't go after government servers I bet you could bake millions in a global cyber heist like that.

    I'm starting to reconsider my occupation after typing that and reading it a few times.

    22 Bitcoins and USD $39K payment so far
    How Much Wannacry Paid the hacker