Cyber attack on the NHS

ceadaoin.

Just saw this in the news. Many NHS hospitals and GP surgeries have been denied access to all their patient files and are being asked to pay money or the files will be deleted. This has the potential to result in deaths as all patient medical history, scans, X-rays, treatments, prescriptions, appointment etc are contained in these files.

I don't know much about cyber security but you'd think that the such sensitive information would be unhackable, if that's possible? I wonder who is responsible...Is this the new face of terrorism?

Apparently it is happening in other countries too

http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/

Winterlong

Seems to be a global ransomware attack. The vulnerability was patched in March but I guess these machines were not patched.
The attack started this morning in Spain. Someone is getting rich.

bluewizard

ceadaoin. wrote: »

would be unhackable, if that's possible?

Not possible.

ceadaoin.

ceadaoin. wrote: »

Just saw this in the news. Many NHS hospitals and GP surgeries have been denied access to all their patient files and are being asked to pay money or the files will be deleted. This has the potential to result in deaths as all patient medical history, scans, X-rays, treatments, prescriptions, appointment etc are contained in these files.

I don't know much about cyber security but you'd think that the such sensitive information would be unhackable, if that's possible? I wonder who is responsible...Is this the new face of terrorism?

Apparently it is happening in other countries too

http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/

Just takes the right couple of fools in the right place in the "network" for **** like that to propagate, likely wasn't a targeted attack.

alchemist33

bluewizard wrote: »

Not possible.

It is if we do what's necessary to protect against the cylons - go back to pen, paper, stagecoaches and carrier pigeons!

ceadaoin.

Deleted User wrote: »

Just takes the right couple of fools in the right place in the "network" for **** like that to propagate, likely wasn't a targeted attack.

Yeah I've just been reading that. Possibly someone on the network clicked on a link in a dodgy email and started the whole thing. Hate to be that person right now!

osarusan

Have they tried turning it off and then on again?

uck51js9zml2yt

osarusan wrote: »

Have they tried turning it off and then on again?

Yes ...but it didn't work.

Harry Palmr

alchemist33 wrote: »

It is if we do what's necessary to protect against the cylons - go back to pen, paper, stagecoaches and carrier pigeons!

No just go back to phones, telex machines, and LANs

pjohnson

This was an actual CSI Cyber episode.

Beyondgone

My mate Dave fixes computers in the evenings. Last time we got a ransomware virus I dropped the pc around to him and he sorted it in an hour. Didn't have to pay any ransom. Up yours hacker boy.

If the NHS want Daves number, I think he might have gone out on the beer with the lads, but he'll be back at it Monday - though he's usually not himself till Tuesday if it was a heavy weekend - just PM me and I'll text ye his number. The mans a genius. He only does Dells tho.

wylo

This same attack happened me but thankfully everything was on Dropbox so I was able to roll back . Other than that it was gone.

Happened to an accountant I know and after a week or two of panic and IT help her only option was to pay it.

Lessons learned: just don't open files that are strange , even word files. And turn on system restore.

Specialun

Its very big news this. A& e department have been shut down. Whether they paid is unknown.

Specialun

wylo wrote: »

This same attack happened me but thankfully everything was on Dropbox so I was able to roll back . Other than that it was gone.

Happened to an accountant I know and after a week or two of panic and IT help her only option was to pay it.

Lessons learned: just don't open files that are strange , even word files. And turn on system restore.

The best protection you can have is to have back up, latest updates of av.

Gone Drinking

Yes, there will be probably data loss. Local data to the machines affected will be fcuked unless they pay the ransom (granted, it's real ransomware and the data is really encrypted).

Important data like xrays, patient files etc will be stored in shared, redundant storage, which is backed up. If things are set up correctly, worst case scenario would mean that there's 12 or 24 hours worth of some of that data affected that will be lost.

Best case scenario, it's not real encryption or they're taking more granular backups and will have a more valid restore point to work off than 12/24 hours.

Either way, this can only happen if the machines are not patched up and running the latest virus updates, which is scary. Although there's a slight chance this is a brand new virus, in which case, there would have been very little they could have done.

Slydice

ceadaoin. wrote: »

you'd think that the such sensitive information would be unhackable, if that's possible

I suppose.. if it helps bring ya back down to earth..

think about how much money we like giving to health services, how much money we like to pay the staff in the health service etc..

bluewizard

Specialun wrote: »

latest updates of av.

Oh yesss... This ^
But surely fear no stupid admins who set no restrictions on root logon, has no ideas of VLANs, firewalls, switches, SQL injections and may others... Antivirus is your cure :rolleyes:

There are so many ways to fuk/steal things up...

Corruptedmorals

Slydice wrote: »

I suppose.. if it helps bring ya back down to earth..

think about how much money we like giving to health services, how much money we like to pay the staff in the health service etc..

Don't worry, the HSE is built on paper, paper results, physical charts and more paper.

stimpson

My money is on the Tories just trying to speed up the inenvitable.

wil

alchemist33 wrote: »

It is if we do what's necessary to protect against the cylons - go back to pen, paper, stagecoaches and carrier pigeons!

Sunlight, Fire, mould, highwaymen and hawks.

If you see flames, masked men or sharp talons, backup, backup, backup and take a different route.

Fr_Dougal

They were warned, many, many times before.

https://www.scmagazineuk.com/inadequate-cyber-security-budgets-putting-nhs-patients-at-risk/article/573932/

hmmm

Don't blame the techies, usually they want to patch their systems ASAP - usually this sort of thing is caused by management not paying for Operating System upgrades, or someone insisting the techies maintain some piece of crap software which only runs on some ancient unpatchable operating system.

100 grand for an NHS trust is nothing on security - they need to be spending multiples of that.

wil

Fr_Dougal wrote: »

They were warned, many, many times before.

https://www.scmagazineuk.com/inadequate-cyber-security-budgets-putting-nhs-patients-at-risk/article/573932/

Costs very little to warn, and yes it is naive or reckless not to allocate resources but it is becoming an unending indeterminable tail chase as the increasing demand to make things easier makes the criminal exploitation more so.
There is also an onus on the systems providers to make critical systems more secure in light of the internet.

WhiteMemento9

Winterlong wrote: »

Seems to be a global ransomware attack. The vulnerability was patched in March but I guess these machines were not patched.
The attack started this morning in Spain. Someone is getting rich.

Ransomware utilising an SMB exploit (EternalBlue vulnerability) which was discovered by the NSA and then leaked by a group called the Shadow Brokers just over a month ago. This exploit as you say was patched by MS recently.

Windows XP was end of life in April 2014 which means no more security patches from MS.

In many companies they still use very old software for applications which they have never been updated so they simply don't run on later versions of windows which in turn means they never upgraded many computer from XP. It seems this practice is particularly prevalent in the NHS.

highgiant1985

i keep reading this malware is exploiting a known issue but that a patch was available that would have prevented this if it had been updated. any one able to share details of what that patch is?

WhiteMemento9

highgiant1985 wrote: »

i keep reading this malware is exploiting a known issue but that a patch was available that would have prevented this if it had been updated. any one able to share details of what that patch is?

Read my post above for more details. This is the patch.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Infini

Ransomware is only effective if noone has backups. Its completely ineffective on people with backups expecially if they're backed up regularly with multiple backups as the virus can be nuked and an older copy restored over it and then patched.

These attacks are lowlifes just looking for easy cash usually criminals as well who do this. Just goes to show you why its best to keep your system up to date with antivirus as well as back up all your important things to external drives etc.

BBDBB

NHS in Wales are reporting that they are unaffected by the malware attack, all their leeches are fine and normal service is continuing

by8auj6csd3ioq

On TV an expert said it would go through the network and to backups. is this true and why are the backups not firewalled off or protected in some way?

Beyondgone

Elle Slow Lizard wrote: »

On TV an expert said it would go through the network and to backups. is this true and why are the backups not firewalled off or protected in some way?

Put your back-up HD into an old van. I read this on another thread. The Hackers can't get into old metal vans. You learn unreal useful stuff on the internet. Just passing on the knowledge.

WhiteMemento9

Some back story in fairness.

http://www.telegraph.co.uk/news/2017/05/12/russian-linked-cyber-gang-shadow-brokers-blamed-nhs-computer/

The_Valeyard

Here are the attacks in real time


https://intel.malwaretech.com/WannaCrypt.html

WhiteMemento9

Beyondgone wrote: »

Put your back-up HD into an old van. I read this on another thread. The Hackers can't get into old metal vans. You learn unreal useful stuff on the internet. Just passing on the knowledge.

Brightly colored vans are susceptible to the XJ-43JK SM tool. Red, yellow and pink are most at risk. Dark ones particularly black should be fine. Repainting them is your only option to protect yourself.

Beyondgone

WhiteMemento9 wrote: »

Some back story in fairness.

http://www.telegraph.co.uk/news/2017/05/12/russian-linked-cyber-gang-shadow-brokers-blamed-nhs-computer/

I'm afraid to click on that in case it's "The Infection". Even with the HD in the transit. Can you get this by going on DD? I want to start buying up Caddies. I reckon they're gonna shoot up in value once word gets out. I wonder will Seat Incas go up too?

Beyondgone

WhiteMemento9 wrote: »

Brightly colored vans are susceptible to the XJ-43JK SM tool. Red, yellow and pink are most at risk. Dark ones particularly black should be fine. Repainting them is your only option to protect yourself.

Ah here. you're only messing with that ^ surely? Like the colour matters lad. Metal is metal. Mine isn't even a Caddy and someone said it would be fine. I think you're overthinking this one. Be grand.

Wanderer78

Beyondgone wrote: »

Ah here. you're only messing with that ^ surely? Like the colour matters lad. Metal is metal. Mine isn't even a Caddy and someone said it would be fine. I think you're overthinking this one. Be grand.

famous last words, dont take the chance!

Wanderer78

any idea where it originated from?

Beyondgone

Wanderer78 wrote: »

any idea where it originated from?

Someone said Trump had the NHS develop a hack into NASA and then the Russians got it and dumped it onto Facebook where a dark shadowy crowd robbed bits of it and used it to hack into the AIB looking for money. I think.

Another Poster mentioned Worms.

I'm looking at the dog now. He looks quite shifty.

whoopsadoodles

WhiteMemento9 wrote: »

Ransomware utilising an SMB exploit (EternalBlue vulnerability) which was discovered by the NSA and then leaked by a group called the Shadow Brokers just over a month ago. This exploit as you say was patched by MS recently.

Windows XP was end of life in April 2014 which means no more security patches from MS.

In many companies they still use very old software for applications which they have never been updated so they simply don't run on later versions of windows which in turn means they never upgraded many computer from XP. It seems this practice is particularly prevalent in the NHS.

The issue with healthcare specifically is legacy systems which as you say, simply do not work on newer servers.

Upgrading 'seemingly' perfectly functioning patient management systems at huge costs, man hours and down time is not something you can convince any non technical "head of decison making" to do.

Vendors of healthcare equipment ans software are shockingly bad at keeping their own systems up to date also, but it's a niche market, and so organisations aren't left with many options.

The bottom line is that IT in hospitals costs money, and makes none, so spending is reduced to the bare minimum.

And then IT get the blame when bad things happen

WhiteMemento9

whoopsadoodles wrote: »

The issue with healthcare specifically is legacy systems which as you say, simply do not work on newer servers.

Upgrading 'seemingly' perfectly functioning patient management systems at huge costs, man hours and down time is not something you can convince any non technical "head of decison making" to do.

Vendors of healthcare equipment ans software are shockingly bad at keeping their own systems up to date also, but it's a niche market, and so organisations aren't left with many options.

The bottom line is that IT in hospitals costs money, and makes none, so spending is reduced to the bare minimum.

And then IT get the blame when bad things happen

Hopefully if anything good comes from this it will be that non-tech people maybe don't roll their eyes when someone is trying to explain the dangers of using such systems on a network.

"The Long Night is coming, and the dead come with it. No clan can stop them, the Free Folk can't stop, the Night's Watch can't stop them, and all the southern kings can't stop them. Only together, all of us. And even then it might not be enough, but at least we'll give the fu**ers a fight". - SysAdmin

heroics

We have the issue in our place as well. Only just got rid of some legacy software that only ran on xp. Still have to keep a couple of vms turned off with xp just in case. Also software that will only run on ie8 or ancient versions of Java etc. These are always business critical but as they work no one will sign off on the cost of the upgrade.

Makes it very frustrating when you know it's vulnerable.

I see Microsoft released an xp patch for this vulnerability today. http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=9e189800-f354-4dc8-8170-7bd0ad7ca09a


According to this the NHS was running xp on 90% of its PCs in 2016.
https://www.infosecurity-magazine.com/news/microsoft-xp-patch-wannacry/

scamalert

anyone that worked as desktop support or sys admin would know it takes few tools who shouldn't even have access to pc in the first place for such crap to happen.

obtaining emails is quite easy from public services since usually its name.surname@nhs.gov.uk put right story in and attach executable link or file and someone out of thousands will click without thinking twice to execute it.

If right measures were in place it will be only headache for IT department to restore from images and backups those affected, and grilling everyone on how to use computer, since many people in such professions could be expert MD's but when it comes to computers or internet any kid past 12 would have more knowledge and common sense.

LordSutch

How come Wales & NI escaped with their NHS computers intact?

WhiteMemento9

scamalert wrote: »

anyone that worked as desktop support or sys admin would know it takes few tools who shouldn't even have access to pc in the first place for such crap to happen.

obtaining emails is quite easy from public services since usually its name.surname@nhs.gov.uk put right story in and attach executable link or file and someone out of thousands will click without thinking twice to execute it.

If right measures were in place it will be only headache for IT department to restore from images and backups those affected, and grilling everyone on how to use computer, since many people in such professions could be expert MD's but when it comes to computers or internet any kid past 12 would have more knowledge and common sense.

That isn't how this worm is spreading. This thing looks for unpatched systems and spreads itself. No click required.

To infect a network it has to find an open port or a forwarded port (445 in this case) to a unpatched machine. It then infects that machine and then scans the local network (inside the firewall) and infects any unpatched machines.

Another part of the problem is that unique to this malware is that it can spread to new machines through cloud sync. Online backup is ineffective against this attack, as any uninfected machine that tries to access the online backup would immediately become infected.

Hard backups for information as large as the NHS data set are going to be huge, time consuming etc. I am not even sure they would be practical unless doing it over set periods of time which doesn't make sense considering the ever changing nature of the data in a health system.

Obviously keeping up to date machines running security is what should be happening.

WhiteMemento9

Random IT guy hits the kill switch.

How to Accidentally Stop a Global Cyber Attacks

Son Of A Vidic

ceadaoin. wrote: »

Apparently it is happening in other countries too

http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/

And it's all an inevitable consequence of NSA and CIA clowns, losing control of the hacking tools they created to spy on everybody.

Stheno

LordSutch wrote: »

How come Wales & NI escaped with their NHS computers intact?

NI have very few xp machines if any

jca

heroics wrote: »

We have the issue in our place as well. Only just got rid of some legacy software that only ran on xp. Still have to keep a couple of vms turned off with xp just in case. Also software that will only run on ie8 or ancient versions of Java etc. These are always business critical but as they work no one will sign off on the cost of the upgrade.

Makes it very frustrating when you know it's vulnerable.

I see Microsoft released an xp patch for this vulnerability today. http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=9e189800-f354-4dc8-8170-7bd0ad7ca09a


According to this the NHS was running xp on 90% of its PCs in 2016.
https://www.infosecurity-magazine.com/news/microsoft-xp-patch-wannacry/

Hark!! Is that the sound of horses hooves travelling away in the distance? One must bolt the stable door immediately...

scamalert

WhiteMemento9 very good description ,tbf didnt read was it virus or anything else.

That said given port 445 and how long its well known could it be that some branches were running win xp and the likes thus someone putting port 445 on access list as permitted to let other services run,since most routers automatically will drop port that isnt specified in acl when creating WAN networks.technical question

Firefox11

jca wrote: »

Hark!! Is that the sound of horses hooves travelling away in the distance? One must bolt the stable door immediately...

You would be probably shocked of the amount of legacy systems and operating systems that are out there running critical pieces of equipment that can't be upgraded that easily.

Running custom applications that were developed maybe 10-15 years ago costing thousands maybe millions to develop at the time.

These systems need to be kept far away for the internet as possable.

Infini

Firefox11 wrote: »

You would be probably shocked of the amount of legacy systems and operating systems that are out there running critical pieces of equipment that can't be upgraded that easily.

Running custom applications that were developed maybe 10-15 years ago costing thousands maybe millions to develop at the time.

These systems need to be kept far away for the internet as possable.

To be honest its not that suprising, any hardware from the last 10 to 15 years is usually using XP as it was the prevalent OS at the time. The problem is software from that far back wont work on newer OS's and hardware as they're not compatable. As such any of these systems would need to be closed off entirely from any connection to the internet or restricted to a completely internal intranet only.

Really something like this was due to happen at some point it just exposes how so much hardware is stuck on older software and the reason why stuff needs to be upgraded or built on platforms that will still be supported a decade from now. Its why MS kinda pushed W10 so hard as they intend to support as much hardware as possible on a single platform that can be upgraded regularly.