
Ransomware & HSE


Comments

  • Moderators, Recreation & Hobbies Moderators Posts: 11,532 Mod ✭✭✭✭igCorcaigh


    Oh damn, the department of health affected too.


  • Registered Users Posts: 1,757 ✭✭✭Deliverance XXV


    igCorcaigh wrote: »
    Oh damn, the department of health affected too.

    Yep...

    "The Department of Health has been the victim of a cyber attack similar to the ransomware attack on the Health Service Executive.

    The Department has also shut down its systems and it is working to safely restore its data."

    https://www.rte.ie/news/ireland/2021/0516/1221933-dept-of-health/


  • Registered Users Posts: 19,802 ✭✭✭✭suicide_circus


    What would they do with patient info?


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    What would they do with patient info?




    Blackmail. Extortion. Anything you can think of


  • Registered Users Posts: 16 markgb


    irishgeo wrote: »
    This is why we need to get rid of passwords.

    Well, I don't know my password, which helped here. I would have had to fire up KeePass to copy whatever random gibberish my password is, and when Chrome didn't autofill, that was a red flag.

    Most of our internal servers are SSH key only, no passwords accepted.


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    What would they do with patient info?

    identity theft.


  • Registered Users Posts: 2,127 ✭✭✭Ger Roe


    I bet the tech bods at revenue.ie are keeping their fingers crossed. :eek:


  • Registered Users Posts: 43,028 ✭✭✭✭SEPT 23 1989


    It would be terrible if they went after Revenue next

    Really terrible


  • Registered Users Posts: 837 ✭✭✭Denny61


    This has been helped by people working in the HSE or with access to their computers. All they do is open links or upload a piece of software from within to let in the big boys, like leaving the alarm off or turning the key in the door to open it.


  • Registered Users Posts: 16,586 ✭✭✭✭Galwayguy35


    Would the 2 big banks here be a target for these guys?


  • Registered Users Posts: 4,573 ✭✭✭Infini


    Badly fukt wrote: »
    Security key or biometrics are far more secure than passwords

    OTP authentications are passwords but they're a lot more secure because they expire after a minute or 2. It was rolled out to the likes of WoW and FFXI/FFXIV to mitigate account jacking by Chinese currency farmers and drastically reduced this.
    Denny61 wrote: »
    This has been helped by people working in the HSE or with access to their computers. All they do is open links or upload a piece of software from within to let in the big boys, like leaving the alarm off or turning the key in the door to open it.

    In all honesty what it requires in this day and age is that people need to be trained and educated to be able to recognise these attacks early on. On the company side of things it means these companies need to invest in secure and robust verification and authentication software/hardware so outside actors cannot get into a system easily.


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    Financially focused organisations generally have good IT security and awareness of it. These guys are more likely to pick off low hanging fruit.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    Fresh attack on Dept of Health. Good news for bitcoin!

    Fresh attack or spread from HSE due to obvious close relationship?


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    Wombatman wrote: »
    Fresh attack or spread from HSE due to obvious close relationship?

    Seems likely as the two organisations are heavily overlapping.

    Doesn’t sound like it’s been contained though.


  • Registered Users Posts: 8,404 ✭✭✭BrianD3


    Infini wrote:
    In all honesty what it requires in this day and age is that people need to be trained and educated to be able to recognise these attacks early on. On the company side of things it means these companies need to invest in secure and robust verification and authentication software/hardware so outside actors cannot get into a system easily.

    Even with spear-phishing/phishing emails and messages being much more sophisticated than in the past, IME there are always very obvious alarm bells that should ring if people are paying attention to/engaged with their work.

    The problem is, they're not. If there was a financial penalty for these types of user errors, that would focus their minds on what they're doing. Good thing they're not driving HGVs, operating dangerous machinery etc. where "ooops I don't know why I did that" doesn't cut it.

    A few years ago I heard of a phishing simulation which was run post training: an email with "click here to enlarge your penis!" which pointed to a strange .ru URL. Caught a few people, including some women. Jesus wept.


  • Registered Users Posts: 7,689 ✭✭✭whippet


    BrianD3 wrote: »

    A few years ago I heard of a phishing simulation which was run post training: an email with "click here to enlarge your penis!" which pointed to a strange .ru URL. Caught a few people, including some women. Jesus wept.

    I’d say that is a bit of a porkie pie … I’ve never seen simulation phishing emails with content like that


  • Registered Users Posts: 10,234 ✭✭✭✭Hurrache


    jams100 wrote: »
    Does anyone know what IT company the HSE works with? It's not SAP anyway afaik

    Read they use DXC for financial management/procurement.

    Is it a case of they cheaped out of the bigger companies here? (Not saying this ransomware attack wouldn't have happened if they were working with a particular IT company). Just interested to know who they actually work with? I'm going to hazard a guess and say multiple companies for different functional areas.

    DXC is one of the top 5 biggest IT companies in the world, has been for decades. And systems this size tend to use a variety of companies.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    This wasn't a case of the HSE having some Windows NT, ME (Remember ME? :D) or even XP systems exposed to the Internet, winking suggestively at ransomware operators. You could be operating a network of systems all running the absolute latest supported operating system version and patched to the hilt and still get ransomware. People don't understand that. The question is really "What was the initial compromise that allowed the ransomware operators to establish a foothold in the HSE network?" This is usually a well crafted phishing email that in the end someone, innocently and mistakenly, executed on their system.

    Cue the hordes of experts who want to talk about user education. (yawn)

    Now, an effective AV or an endpoint agent should have caught this and prevented it - 100%. This should be reviewed and hopefully will be, post-incident-response, during the remediation phase and lessons learned phase.

    Cue someone with another hot take, asking who's first against the wall when the accountability police show up.

    Now once inside a network, yeah, there were probably some systems that needed patching, and the model of trust is in place because "the Internet can't reach those". A common mistake, the perimeter doesn't really exist nor protect you anymore. Also, having been on both sides of the defensive and offensive infosec fence, the way Windows networks operate - once you're on them, oh my - it's fingers in the pie and who's your sister territory.

    Mistakes happen and the information security industry exists because these things happen, and it isn't the Olympic Destroyer of the HSE. Would proper firewall policies and content scanning proxies have worked? Probably - another thing on the Todo Scroll for the HSE and the teams they have in place to perform the incident response investigation and remediation.

    This is a solid post. So you are talking about layers of infrastructure and networking that need to be protected. The less protection across the layers, the higher the probability of a successful attack, right? Going to stick it here as a backdrop to what follows. Yes mistakes happen, but how many mistakes have to happen before it is unacceptable?

    OK. Let's address the zero day claim.
    - It was made hours after the attack, when people could have no idea of the nature or scale of the attack.
    - For an attack of this scale to be successful, it relies on exploiting a chain of vulnerabilities (see above post). Were all these vulnerabilities then zero day?
    - With Conti, it can take days or weeks, from the initial breach, to the day of shutdown, to lay the groundwork for the attack i.e. time to plan, time to encrypt and time to spread. Again this does not go along with the zero day claim.

    Organizations and individuals are constantly under attack. Bots, port sniffers, spurious emails etc etc are constantly running and being sent out in the hope of spotting a chink in the cybersecurity armor. Once a chink is found, dedicated resources are applied to the attack to see if more exploits can be found. The more exploits found the more people in the hacking group get to work on the attack. While all this is going on the hackers are hoping to remain undetected.

    The most vulnerable usually end up being the most likely victims of successful attacks. This comes down to negligence or ignorance in most cases, often wilful.

    The fact zero day claims were made on public radio, targeted at Joe public, hours after the attack tells you all you need to know about where HSE management are going on this. Nothing to see here, nothing we could have done, we did our best, you don't know what you are talking about anyway because you are not a cybersecurity expert.

    Seeing as we are dealing with the HSE think about the history of medical negligence in the country and how it was dealt with. Nothing to see here, nothing we could have done, we did our best, you don't know what you are talking about anyway because you are not a medical expert. Think Vicky Phelan et al.

    From experience, I expect in 6 months or a year, when all of the details come out about the nature of this attack, we will see a shocking degree of willful negligence from top management, for whatever reason, budgets or brains.

    Fully expecting a few "This is the dumbest post I've ever read on boards." or "I bet you were an expert on the pandemic too." cowboys to respond to this, without addressing my points in any way, but hey, that's life on the interwebs.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,672 CMod ✭✭✭✭magicbastarder


    markgb wrote: »
    I'm decades in the game and I nearly fell for this one.

    I used to know a poor bastard who pulled really long shifts during a virus outbreak, while going home and looking after a very poorly wife and kid, and was utterly exhausted from all the toing and froing, who after a couple of days accidentally opened a mail he shouldn't have and reintroduced the virus. Poor sod was marched off site.

    I *think* it was Melissa, was a long time ago.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    Seems likely as the two organisations are heavily overlapping.

    Doesn’t sound like it’s been contained though.

    Next Social Welfare, then Revenue?


  • Registered Users Posts: 2,426 ✭✭✭ressem


    BrianD3 wrote: »
    Even with spear-phishing/phishing emails and messages being much more sophisticated than in the past, IME there are always very obvious alarm bells that should ring if people are paying attention to/engaged with their work.

    99% maybe. 1% ish are targeted. The attackers have spent money registering a domain visually similar to your own. They have got the certs purchased for it. They have it hosted on infrastructure like Azure, shared by your own company. They register it with the security companies, to get it past the "newly observed domain" checks on the firewall. The 365 MFA page is a copy of your company's customised one. If your company's settings aren't done well, the SMS request code can be passed through.
    BrianD3 wrote: »
    The problem is, they're not. If there was a financial penalty for these type of user errors, that would focus their minds on what they're doing. Good thing they're not driving HGVs, operating dangerous machinery etc. where "ooops I don't know why I did that" doesn't cut it.

    Based on the number of times that industrial operators try personally endangering actions to get around small obstacles, I suspect that a financial penalty would only improve a small percentage of mistakes.

    For industrial equipment, there's guard rails and barriers, and signs and training, big red emergency stop buttons and alarms.
    Industry wide lessons learned and communicated.

    In the IT industry, there's a token, minimum business inconvenience effort in comparison.
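The lookalike-domain phishing ressem describes above (a visually similar domain that sails past "newly observed domain" checks) can be caught from the defender's side by comparing every domain users reach against the organisation's own. The following Python example is added here and is not from the thread; it assumes a constructed proxy log format (`user=… dst=…`), a hypothetical own domain `example-health.ie`, and a deliberately small confusables table that a real deployment would extend:

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed outbound-proxy log lines (sample data, not real traffic). Line 2 has a
# Cyrillic "а" (U+0430) instead of Latin "a"; line 3 has the digit "1" instead of "l".
SAMPLE_LOG = """\
2021-05-14T08:01:12Z user=jdoe dst=login.microsoftonline.com action=allow
2021-05-14T08:03:40Z user=jdoe dst=ex\u0430mple-health.ie action=allow
2021-05-14T08:05:02Z user=asmith dst=examp1e-health.ie action=allow
2021-05-14T08:07:55Z user=asmith dst=example-health.ie action=allow
2021-05-14T08:09:13Z user=bkelly dst=cdn.azureedge.net action=allow
"""

# Characters and digraphs often swapped for visually similar ones in lookalike
# registrations. Deliberately small (assumption); extend from Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",  # digits
    "rn": "m", "vv": "w",  # digraphs that render like a single letter
}


def skeleton(domain: str) -> str:
    """Reduce a domain to the shape a human perceives when reading it."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)  # longest substitutions first
    return s


def lookalike_score(candidate: str, own: str) -> float:
    """1.0 means the domains look identical once confusables are folded."""
    return SequenceMatcher(None, skeleton(candidate), skeleton(own)).ratio()


def flag_lookalikes(log_text: str, own_domain: str, threshold: float = 0.8):
    """Return users who reached a domain that resembles, but is not, our own."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"user=(\S+)\s+dst=(\S+)", line)
        if not m:
            continue
        user, dst = m.groups()
        if dst.lower() == own_domain.lower():
            continue  # the genuine domain itself is never a lookalike
        score = lookalike_score(dst, own_domain)
        if score >= threshold:
            hits.append({"user": user, "dst": dst, "score": round(score, 2)})
    return hits


if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_LOG, "example-health.ie"):
        print(f"ALERT {hit['user']} -> {hit['dst']} (score {hit['score']})")
```

Run against the sample log it flags the Cyrillic and digit-substituted domains only; in practice the same check would run over new-domain alerts from the proxy or DNS logs, not just allowed traffic.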


  • Registered Users Posts: 4,935 ✭✭✭fly_agaric


    It would be terrible if they went after Revenue next

    Really terrible

    Ha am sensing sarcasm there, so guessing you're not on some Covid-19 support scheme or waiting for a VAT (edit: or other tax I suppose...) refund! :eek:


  • Registered Users Posts: 40,040 ✭✭✭✭Itssoeasy


    Wombatman wrote: »
    Fresh attack or spread from HSE due to obvious close relationship?

    Well the RTE headline seems to suggest it was a separate attack.

    And there’s the cyber attack on the pipeline in the US.


  • Registered Users Posts: 43,028 ✭✭✭✭SEPT 23 1989


    fly_agaric wrote: »
    Ha am sensing sarcasm there, so guessing you're not on some Covid-19 support scheme or waiting for a VAT (edit: or other tax I suppose...) refund! :eek:

    No refunds for me, I have to give them a few bob next week.


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    Itssoeasy wrote: »
    Well the RTE headline seems to suggest it was a separate attack.

    And there’s the cyber attack on the pipeline in the US.

    The cyber attack on the pipeline is over. They paid the ransom and got the systems back up slowly.

    Then the authorities traced back the bitcoin. Emptied the account. They got hosting companies to close their blog and website.

    The hackers disbanded. Now they've probably just gone away for a while or deeper underground, but that's how that attack ended.


  • Registered Users Posts: 573 ✭✭✭nazmoalex


    If both the HSE and the Department of Health spotted their issues on Thursday, why has it taken until today to announce the attack on the DoH?


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    irishgeo wrote: »
    The cyber attack on the pipeline is over. They paid the ransom and got the systems back up slowly.

    Then the authorities traced back the bitcoin. Emptied the account. They got hosting companies to close their blog and website.

    The hackers disbanded. Now they've probably just gone away for a while or deeper underground, but that's how that attack ended.

    It's interesting that DarkSide appears to have suffered a fairly immediate counter-attack just after Biden signed an Executive Order targeting Cyber Criminality, probably triggered by the Colonial pipeline attack.

    This is now extending to the removal of ransomware-related posts/chats from a number of online forum sites, as well as some moves by pirating tool sellers (REvil) to limit their toolset usage against Healthcare, Education and Government.

    I suspect that US cyber-crime fighting agencies have been building their own capabilities against these gangs for some time and now have enough deep knowledge to declare all-out cyber-war on them. I'm hoping for some serious wound-infliction to be visited on all these gangs of thugs imminently!


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    TomOnBoard wrote: »
    It's interesting that DarkSide appears to have suffered a fairly immediate counter-attack just after Biden signed an Executive Order targeting Cyber Criminality, probably triggered by the Colonial pipeline attack.

    This is now extending to the removal of ransomware-related posts/chats from a number of online forum sites, as well as some moves by pirating tool sellers (REvil) to limit their toolset usage against Healthcare, Education and Government.

    I suspect that US cyber-crime fighting agencies have been building their own capabilities against these gangs for some time and now have enough deep knowledge to declare all-out cyber-war on them. I'm hoping for some serious wound-infliction to be visited on all these gangs of thugs imminently!

    Taking their bitcoin must have hurt.


  • Posts: 17,378 ✭✭✭✭ [Deleted User]


    Ransom should be paid and then build up security. Paying it doesn't increase the amount of attacks like a normal blackmail demand where they still have you hostage.

    The people who do these attacks always "do right" when paid so they get paid by others in the future.


  • Registered Users Posts: 8,184 ✭✭✭riclad


    They have had access to the HSE system for 2 weeks, they have had a chance to copy all user medical data on any HSE customer, families, employees etc.
    If the ransom is not paid this data could be released on the web, just
    like happened with 500k Facebook users' personal data in the last year.
    I'd be surprised if the HSE is not using some PCs running Windows 7. Of course they will say it's a zero day exploit/hack, otherwise they have to admit their IT system was maybe running old software or software that was not updated or running the latest security updates, patches.
    It makes no difference if we could track down the hackers, they seem to be a Soviet Union hacker group.
    The chances of them being punished is close to zero,
    what might happen is maybe the websites they use might be shut down by hosting companies.
    Of course hackers will be interested in hacking Irish companies or banks, they will attack anyone that has a network of PCs and has the finance to pay million dollar ransoms.
    Very few people rob banks in person anymore, it's a lot easier to run malware and attack companies and hack the network and demand a ransom.
    The chances of being caught or arrested is very low,
    there's a reason why most hackers are located in Russia, eastern Europe.
    In the 70s robbing banks in person was common before extra security measures were put in place.

