
Ransomware & HSE


Comments

  • Registered Users Posts: 1,199 ✭✭✭bren2002


    James.. wrote: »
    Out of curiosity, what could happen if someone hacked Coinbase?

    Could they transfer billions in crypto?

    Read up on Mt. Gox.


  • Registered Users Posts: 264 ✭✭Fantomas9mm


    BattleCorp wrote: »
    You don't think a State would like a slush fund to carry out covert operations?

    What's a slush fund, sorry?

    I guess my point is, I don't think people should assume that getting a few quid in Bitcoin is the definite motivation here.


  • Registered Users Posts: 11,789 ✭✭✭✭BattleCorp


    What's a slush fund, sorry?

    I guess my point is, I don't think people should assume that getting a few quid in Bitcoin is the definite motivation here.

    slush fund: a reserve of money used for illicit purposes, especially political bribery.

    Governments do dodgy things. Having a fund that can't be traced back to you to finance those dodgy things comes in handy.

    That's if it's a country doing the hacking. Could just as easily be someone in their bedroom or a more sophisticated criminal enterprise.

    I can't see what other motivation that anybody could have other than getting their hands on a few bob.


  • Registered Users Posts: 8,184 ✭✭✭riclad


    I think in most cases where ransomware is involved from Russia, it's private hacker groups simply looking for money. China and North Korea have government hackers to get access to data, e.g. military data such as info on planes, weapons and military staff. I think Russian hacker groups are free to attack anyone as long as they do not attack Russian companies or the Soviet state. And there's plenty of wealthy companies in Europe or America which are vulnerable to skilled professional hackers.


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    Can any network security people tell me how 700GB of data being uploaded isn't automatically flagged? Are they not constantly running packet sniffers etc.? I know that the hackers can probably reshape the packets to try to avoid detection, but surely that volume would have to be flagged. Would the hackers break it up into much smaller chunks and then send the different chunks to different destinations?

    Surely the network traffic is or could be monitored by separate servers? So that any hackers wouldn't be able to jump from the regular network to the monitoring servers?


  • Registered Users Posts: 3,567 ✭✭✭swampgas


    Can any network security people tell me how 700GB of data being uploaded isn't automatically flagged? Are they not constantly running packet sniffers etc.? I know that the hackers can probably reshape the packets to try to avoid detection, but surely that volume would have to be flagged. Would the hackers break it up into much smaller chunks and then send the different chunks to different destinations?

    Surely the network traffic is or could be monitored by separate servers? So that any hackers wouldn't be able to jump from the regular network to the monitoring servers?

    No idea, but if medical images (e.g. MRI scans, Xrays, etc) are routinely passed into and out of the network, 700 GB of additional data might not be so obvious.

    (And I repeat, I've no idea how much data typically goes in and out of the HSE network, just saying that it might be a lot more than we might guess.)


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    I can see it now


    Have you been affected by the HSE DATA LEAK ?

    You may be entitled to compensation

    Call us at HSEDATALEAK-MONEY-4-U.com


  • Registered Users Posts: 53 ✭✭rf1980


    Axa’s Asian operations hit in ransomware attack
    https://www.ft.com/content/4443da60-6d90-4d27-b300-b0896425f99f

    Could be a taste of things to come.

    The post said the data were taken from its units in Thailand, the Philippines, Hong Kong and Malaysia, and included customers’ personally identifiable information, medical records and claims, as well as data from hospitals and doctors.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    Can any network security people tell me how 700GB of data being uploaded isn't automatically flagged? Are they not constantly running packet sniffers etc.?
    700GB isn't a lot on a big network.

    There might be some sort of weekly report produced on a firewall which some junior analyst gets to review, but they've a million other things to be doing and won't spend much time chasing down data transfers.

    A ransomware gang like this will be careful to transfer the data to servers located in non-obvious locations i.e. it will probably be a 700GB transfer to somewhere like Amazon over a period of days or weeks, not something obviously fishy like a big dump to Russia.

    This stuff is difficult to detect, and very few can afford teams of people sitting around reviewing logs day-in day-out. After the fact it's very easy to say what would have detected it, but that's not much good when you've literally hundreds of "unusual" things happening every week and you only have the resources to investigate a few of them.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    hmmm wrote: »
    700GB isn't a lot on a big network.

    There might be some sort of weekly report produced on a firewall which some junior analyst gets to review, but they've a million other things to be doing and won't spend much time chasing down data transfers.

    A ransomware gang like this will be careful to transfer the data to servers located in non-obvious locations i.e. it will probably be a 700GB transfer to somewhere like Amazon over a period of days or weeks, not something obviously fishy like a big dump to Russia.

    This stuff is difficult to detect, and very few can afford teams of people sitting around reviewing logs day-in day-out. After the fact it's very easy to say what would have detected it, but that's not much good when you've literally hundreds of "unusual" things happening every week and you only have the resources to investigate a few of them.

    I would hope the HSE have a SOC and SIEM. They don't need a huge team of people sitting around reviewing. The SIEM technology, once set up with the correct rules, will notify the analysts of abnormal behaviour. This is not difficult to detect, the software does it for you, of course once set up correctly.

    Nobody in this day & age should have a junior analyst reviewing millions and millions of events.


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    hmmm wrote: »
    700GB isn't a lot on a big network.

    There might be some sort of weekly report produced on a firewall which some junior analyst gets to review, but they've a million other things to be doing and won't spend much time chasing down data transfers.

    A ransomware gang like this will be careful to transfer the data to servers located in non-obvious locations i.e. it will probably be a 700GB transfer to somewhere like Amazon over a period of days or weeks, not something obviously fishy like a big dump to Russia.

    This stuff is difficult to detect, and very few can afford teams of people sitting around reviewing logs day-in day-out. After the fact it's very easy to say what would have detected it, but that's not much good when you've literally hundreds of "unusual" things happening every week and you only have the resources to investigate a few of them.




    I'd imagine that ML could easily be leveraged to detect and flag unusual traffic and transfers. One would imagine that the data is pulled on-the-fly from DBs for the regular use? That the users aren't actively saving copies of that onto local machines. It's probably cached on the server side alright for efficiency purposes.



    Surely a lot of their front end programs in user space are just calling certain stored procedures over and over again. I'd imagine that the end user doesn't have direct access to the underlying DB structure. Then how many users have roles set up to access this data? More likely done via a service account. Surely that application layer can then be monitored automatically too. So that if a user/application has an unusual pattern of queries that something is automatically flagged.


    I understand these things would be irrelevant in terms of preventing an attack and that the priority needs to be on keeping them out. But from a layman's point of view, surely there are things that could trigger alarms. Or at least make extraction of data more complicated and slower.



    Could they not set up some kind of DMZ between the general network and the storage then to prevent hackers jumping to the machines monitoring that access?


    I'm not a network security person at all. Just a layman for this stuff. Possibly asking stupid questions.
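
Added example of the kind of rule hmmm, ineedeuro and Donald Trump are arguing about in the posts above: a per-host egress baseline run over flow summaries. This is not code from any poster and says nothing about how the HSE network is actually monitored; the host names, addresses and daily volumes are constructed. The point it shows is that 700GB is invisible against a single global threshold when an imaging server legitimately moves more than that every week, but a workstation that goes from a few hundred MB a day to several GB a day, mostly to one cloud address, stands out as soon as it is compared with its own history.

```python
"""Slow-exfiltration detector over flow summaries (constructed sample data).

Added example, not code from any poster or from the HSE. Hosts, addresses and
volumes are invented; the technique is the per-host baseline, not the numbers.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MB = 1_000_000
GB = 1_000_000_000


def constructed_flows():
    """21 days of (day, src_host, dst_ip, bytes_out) summaries, the shape a flow
    collector or firewall log gives after daily aggregation. Constructed data."""
    start = date(2021, 4, 20)
    flows = []
    for d in range(21):
        day = start + timedelta(days=d)
        # PACS server: legitimately ships ~60 GB of imaging a day to a partner site
        flows.append((day, "pacs-01", "203.0.113.10", 60 * GB))
        # ordinary workstation: a few hundred MB of web traffic a day
        flows.append((day, "ws-admin-12", "198.51.100.5", 300 * MB))
        # compromised workstation: unremarkable for two weeks, then 8 GB/day to one cloud IP
        flows.append((day, "ws-hr-07", "198.51.100.5", 250 * MB))
        if d >= 14:
            flows.append((day, "ws-hr-07", "192.0.2.44", 8 * GB))
    return flows


def detect_slow_exfiltration(flows, window_days=7, ratio=4.0, min_total=5 * GB):
    """Alert on hosts whose egress over the last window_days is far above their
    own median daily baseline from the preceding days.

    A global threshold would rank pacs-01 first every day; comparing each host
    with itself is what surfaces a workstation that quietly went from 250 MB/day
    to 8 GB/day. min_total keeps tiny hosts that double from 10 MB out of the queue."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    per_host_window_dst = defaultdict(lambda: defaultdict(int))
    days = sorted({f[0] for f in flows})
    window = set(days[-window_days:])
    for day, host, dst, nbytes in flows:
        per_host_day[host][day] += nbytes
        if day in window:
            per_host_window_dst[host][dst] += nbytes

    alerts = []
    for host, by_day in per_host_day.items():
        history = [v for d, v in by_day.items() if d not in window]
        if not history:
            continue  # nothing to baseline against; a brand-new host needs a different rule
        baseline = median(history)
        recent = sum(v for d, v in by_day.items() if d in window)
        expected = baseline * window_days
        if recent < min_total or recent <= ratio * expected:
            continue
        # where did the excess go? a single external destination is the tell-tale
        top_dst, top_bytes = max(per_host_window_dst[host].items(), key=lambda kv: kv[1])
        alerts.append({
            "host": host,
            "recent_bytes": recent,
            "expected_bytes": expected,
            "ratio": recent / expected if expected else float("inf"),
            "top_dst": top_dst,
            "top_dst_share": top_bytes / recent,
        })
    return sorted(alerts, key=lambda a: a["ratio"], reverse=True)


if __name__ == "__main__":
    for a in detect_slow_exfiltration(constructed_flows()):
        print(f"{a['host']}: {a['recent_bytes'] / GB:.1f} GB in window vs "
              f"{a['expected_bytes'] / GB:.1f} GB expected ({a['ratio']:.0f}x), "
              f"{a['top_dst_share']:.0%} of it to {a['top_dst']}")
```

With the constructed data only ws-hr-07 is reported: 57.75 GB in the last week against 1.75 GB expected, about 97% of it to one address, while pacs-01 moves 420 GB in the same week without an alert. A SIEM expresses the same thing as a scheduled search over firewall or NetFlow data keyed on source host; the hard part in practice is the baselining (new hosts, weekend dips, legitimate bulk jobs) rather than the arithmetic.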


  • Registered Users Posts: 7,422 ✭✭✭MrMusician18


    James.. wrote: »
    Out of curiosity, what could happen if someone hacked Coinbase?

    Could they transfer billions in crypto?

    Coinbase and the like claim that the vast majority of crypto they hold are in cold wallets, which as far as I understand are not connected to the internet. Think of this as a vault.

    If you're buying or selling you're trading with a small amount of coins that are effectively float. Think of this as the money in the till or as it's known, the hot wallet. If they need more coins they transfer these from the cold wallet. If the site is hacked then only the hot wallet can be stolen. That's the theory anyway.


  • Registered Users Posts: 264 ✭✭Fantomas9mm


    BattleCorp wrote: »
    I can't see what other motivation that anybody could have other than getting their hands on a few bob.

    Not saying you are right or wrong, but I wouldn't rule out other motivations.

    How many people actually pay the ransom?

    The data stolen is worth a lot more.


  • Closed Accounts Posts: 5 James..


    Coinbase and the like claim that the vast majority of crypto they hold are in cold wallets, which as far as I understand are not connected to the internet. Think of this as a vault.

    If you're buying or selling you're trading with a small amount of coins that are effectively float. Think of this as the money in the till or as it's known, the hot wallet. If they need more coins they transfer these from the cold wallet. If the site is hacked then only the hot wallet can be stolen. That's the theory anyway.

    How does the cold wallet transfer to the hot wallet then?


  • Registered Users Posts: 185 ✭✭dublinbando


    James.. wrote: »
    How does the cold wallet transfer to the hot wallet then?

    Manual transfer, so hot wallet usually has enough coins to float the day to day transactions and if more coins are needed the hot wallet is manually topped up from cold storage funds. The hot wallet usually has a limit to how many coins it can hold before automatically transferring excess coins to cold storage.


  • Registered Users Posts: 26,988 ✭✭✭✭Dempo1


    I wonder how much of a problem it is now that HSE hospitals use many different programmes and software with very little integration. There are many different EMRs and scanning archives in use. One system for radiology (which is common across most public hospitals), another for bloods, another for pathology, and all hospitals use varying types of admin systems. By contrast, private hospitals tend to use fully integrated systems. Some hospitals are faring better than others depending on who is using EMR, but all radiology, labs and other critical services are crippled.

    Hopefully everything can resume on Monday at the latest.

    I'm curious about why MRI scans are being cancelled, given the hospital I'm due to attend for a long-awaited MRI does not run the MRI equipment; it's run by a private company, and, I believe, in a number of other hospitals. Whilst I assume the issue might be to do with doctors getting access to results, it just seems odd this IT systems attack would also be affecting a private company's operations. Surely scans could be done with a slight delay in accessing results? I'm keeping my fingers crossed my appointment won't be cancelled on the 25th.

    A friend's eye is a good mirror. (Is maith an scáthán súil charad.)




  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    Dempo1 wrote: »
    I'm curious about why MRI scans are being cancelled, given the hospital I'm due to attend for a long-awaited MRI does not run the MRI equipment; it's run by a private company, and, I believe, in a number of other hospitals. Whilst I assume the issue might be to do with doctors getting access to results, it just seems odd this IT systems attack would also be affecting a private company's operations. Surely scans could be done with a slight delay in accessing results? I'm keeping my fingers crossed my appointment won't be cancelled on the 25th.




    They likely don't want any systems on that network turned on at all until they know how to deal with the issue. They might be trying to clean each one in isolation and only reconnecting them when they think they have everything fully cleaned.


  • Registered Users Posts: 3,584 ✭✭✭dubrov


    Manual transfer, so hot wallet usually has enough coins to float the day to day transactions and if more coins are needed the hot wallet is manually topped up from cold storage funds. The hot wallet usually has a limit to how many coins it can hold before automatically transferring excess coins to cold storage.

    I can't see that offering much protection.
    It would obviously highlight a one-off massive withdrawal but Bitcoin is a public ledger anyway so something like that would likely be traced and caught anyway.

    It wouldn't protect against a slow bleed of coins being siphoned off that would be long sold and withdrawn from the banking system before alarms are raised.


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    dubrov wrote: »
    I can't see that offering much protection.
    It would obviously highlight a one-off massive withdrawal but Bitcoin is a public ledger anyway so something like that would likely be traced and caught anyway.

    It wouldn't protect against a slow bleed of coins being siphoned off that would be long sold and withdrawn from the banking system before alarms are raised.




    You need access to the cold wallet to transfer from it I'd say. If it is software but stored on a machine that isn't accessible remotely at all (as in completely airgapped) then nobody from outside can get to it.


    I don't do anything with bitcoin or other cryptocurrency. It's just my understanding which may be incorrect


  • Registered Users Posts: 185 ✭✭dublinbando


    dubrov wrote: »
    I can't see that offering much protection.
    It would obviously highlight a one-off massive withdrawal but Bitcoin is a public ledger anyway so something like that would likely be traced and caught anyway.

    It wouldn't protect against a slow bleed of coins being siphoned off that would be long sold and withdrawn from the banking system before alarms are raised.

    It offers massive protection, and just because Bitcoin is a public ledger doesn't mean that stolen coins can be easily traced. Maybe if the thief was an idiot and tried to cash out stolen bitcoin directly to their own bank account.

    Edit: Also there have been plenty of huge bitcoin heists; this is why the hot/cold storage system exists.


  • Registered Users Posts: 26,988 ✭✭✭✭Dempo1


    They likely don't want any systems on that network turned on at all until they know how to deal with the issue. They might be trying to clean each one in isolation and only reconnecting them when they think they have everything fully cleaned.

    Thanks, I'm beginning to feel this issue is far worse than is being reported.

    A friend's eye is a good mirror. (Is maith an scáthán súil charad.)




  • Registered Users Posts: 3,584 ✭✭✭dubrov


    You need access to the cold wallet to transfer from it I'd say. If it is software but stored on a machine that isn't accessible remotely at all (as in completely airgapped) then nobody from outside can get to it.

    Yes, but at the end of the day, there would be a daily requirement to transfer money to/from the cold wallet. It would be hard to identify a problem if only a small amount is siphoned off daily


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    dubrov wrote: »
    Yes, but at the end of the day, there would be a daily requirement to transfer money to/from the cold wallet. It would be hard to identify a problem if only a small amount is siphoned off daily


    They'd know as soon as it was gone.


    Think of it as totting up the float at the end of the day. If someone has come in and raided the till while your back was turned, you'll spot the discrepancy. But they'll only have been able to take a maximum of what was in the till. The rest is in the safe out the back.


  • Registered Users Posts: 3,584 ✭✭✭dubrov


    It offers massive protection, and just because Bitcoin is a public ledger doesn't mean that stolen coins can be easily traced. Maybe if the thief was an idiot and tried to cash out stolen bitcoin directly to their own bank account.

    So how do you spend bitcoins from a dodgy wallet that the authorities are aware of?

    I'd imagine the large Bitcoin heists had cashed out the coins using phony/mule bank accounts long before the fraud was detected.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    Can any network security people tell me how 700GB of data being uploaded isn't automatically flagged? Are they not constantly running packet sniffers etc.? I know that the hackers can probably reshape the packets to try to avoid detection, but surely that volume would have to be flagged. Would the hackers break it up into much smaller chunks and then send the different chunks to different destinations?

    Surely the network traffic is or could be monitored by separate servers? So that any hackers wouldn't be able to jump from the regular network to the monitoring servers?

    Probably using a variant of this. 700GB compressed is not a lot over two weeks.
    In early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created anchor_dns, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.

    anchor_dns is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. anchor_dns uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string anchor_dns can be found in the DNS request traffic.

    https://us-cert.cisa.gov/ncas/alerts/aa20-302a
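
Added example, not part of the CISA alert or of the post above, of how a blue team would triage the DNS tunnelling the alert describes: score each (client, domain) pair over a query log on subdomain uniqueness, label length and entropy, and, for labels that decode as hex, XOR them with the 0xB9 key the alert reports to see whether the `anchor_dns` marker appears. The log lines, hosts and domains are constructed; the key and the marker string are the only details taken from AA20-302A, and carrying hex-encoded chunks in the first label is an assumption made for the example, not a description of the real anchor_dns wire format.

```python
"""DNS-tunnelling triage over a constructed query log, with the anchor_dns XOR check.

Added example, not code from the CISA alert or the original post. Hosts, domains
and log lines are constructed; the XOR key 0xB9 and the marker 'anchor_dns' are
the only details taken from AA20-302A. Hex-in-first-label is an assumption.
"""
import hashlib
import math
from collections import defaultdict

ANCHOR_XOR_KEY = 0xB9
ANCHOR_MARKER = b"anchor_dns"


def xor_bytes(data: bytes, key: int = ANCHOR_XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def reveals_anchor_marker(raw: bytes) -> bool:
    """True if XOR-decoding with the reported key exposes the anchor_dns string."""
    return ANCHOR_MARKER in xor_bytes(raw)


def shannon_entropy(text: str) -> float:
    """Bits per character; hex/base32 tunnel labels sit well above real hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' split; production code should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_query_log(lines):
    """Yield (client, qname) from constructed 'timestamp client qname qtype' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            yield parts[1], parts[2].lower()


def find_dns_tunnels(lines, min_queries=20, min_entropy=3.2, min_label_len=30):
    """Flag (client, domain) pairs whose subdomains look like data, not hostnames."""
    stats = defaultdict(lambda: {"n": 0, "uniq": set(), "ent": 0.0, "len": 0, "marker": False})
    for client, qname in parse_query_log(lines):
        domain = registered_domain(qname)
        sub = qname[: -len(domain) - 1] if qname != domain else ""
        if not sub:
            continue
        first = sub.split(".")[0]
        s = stats[(client, domain)]
        s["n"] += 1
        s["uniq"].add(sub)
        s["ent"] += shannon_entropy(first)
        s["len"] += len(first)
        try:  # if the label is hex, XOR with the known key and look for the marker
            s["marker"] |= reveals_anchor_marker(bytes.fromhex(first))
        except ValueError:
            pass  # ordinary labels such as 'www' are not hex
    alerts = []
    for (client, domain), s in stats.items():
        if s["n"] < min_queries:
            continue
        uniq_ratio = len(s["uniq"]) / s["n"]   # tunnels never repeat a label
        avg_ent = s["ent"] / s["n"]
        avg_len = s["len"] / s["n"]
        if uniq_ratio > 0.9 and avg_ent >= min_entropy and avg_len >= min_label_len:
            alerts.append({"client": client, "domain": domain, "queries": s["n"],
                           "avg_entropy": round(avg_ent, 2), "avg_label_len": round(avg_len, 1),
                           "anchor_marker": s["marker"]})
    return alerts


def constructed_log():
    """Benign repeated lookups from one host plus one host tunnelling data out."""
    lines = []
    for i in range(30):
        lines.append(f"2021-05-10T03:{i:02d}:00Z 10.20.30.5 www.hse-example.test A")
        lines.append(f"2021-05-10T03:{i:02d}:30Z 10.20.30.5 mail.hse-example.test MX")
    for i in range(40):  # each query carries 32 XOR'd bytes as a 64-char hex label
        chunk = hashlib.sha256(f"chunk{i}".encode()).digest()  # stands in for encrypted data
        if i == 0:
            chunk = ANCHOR_MARKER + chunk[: 32 - len(ANCHOR_MARKER)]  # beacon carries the marker
        label = xor_bytes(chunk).hex()
        lines.append(f"2021-05-10T04:{i:02d}:00Z 10.20.30.40 {label}.c2-example.test TXT")
    return lines


if __name__ == "__main__":
    for a in find_dns_tunnels(constructed_log()):
        print(a)
```

Only the 10.20.30.40 to c2-example.test pair is reported, with the marker found in its first query; the 60 benign lookups share two labels and never reach the uniqueness threshold. Against a real resolver log the same scoring is what makes long-running tunnels visible even when the per-query volume is tiny, which is exactly why "700GB over two weeks" does not have to look like a bulk upload on the firewall.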


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    dubrov wrote: »
    So how do you spend bitcoins from a dodgy wallet that the authorities are aware of?

    I'd imagine the large Bitcoin heists had cashed out the coins using phony/mule bank accounts long before the fraud was detected.




    I don't think so.


    The FBI seized 1bn USD worth of bitcoin from a hacker last year.


    He had stolen it in a hack of the Silk Road website before it was closed down. The US authorities tracked him down eventually and he handed it over. They tracked him down due to a very small fraction that was moved out a few years back.



    I also think that one of the major early bitcoin hacks, could have been Mt. Gox, was transferred to a single wallet and has been sitting there since.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Government departments/government networks have massive amounts of attempted hacks against them on a daily basis, whether it is DDoS hitting email/egress points, attempted phishing of staff, or all manner of other types of attempts.
    It really isn't that much of a surprise that something has been successful enough to cause an impact such as this. The best security advice is to make the assumption that something like this will eventually happen: how do you deal with it when it does / what have you been doing to make sure you can deal with it?

    As with a lot of security incidents, the incident itself isn't the biggest issue; it's the fallout from dealing with the incident, in a very similar way to the past 15 months in dealing with Covid. The biggest inconvenience is the mitigation measures, not necessarily the virus itself.

    Things have gotten much better in recent years, but from a security standpoint the HSE is a significant organisation, with diverse end users, endpoints and internal and external systems.
    Lots of people "looking in" don't really fathom the complexity of what is involved on its internal networks.

    That doesn't excuse any major security breaches however, but perhaps it might provide a kick up the backside to those in charge of the purse strings about how much IT security and security awareness amongst users is a core requirement.

    I look forward with interest to seeing what has happened here, what the egress point was / how long the hack has been going on for, and any learning that can happen for other departments.
    It's possible that it's been a relatively "simple" hack, using social engineering to get to the people/person with the relevant access, as these things usually turn out to be.


  • Registered Users Posts: 185 ✭✭dublinbando


    dubrov wrote: »
    So how do you spend bitcoins from a dodgy wallet that the authorities are aware of?

    I'd imagine the large Bitcoin heists had cashed out the coins using phony/mule bank accounts long before the fraud was detected.

    One way would be to use an exchange that only does crypto to crypto with no KYC and using a VPN to exchange the bitcoin into monero or other privacy coin, then just cash out the privacy coin.


  • Registered Users Posts: 8,427 ✭✭✭FintanMcluskey


    Jack Chambers is saying on the week in politics that no ransom will be paid

    Is that possible?

    I thought this was a non-negotiable problem, either pay up or you're doomed?

    Not something to try and play the big man with


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Jack Chambers is saying on the week in politics that no ransom will be paid

    Is that possible?

    I thought this was a non-negotiable problem, either pay up or you're doomed?

    Not something to try and play the big man with

    It all depends on the specifics of what has happened.
    If there is limited data and it has been encrypted but there is a relatively straightforward method of retrieving that data then there's no need for any ransom payment. Maybe they still don't know the extent of the issue?
    So far the disruption isn't necessarily from the attack itself but mitigation/containment of the attack.

