
Ransomware & HSE


Comments

  • Registered Users Posts: 112 ✭✭Miharo


    Floppybits wrote: »
    Having my first taste of dealing with Public Services in an IT capacity and all I can see is a technological desert. I knew the Public Services weren't the best at IT but it is shocking just how bad it is.

    Agree with this - the lack of security, access controls and change controls in some Government Depts' IT Depts is truly shocking. Speaking from experience having worked in two major government IT Depts. I'm surprised this kind of attack isn't happening more often; I think even the most basic attack would have a good chance of succeeding on some systems I've seen.


  • Registered Users Posts: 264 ✭✭Fantomas9mm


    The malware could have been there months/years also.


  • Registered Users Posts: 14,526 ✭✭✭✭Darkglasses


    Seems strange that the topic of salary is not coming up... if you are expecting a salary this week and work for the HSE you won't be getting paid, quite simply... doctors/nurses/clerical staff/admin/health workers etc., anyone who is due this week... unless this is sorted.

    Might be handled by the PSSC?


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    The unions would have demanded training, and of course extra money, for their members to use the systems. Trained staff should be held responsible...

    To a point. If you've a system with large holes in it, a bit of rudimentary training is just that. The duty of care would weigh on the design and maintenance of the system.

    I mean a medical staff person opening an email has a reasonable expectation that the underlying systems are secure.

    This is getting into a scenario like: “but we told you the wires in the canteen were bare and live and that the petrol is stored in open buckets.”


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,670 CMod ✭✭✭✭magicbastarder


    Might be handled by the PSSC?
    I think the HSE use Core for their payroll?


  • Registered Users Posts: 8,239 ✭✭✭Pussyhands


    Paying the ransom doesn't set a precedent. The only deterrent is security.

    So what if we don't pay the ransom, we've already shown we're vulnerable.

    If we paid the ransom and then upgraded security, then attacks would be pointless anyways.


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    Potatoeman wrote: »
    They’re years behind. Last time it was laptops with unencrypted hard drives. Probably not working off a backed-up NAS so can’t just do a rollback restore. Doubt they had a firewall to stop this before it started.




    I'd doubt that. I'd be surprised if they don't have off-site disaster recovery etc. Not only for this kind of criminal threat but they'd need it for business continuity reasons in case of natural disaster etc.
    Your average employee might not be aware of these things but I'd be very surprised if they didn't. They probably also have periodic tape archives too. Any real-time or intermittent point-in-time replication could potentially also be attacked by the intruders I'd imagine, but the tapes shouldn't be accessible.




    As for network attacks, their network people are dealing with those constantly. Maybe not to the same degree of sophistication, but I'd say they are being hit dozens of times per week by various actors in China/Russia/Korea etc. It cannot be the case that this is the first time they became aware of potential threats.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Potatoeman wrote: »
    They’re years behind. Last time it was laptops with unencrypted hard drives. Probably not working off a backed-up NAS so can’t just do a rollback restore. Doubt they had a firewall to stop this before it started.

    Or you doubt it do you?

    36,000 servers in a datacentre and you doubt they had 'a' firewall?


  • Registered Users Posts: 7,920 ✭✭✭cee_jay


    Might be handled by the PSSC?

    Unfortunately not - Health Business Services is the shared services for HSE.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,670 CMod ✭✭✭✭magicbastarder


    If you google 'HSE corepay' you get a Core portal for their self service (which is not responding) - don't Core host their own systems?


  • Registered Users Posts: 18,168 ✭✭✭✭VinLieger


    Pussyhands wrote: »
    If we paid the ransom and then upgraded security, then attacks would be pointless anyways.


    It was a zero-day exploit; there is no defense against that because it's never been seen before, therefore you don't know what to look for. Also there is no such thing as a completely secure computer system no matter how much you spend on it, so stop talking about things you quite obviously know nothing about.


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    Currently the HSE has staff working from home on personal computers not controlled in any way by internal IT staff.

    They have provided pretty unrestricted access to Shared drives out of necessity to support the WFH.


    A pharma company I worked for got caught with a ransomware attack a few years back; some dinosaur downloaded a dodgy attachment and even followed its instructions to save it to the company servers, haha.

    Just over 24 hrs later every machine and server was restored with a pre file backup. Clean and efficient; it meant a day's work had to be redone but that wasn't too bad.


    It's probably time the Gov set out an IT upgrade plan for all departments; pricey, but if we are seen as an easy target it may be cheaper in the long run.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    If you google 'HSE corepay' you get a Core portal for their self service (which is not responding) - don't Core host their own systems?

    Not always. They have a self host option.


  • Closed Accounts Posts: 161 ✭✭JibJabWibWab


    To a point. If you’ve a system with large holes in it, a bit of rudimentary training is just that. The duty of care would weigh on the design and maintenance of the system.

    I mean a medical staff person opening an email has a reasonable expectation that the underlying systems are secure.

    This is getting into a scenario like: “but we told you the wires in the canteen were bare and live and that the petrol is stored in open buckets.”

    https://www.irishexaminer.com/news/arid-40187691.html
    HSE staff are to get cybersecurity training as they continue to work remotely due to the impact of the Covid-19 pandemic.

    More than 120,000 HSE employees will get access to classes including Introduction to Cybersecurity, Cyber Security Essentials, and Introduction to the Internet of Things. Run by technology company Cisco, the courses are online only.


  • Registered Users Posts: 3,319 ✭✭✭davo2001


    VinLieger wrote: »
    It was a zero-day exploit,

    They say it was a zero day exploit, there is no evidence (that I've seen anyways) to verify this yet.
    It is quite possible that it's just the HSE trying to cover their arse by saying it's a zero day exploit.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Pussyhands wrote: »
    Paying the ransom doesn't set a precedent. The only deterrent is security.

    So what if we don't pay the ransom, we've already shown we're vulnerable.

    If we paid the ransom and then upgraded security, then attacks would be pointless anyways.

    That makes no sense.

    "Security" is not a deterrent - surely you can see that.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    VinLieger wrote: »
    How naive are these people? Paying the ransom MIGHT get the data back but there's no guarantee they won't just leave it encrypted or even just release anything they have publicly just for the craic. Also the entire HSE IT system may still need to be replaced depending on how severely compromised it's been, so paying the ransom might really not solve anything at all in the short term.
    Sure, it's a gamble, but there's a certain reputational thing in this.

    Taking the ransom and not decrypting the data means that the next time your hacker group does this, you are absolutely guaranteed that you won't get your ransom because you are now known for taking the money and running.

    Sure, these groups can rename themselves to avoid a reputation, but you've still got diminishing returns. Every time a "new" hacker group appears demanding a ransom, the experts will know that they're probably not going to unlock the data and will advise that paying the ransom is pointless.

    As you rightly point out though, paying the ransom isn't the end of it either way. Your data is unlocked but you can be certain that keys, credentials and malware have been strategically left behind so the group can come back and take another bite of the cherry and/or continue to steal data for future blackmail.
    So you would still need to keep your systems completely offline while you forensically comb them and clear them.

    In effect, paying the ransom only gets you back up and running if you *don't* have sufficient backups. You won't be back in business any quicker unless you're happy to put compromised systems online without checking them out.

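The two posts above (Donald Trump on replication being reachable by the intruder while tapes are not, and seamus on needing trustworthy backups rather than a decryptor) both come down to one check: before restoring, can you prove the copy you are about to put back is the pre-incident data and not something the attacker has already touched? The block below is an added example written for this thread; it is not code from any poster, the HSE or the Conti operators. It takes a SHA-256 manifest of a clean snapshot (the kind of thing you would store offline alongside the tape), compares a restore candidate against it, and flags files whose byte entropy is near 8 bits/byte, which is what ransomware output looks like. The file paths and contents are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed clean snapshot, standing in for what a pre-incident backup
# (tape, offline copy) would hold. Paths and contents are made up.
CLEAN_SNAPSHOT = {
    "patients/notes.txt": b"Ward 3 round: patient stable, continue antibiotics, review Friday.\n" * 20,
    "lab/results.csv": b"sample_id,test,value\n1001,HbA1c,5.6\n1002,CRP,12\n" * 20,
    "config/app.ini": b"[db]\nhost=db01\nport=5432\n",
}

# Constructed "restore candidate": one file untouched, one replaced by
# high-entropy ransomware output under a new name, one silently modified
# (the sort of left-behind change a returning attacker relies on).
RESTORED_TREE = {
    "patients/notes.txt": CLEAN_SNAPSHOT["patients/notes.txt"],
    "lab/results.csv.locked": bytes(range(256)) * 16,   # uniform bytes: exactly 8.0 bits/byte
    "config/app.ini": b"[db]\nhost=db01\nport=5432\n[remote]\nurl=http://198.51.100.7/\n",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(tree: dict) -> dict:
    """SHA-256 per path. Generated before the incident and kept with the offline copy."""
    return {path: hashlib.sha256(blob).hexdigest() for path, blob in tree.items()}


def verify_restore(manifest: dict, restored: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a restore candidate against the manifest and flag likely ransomware output."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspect_encrypted": []}
    for path, digest in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif hashlib.sha256(restored[path]).hexdigest() == digest:
            report["ok"].append(path)
        else:
            report["modified"].append(path)
    for path, blob in restored.items():
        if path not in manifest:
            report["unexpected"].append(path)
        if shannon_entropy(blob) >= entropy_threshold:
            report["suspect_encrypted"].append(path)
    return report


def restore_is_clean(report: dict) -> bool:
    """Only put the copy back if nothing is missing, modified, unexpected or suspect."""
    return all(not report[key] for key in ("modified", "missing", "unexpected", "suspect_encrypted"))


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_SNAPSHOT)
    report = verify_restore(manifest, RESTORED_TREE)
    for status, paths in report.items():
        print(f"{status:>18}: {paths}")
    print("safe to restore:", restore_is_clean(report))
```

Two caveats a practitioner would add. The manifest is only worth anything if the intruder could not rewrite it, so it belongs with the offline media (or is signed with a key that never lived on the domain), not on the same replicated share the ransomware reached. And the entropy test is triage, not a verdict: ZIPs, JPEGs, PDFs with compressed streams and legitimately encrypted archives all score near 8 as well, so a flagged file needs a look rather than an automatic quarantine.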

  • Registered Users Posts: 21,470 ✭✭✭✭Alun


    As for network attacks, their network people are dealing with those constantly. Maybe not to the same degree of sophistication but I'd say they are being hit dozens of times per week by various actors in China/Russia/Korea etc. It can not be the case that this is the first time they became aware of potential threats.
    Even my home router is being targeted daily by systems with IP addresses in Russia, China, Ukraine and N. Korea. I have a firewall rule to deny all traffic from those countries just for monitoring purposes and the hit count is through the roof.

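Alun's post above describes a country-based deny rule kept mainly to watch the hit count. The block below is an added example for this thread, not code from Alun or anyone else here: it reads netfilter LOG lines of the kind an iptables or nftables "log prefix" rule writes to syslog, attributes each source address to a country by longest-prefix match, and tallies the hits from the blocked countries by country and by targeted service. The address-to-country table uses the RFC 5737 documentation prefixes with hypothetical country codes in place of a real GeoIP feed, and the log lines are constructed, not captured traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed country table: documentation prefixes with made-up country codes,
# standing in for a real GeoIP feed (MaxMind, ipdeny.com or similar).
GEO_TABLE = [
    ("198.51.100.0/24", "RU"),
    ("203.0.113.0/24", "CN"),
    ("203.0.113.128/25", "KP"),   # more specific prefix nested inside the CN block
    ("192.0.2.0/24", "IE"),
]
# Longest prefix wins, so try the most specific networks first.
_NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), cc) for cidr, cc in GEO_TABLE),
    key=lambda pair: pair[0].prefixlen,
    reverse=True,
)

BLOCKED_COUNTRIES = {"RU", "CN", "KP"}

# Constructed lines in the Linux netfilter LOG format (the real lines carry extra
# fields such as MAC=, LEN= and TTL=, which the regexes below simply ignore).
SAMPLE_LOG = """\
May 14 03:12:01 gw kernel: [GEOBLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=22
May 14 03:12:02 gw kernel: [GEOBLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22
May 14 03:12:04 gw kernel: [GEOBLOCK] IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.1 PROTO=TCP SPT=33333 DPT=3389
May 14 03:12:05 gw kernel: [GEOBLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.1 PROTO=TCP SPT=45000 DPT=445
May 14 03:12:06 gw kernel: [GEOBLOCK] IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
May 14 03:12:07 gw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.1 PROTO=TCP SPT=50000 DPT=443
May 14 03:12:09 gw sshd[1234]: Accepted publickey for alice from 192.0.2.9 port 50000
"""

_SRC = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)")
_PROTO = re.compile(r"\bPROTO=(\w+)")
_DPT = re.compile(r"\bDPT=(\d+)")


def lookup_country(ip: str) -> str:
    """Longest-prefix match of an IPv4 address against GEO_TABLE; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr in net:
            return cc
    return "??"


def parse_line(line: str):
    """Return (src, proto, dport) for a netfilter LOG line, or None for anything else."""
    src = _SRC.search(line)
    proto = _PROTO.search(line)
    if not (src and proto):
        return None
    dpt = _DPT.search(line)
    return src.group(1), proto.group(1), int(dpt.group(1)) if dpt else None


def summarise(log_text: str, blocked=BLOCKED_COUNTRIES):
    """Count hits from blocked countries, by country and by (protocol, destination port)."""
    by_country, by_service = Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        src, proto, dport = parsed
        cc = lookup_country(src)
        if cc in blocked:
            by_country[cc] += 1
            by_service[(proto, dport)] += 1
    return by_country, by_service, unparsed


if __name__ == "__main__":
    countries, services, skipped = summarise(SAMPLE_LOG)
    print("hits by country:", countries.most_common())
    print("hits by service:", services.most_common())
    print("lines not in netfilter LOG format:", skipped)
```

The by-service tally is the useful part: a pile of hits on 22, 445 and 3389 is background scanning for SSH, SMB and RDP, and the right response is to not expose those ports at all rather than to read anything into the country mix. Country blocking only removes noise; a crew renting a server in a non-blocked country, or a phishing mail opened by a staff member, never appears in these counts.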

  • Registered Users Posts: 69,058 ✭✭✭✭L1011


    if you google 'HSE corepay' you get a core portal for their self service (which is not responding) - don't core host their own systems?

    Core is available for on-premises install too.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    seamus wrote: »
    As you rightly point out though, paying the ransom isn't the end of it either way. Your data is unlocked but you can be certain that keys, credentials and malware have been strategically left behind so the group can come back and take another bite of the cherry and/or continue to steal data for future blackmail.
    So you would still need to keep your systems completely offline while you forensically comb them and clear them.

    Which is where they are at now. Huge interconnected networks which had been thoroughly compromised; a single infected machine would just start the process off again.


  • Registered Users Posts: 12,282 ✭✭✭✭Flinty997


    The malware could have been there months/years also.

    Yes but it won't be activated. So they can clean it up and be left with good data.


  • Registered Users Posts: 115 ✭✭topdecko


    Realistically, how long will this take to resolve do people think? We will have to pay the ransom to get some sort of functionality back in the system. Can then flesh out a long-term response, but for now we have hospitals with no internal communications, no appointment system, no notes and about a 10% lab service and a seriously curtailed radiology service - it's a disaster and will lead to significant harm if it continues.


  • Registered Users Posts: 12,282 ✭✭✭✭Flinty997


    topdecko wrote: »
    Realistically, how long will this take to resolve do people think? We will have to pay the ransom to get some sort of functionality back in the system. Can then flesh out a long-term response, but for now we have hospitals with no internal communications, no appointment system, no notes and about a 10% lab service and a seriously curtailed radiology service - it's a disaster and will lead to significant harm if it continues.

    I expect they'll get systems up first so new activity can proceed. You might not have access to old records for a while. So they may have to redo a lot of tests.


  • Closed Accounts Posts: 161 ✭✭JibJabWibWab


    Flinty997 wrote: »
    Yes but it won't be activated. So they can clean it up and be left with good data.

    The HSE have already confirmed it's Conti ransomware...

    https://www.thejournal.ie/hse-it-system-ransomware-attack-explained-5437064-May2021/


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    topdecko wrote: »
    Realistically, how long will this take to resolve do people think? We will have to pay the ransom to get some sort of functionality back in the system. Can then flesh out a long-term response, but for now we have hospitals with no internal communications, no appointment system, no notes and about a 10% lab service and a seriously curtailed radiology service - it's a disaster and will lead to significant harm if it continues.

    How long have the HSE or other Irish public service orgs been treating IT as a cost that has to be reduced? Considering they have "just" implemented cyber training for all staff, I'm going to take a guess and say a very long time.

    I've been contacted a few times by recruiters (networking) and I have laughed at the wages being offered. Think less than 50% of the private pay.


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    Alun wrote: »
    Even my home router is being targeted daily by systems with IP addresses in Russia, China, Ukraine and N. Korea. I have a firewall rule to deny all traffic from those countries just for monitoring purposes and the hit count is through the roof.




    And they can have all the hardware and software firewalls they like. But then someone on the inside does something they shouldn't do and introduces a threat inadvertently. We don't know if that is what happened here but I think that happens more often than an actual vulnerability being directly exploited externally. Although if these attackers are that sophisticated, they're probably capable of the latter.


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    From what I’m reading the advantage is that it’s not one system. They shut down systems as a precaution to prevent spread.

    I would guess they’ll get a lot of things up and running - cloud systems and more modern systems, isolated systems etc or systems they can be confident aren’t likely to be impacted could be returned to service fairly rapidly.

    The issue might be older systems and also potentially firing up individual PCs mightn’t be that easy and could mean a lot of work visiting sites and wiping PCs without connecting them to networks etc

    The big issue they would have is a very geographically spread network.

    Even worse, I think many HSE staff have been using personal comps while WFH.

    That could be a right pain, as how can they really check and wipe them?


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    Even worse, I think many HSE staff have been using personal comps while WFH.

    That could be a right pain, as how can they really check and wipe them?




    Appropriate username for thread


  • Registered Users Posts: 26,988 ✭✭✭✭Dempo1


    Appropriate username for thread

    I was just about to commend the poster on their user name :)

    A friend's eye is a good mirror. (Is maith an scáthán súil charad.)




  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    Appropriate username for thread

    Haha fits alright

