
Ransomware & HSE


Comments

  • Registered Users Posts: 16 markgb


    mcsean2163 wrote: »
    Format or dump the windows 7 computers. All terminals should be dumb and only interfacing with the systems meaning only the servers need to be reviewed.

    Fully agree with the second bit but why is everyone blaming Windows 7? If a HSE server allowed someone to install a random executable that can access and encrypt a whole database just because they were on the same network as you then isn't the server at fault?

    Blaming nurse Mary for running Windows 7 just sounds like victim blaming to me. Surely locking down a dozen servers has to be easier than upgrade 65,000 laptops and realistically expecting 100,000 employees to never ever click a dodgy link.

    I don't work in IT but it seems arseways to me from here.


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    In the limited instances I have seen it happen where I worked, it was pretty fast acting once opened.

    Sounds like Dublinwriter had similar experience.


    Two experiences of fast acting vs. never having heard of a slow acting scenario. Have you?


    Well, clearly, by the fact they extracted 700GB of data before starting encryption, yes it was "slow acting".


    And even if it wasn't, you can't just chance it and restore without knowing for sure.


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    markgb wrote: »
    Fully agree with the second bit but why is everyone blaming Windows 7? If a HSE server allowed someone to install a random executable that can access and encrypt a whole database just because they were on the same network as you then isn't the server at fault?

    Blaming nurse Mary for running Windows 7 just sounds like victim blaming to me. Surely locking down a dozen servers has to be easier than upgrade 65,000 laptops and realistically expecting 100,000 employees to never ever click a dodgy link.

    I don't work in IT but it seems arseways to me from here.


    Companies upgrade this many systems all the time and train this many and more employees.

    It's very reasonable that the first line of defence is up-to-date systems and training.

    Of course it seems there are plenty of other potential steps (just from reading here) and I agree anything extra should be considered.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    In fairness HSE should have looked at the 2017 NHS problem.

    For me, this is the unforgivable part.

    One of the things I strongly advocate in this game is learning from others' mistakes. Highly detailed report findings on major breaches/security incidents are few and far between; companies just don't publicly release this information, and rightly so.

    But every once in a while, a case comes along, a case like Equifax - an utter disaster from start to finish and a prime example of how not to deal with a security breach.

    The US House of Representatives Committee on Oversight and Government Reform called the incident "entirely preventable," while the US Senate Permanent Subcommittee on Investigations accused the company of a "neglect of cybersecurity." The report was released and the findings are damning. Makes for great reading if you're into this stuff. It's openly available on the net.

    The cost of the incident is estimated to be $1.35 billion.

    Both CISO Susan Mauldin (had a degree in music but had no Information Security qualifications to her name) and CIO David Webb left the company in the weeks after the breach. Equifax CEO Richard Smith also retired in the wake of the breach.


  • Registered Users Posts: 23,246 ✭✭✭✭Dyr


    I saw this up close and personal in a public body of similar size with the "Wannacry" virus in 2017.

    A user had opened and ran an attachment from an email that looked like an Eircom bill.

    The virus proceeded to encrypt any file it could on network shares that the user had open and left a text file ransom note in each subdirectory.

    Thankfully, the organisation were running nightly enterprise backups, so only a day's work was lost at worst.

    Weren't the HSE running any daily backups?

    WannaCry is a different kettle of fish; it's fire and forget. These guys gain access to an environment and then investigate it for a while to see what's there before they act.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    It's new, so there isn't exactly a lot of info on it, and what's in the HSE is described as a variant. From what is available, Conti will first infect and spread. It does so via infecting files and maybe using a known SMBv1 vulnerability.

    Then it encrypts the files (fast) and transfers data outbound if it can.

    The issue with this you can't restore backups unless you know those backups don't contain infected files. Which means you have to be sure that you can spot those files. Otherwise it will just start again.

    They are in the position where they can trust nothing and a single slip up puts them back at step 1 again.

    Don't know anything about how the HSE network runs or how they manage shares, but from comments on this thread it seems to be organisation/location dependent with a managing body, so basically exactly how they operate medically. So a hospital in Thurles might have nothing happen to them because they had a well run IT setup, but a hospital in Drogheda might have been hit hard because they were wide open to it.




    Why would they not automatically have outgoing connections blocked? A jump box then for any holes they needed to open up (with strict rules)?
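The point made a few posts up, that you cannot restore a backup until you know it does not already carry the attacker's work, is something you can check mechanically before a restore. The following is an added example written for this thread, not tooling from the HSE or any vendor: it screens a backup snapshot for the three things the posters describe (files rewritten to ciphertext, a ransom note dropped into every directory, and a large share of files changed since the previous snapshot). The snapshots, file names and thresholds are constructed for illustration.

```python
"""Screen a backup snapshot for ransomware indicators before restoring it.
Added example, not the HSE's or any vendor's tooling.  The snapshots are
constructed in memory; a real run would walk a mounted backup set."""
import hashlib
import math
import os
import random
from collections import Counter


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte: roughly 4-5 for text, near 8 for ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Extensions whose content should be low-entropy text; a high-entropy rewrite
# of one of these is the classic footprint of file encryption.
TEXT_EXT = {".txt", ".csv", ".xml", ".json", ".log", ".sql"}

# Deterministic "ciphertext" for the constructed sample below.
rng = random.Random(7)


def junk(n):
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed previous (known-good) snapshot and its hash manifest.
GOOD = {
    "patients/ward3/list.csv": b"id,name,ward\n1,A. Byrne,3\n2,C. Daly,3\n" * 40,
    "patients/ward3/notes.txt": b"Handover notes for ward 3.\n" * 60,
    "radiology/schedule.xml": b"<schedule><slot day='Mon' room='2'/></schedule>\n" * 30,
    "finance/payroll.csv": b"staff,amount\n1001,2400.00\n" * 50,
}
PREV_MANIFEST = {p: sha256(d) for p, d in GOOD.items()}

# Constructed later snapshot taken after an (assumed) encryption run.
BAD = {
    "patients/ward3/list.csv": junk(len(GOOD["patients/ward3/list.csv"])),
    "patients/ward3/notes.txt": junk(1600),
    "patients/ward3/readme_to_restore.txt": b"Your files are encrypted. Contact us.\n",
    "radiology/schedule.xml": junk(1400),
    "radiology/readme_to_restore.txt": b"Your files are encrypted. Contact us.\n",
    "finance/payroll.csv": GOOD["finance/payroll.csv"],  # not reached yet
    "finance/readme_to_restore.txt": b"Your files are encrypted. Contact us.\n",
}


def scan(snapshot, prev_manifest, entropy_threshold=7.0, churn_limit=0.2, note_min_dirs=3):
    """Compare a snapshot with the previous manifest and report indicators.

    Returns a dict with 'clean' (bool), human-readable 'findings', the paths
    judged encrypted, and any note-like filename repeated across directories."""
    changed = [p for p, d in snapshot.items()
               if p in prev_manifest and prev_manifest[p] != sha256(d)]
    new = [p for p in snapshot if p not in prev_manifest]
    encrypted = [p for p in changed
                 if os.path.splitext(p)[1].lower() in TEXT_EXT
                 and entropy(snapshot[p]) >= entropy_threshold]
    # The same new filename dropped into many directories is the ransom-note pattern.
    by_name = Counter(os.path.basename(p) for p in new)
    notes = [name for name, k in by_name.items() if k >= note_min_dirs]
    churn = len(changed) / max(len(prev_manifest), 1)
    findings = []
    if encrypted:
        findings.append(f"{len(encrypted)} plaintext-type files changed to high-entropy content")
    if notes:
        findings.append(f"note-like file(s) {notes} repeated across {by_name[notes[0]]} directories")
    if churn > churn_limit:
        findings.append(f"{churn:.0%} of files changed since previous snapshot")
    return {"clean": not findings, "findings": findings,
            "encrypted": sorted(encrypted), "notes": notes}


if __name__ == "__main__":
    print("previous snapshot:", scan(GOOD, PREV_MANIFEST))
    print("latest snapshot:  ", scan(BAD, PREV_MANIFEST))
```

Run against the constructed data, the earlier snapshot passes and the later one is flagged on all three counts, which is the signal to walk further back in the backup chain (or to an offline copy) rather than restore. The entropy test is deliberately restricted to extensions that ought to be text; compressed formats such as docx or PDF are high-entropy by nature and need the hash-diff and churn checks instead.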


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    You'd have to be storing the backups on the same drives for that - surely not good practice...
    Not necessarily. I was discussing this as a concern in a meeting this morning.

    It's one thing when an attack is fully automated. You store different types of backups in different locations; one on a local file server, another on Amazon S3, another in a remote site, etc. Thus even if the automated attack manages to kill your local backups, you have at least two other copies that work.

    When you have an active attacker, they may track down those other backups and delete/corrupt them too. When you have automation looking after your backups, that means storing credentials somewhere, which means any active attacker may find them and use them.

    It is possible to defend against, but it requires meticulous planning; potentially even making it impossible for *anyone* to delete part of your backups, ever.

    Traditional tape backups may have been an absolute pain in the hoop, but one of the big benefits is that no matter how many accounts a hacker has compromised, they're not going to get their hands on your tapes.
    I'm sure this has been asked or pondered already.

    But why in any instance would you pay the ransom?

    It's akin to someone having a DVD you made of yourself which compromises you; they demand you pay for it back.
    But there's no reason to believe they didn't copy it.
    If that's the only copy that you have of the DVD, then you're going to pay because you want it back. Whether they've made a copy of it is secondary.

    If you're a business who needs that DVD to operate, then it's a matter of figuring out if your business can survive while you recreate the DVD from scratch, or if you absolutely have to just pay the ransom to get back up and running.


  • Registered Users Posts: 5,679 ✭✭✭storker


    cnocbui wrote: »
    My son was telling me there are some notorious hackers in Russia whose names and addresses are known. The possibility of certain old style responses springs to mind.

    Maybe when the Israelis get finished in Gaza... :D

    In all seriousness, the world needs to start treating hacks like this as acts of war/terrorism. I'm not saying a military response, but it might help to send a message that there's a price to be paid for facilitating/protecting/encouraging/enabling these scum.


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    storker wrote: »
    Maybe when the Israelis get finished in Gaza... :D

    In all seriousness, the world needs to start treating hacks like this as acts of war/terrorism. I'm not saying a military response, but it might help to send a message that there's a price to be paid for facilitating/protecting/encouraging/enabling these scum.


    If a nation defends them, or even refuses to punish them.

    An international effort is needed to force their hand. Sanctions, etc., to the value of the loss or greater might be a start.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    In the limited instances I have seen it happen where I worked, it was pretty fast acting once opened.

    Sounds like Dublinwriter had similar experience.

    Yes, it tore through network shares, even with the infected client on a 10Mb WAN connection. It was only initially detected when one of the network guys monitoring the national network in real-time noticed the throttled traffic coming from the remote office.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    seamus wrote: »
    Traditional tape backups may have been an absolute pain in the hoop, but one of the big benefits is that no matter how many accounts a hacker has compromised, they're not going to get their hands on your tapes.




    There are machines that somewhat "automate" tape backups. They take the backup and then store the tape. But then if you want to recover them, they go and take that tape and recover from it - I think almost in the sense of the old style jukebox record players - "I want backup from 12/31" and the machine picks that out, connects it and then reads from it.



    So I think those machines can also be remoted into!


  • Registered Users Posts: 1,757 ✭✭✭Deliverance XXV


    From what is available, Conti will first infect and spread. It does so via infecting files and maybe using a known SMBv1 vulnerability.

    They don't even need vulnerabilities if they have an AD admin account and remote PowerShell, PsExec or CrackMapExec.
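That is the detection problem in a nutshell: with a valid admin account, lateral movement looks like administration. What does still show up is the artefact those tools leave on the target, and the following added example (written for this thread, not from the HSE or any product) shows the correlation a SOC would run over Windows event records. The two service patterns it keys on are well known: PsExec installs a service named PSEXESVC, and smbexec-style tooling (the technique CrackMapExec and Impacket use) installs a throwaway service whose ImagePath runs %COMSPEC% with output redirected into an admin share. The event records, hostnames, account and IP address below are constructed samples; the one-minute correlation window is an assumption.

```python
"""Heuristic detection of PsExec/smbexec-style lateral movement from Windows
System (7045: service installed) and Security (4624: logon) event records.
Added example: the event records below are constructed for illustration, not
taken from the HSE incident or any real log."""
import re
from datetime import datetime, timedelta

# Field names mirror the usual Windows event fields (EventID, ServiceName,
# ImagePath, LogonType, IpAddress); every value here is constructed.
EVENTS = [
    {"time": "2021-05-13T23:58:02", "host": "WS-0412", "EventID": 4624,
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.20.5.17"},
    {"time": "2021-05-13T23:58:05", "host": "WS-0412", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2021-05-14T00:03:41", "host": "FS-02", "EventID": 4624,
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.20.5.17"},
    {"time": "2021-05-14T00:03:43", "host": "FS-02", "EventID": 7045,
     "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                  r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"time": "2021-05-14T02:10:00", "host": "PRINT-01", "EventID": 7045,
     "ServiceName": "Spooler Helper", "ImagePath": r"C:\Program Files\Vendor\helper.exe"},
]

PSEXEC_NAME = re.compile(r"PSEXESVC", re.I)
# smbexec/CrackMapExec-style one-shot services: cmd.exe launched via %COMSPEC%
# with its output redirected into an administrative share (C$ or ADMIN$).
CMD_SHELL = re.compile(r"%COMSPEC%|cmd(\.exe)?\s+/Q\s+/c", re.I)
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(C|ADMIN)\$", re.I)


def suspicious_service(ev):
    """Classify a 7045 record; None for anything that is not a 7045 or looks benign."""
    if ev["EventID"] != 7045:
        return None
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if PSEXEC_NAME.search(name) or PSEXEC_NAME.search(path):
        return "psexec-service"
    if CMD_SHELL.search(path) and ADMIN_SHARE.search(path):
        return "cmd-via-admin-share"
    return None


def detect(events, window=timedelta(seconds=60)):
    """Return one alert per suspicious service install, joined to the most
    recent network logon (4624, LogonType 3) on the same host inside `window`."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    alerts = []
    for ev in events:
        kind = suspicious_service(ev)
        if not kind:
            continue
        logons = [e for e in events
                  if e["EventID"] == 4624 and e.get("LogonType") == 3
                  and e["host"] == ev["host"]
                  and timedelta(0) <= ts(ev) - ts(e) <= window]
        src = logons[-1] if logons else None
        alerts.append({"host": ev["host"], "kind": kind, "service": ev["ServiceName"],
                       "user": src["TargetUserName"] if src else None,
                       "source_ip": src["IpAddress"] if src else None})
    return alerts


def pivot_sources(alerts):
    """Source IPs that created remote-exec services on more than one host:
    the footprint of one operator fanning out across the estate."""
    hosts = {}
    for a in alerts:
        if a["source_ip"]:
            hosts.setdefault(a["source_ip"], set()).add(a["host"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    print("fan-out:", pivot_sources(found))
```

The vendor "Spooler Helper" install is correctly ignored, the two remote-exec services are tied back to the same account and source address, and `pivot_sources` surfaces that one address touching two hosts, which is the thing worth paging on. Service names are trivially renamed (PsExec has a flag for it, smbexec picks its own), so the ImagePath and the logon correlation carry more weight than the name match.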


  • Registered Users Posts: 24,202 ✭✭✭✭Larbre34


    storker wrote: »
    Maybe when the Israelis get finished in Gaza... :D

    In all seriousness, the world needs to start treating hacks like this as acts of war/terrorism. I'm not saying a military response, but it might help to send a message that there's a price to be paid for facilitating/protecting/encouraging/enabling these scum.

    Couldn't agree more.

    And you're right, it shouldn't be a military response, it should be a shadow intelligence and black ops response.

    Literally the only way they will get the idea is for foreign agents to go after them physically, bomb their homes and cars, assassinate them in the streets.

    The Russians surely aren't going to do anything to help and as Paul Reynolds reported on the lunchtime news, they never leave Russia and they never carry out attacks within Russia.

    The only solution is the Mossad solution.


  • Registered Users Posts: 20,087 ✭✭✭✭cnocbui


    storker wrote: »
    Maybe when the Israelis get finished in Gaza... :D

    In all seriousness, the world needs to start treating hacks like this as acts of war/terrorism. I'm not saying a military response, but it might help to send a message that there's a price to be paid for facilitating/protecting/encouraging/enabling these scum.

    I think there should be a military response. The Chinese recently hacked the Indian power grid, knocking out swathes of the country. People are said to have died. That is an act of war and I think they should have retaliated militarily. Some level of hot military engagement with China is inevitable, IMO. Might as well get the west together in a coordinated way now and have at them on our terms.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    If a multinational like Maersk weren't doing nightly backups, that would be very surprising.




    I'd imagine that if they had real time replication that they were also taking periodic snapshots. Probably daily.


  • Registered Users Posts: 20,087 ✭✭✭✭cnocbui


    There are machines that somewhat "automate" tape backups. They take the backup and then store the tape. But then if you want to recover them, they go and take that tape and recover from it - I think almost in the sense like you'd see the old style jukebox record players almost - "I want backup from 12/31" and the machine picks that out, connects it and then reads from it.

    So I think those machines can also be remoted into!

    A place I worked, we did a backup to DAT tapes and a courier took those tapes off site to a secure location regularly. Off-site physical backups that are not network accessible are what is needed.


  • Registered Users Posts: 753 ✭✭✭Timistry


    I work with a company who were attacked by ransomware a few years back. It took 2 months to get everything back up and running again fully. Every PC OS had to be rebuilt and the cloud content redownloaded. The HSE are facing a similar or worse situation. This will drag on for weeks-months.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    cnocbui wrote: »
    A place I worked, we did a backup to DAT tapes and a courier took those tapes off site to a secure location regularly. Off site physical backups that are not network accessable are what is needed.




    A place I worked had a complete (supposedly secret) disaster recovery centre about 30 miles away. I never visited it but occasionally one or two people had to go out to check for business continuity reasons. My team would have had desks out in it. Some lived close to it so they would just go and do a very odd day in it. Maybe like once a year.



    Occasionally they'd fail over DB servers etc. to the DRC for testing purposes. So traffic would be coming from there to the normal office. I think they were supposed to have real time replication there. Everything was in fours: replicated onsite and then two offsite in the DRC. The reason for it was more so that we could continue to operate after a natural disaster or terrorist attack etc. rather than cyber - although there were network attacks coming in daily from China. Everything was ultimately backed up to tape also. I don't know the logistics. They probably took two copies - one for one site and one kept off site. They'd do incremental backups I'd imagine, but probably take full standalone ones from time to time as well.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Donnelly suggesting 146,000 HSE staff unlikely to be paid this Thursday; that will certainly expedite matters. This just beggars belief.

    Is maith an scáthán súil charad.




  • Registered Users Posts: 250 ✭✭gaming_needs90


    Anyone have a link to the dump site used? Am going through a few known ones now to see if I can find any leak


  • Registered Users Posts: 3,392 ✭✭✭xckjoo


    notAMember wrote: »
    Validated interfaces between segregated networks.

    This is the standard across industry with legacy systems they need to protect.

    The data can move in a very tightly controlled way, as an xml file or json payload on a specific port, encrypted. All other ports and access methods are closed.

    There's still the problem that if the parent network is hacked then the legacy systems just exist in isolation and you've lost the benefits of that parent system (e.g. your x-ray machine still works but you've lost patient scheduling and managing, data transmission, etc.). At the very least this will bottleneck everything and bring it to a crawl.

    For the people advocating for military responses, have ye forgotten about the invention of nuclear weapons? Even without them how do you propose a military response in Russia, China or North Korea without massive loss of life?
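The "validated interface" in the quoted post is worth making concrete, because the value is entirely in how little the gateway lets through. The following is an added example for this thread, not code from any hospital system or product: a validator for a single JSON message shape crossing from the main network to a segregated legacy system. The message fields (patient_id, modality, slot), their formats and the 4 KB size cap are assumptions chosen for illustration. Everything that is not exactly that shape is rejected, and what is forwarded is a re-serialised copy rather than the sender's bytes.

```python
"""Strict validation for a payload crossing a segregated-network interface:
one message shape, one size limit, one encoding; everything else is rejected
before it reaches the legacy system.  Added example (not a product's code);
the message fields and limits below are assumptions."""
import json
import re
from datetime import datetime

MAX_BYTES = 4096                                   # assumed cap for this message type
PATIENT_ID = re.compile(r"[A-Z]{2}[0-9]{6}")       # assumed identifier format
MODALITIES = {"XR", "CT", "MR", "US"}
REQUIRED = {"patient_id": str, "modality": str, "slot": str}


class Reject(ValueError):
    """Raised for any payload the interface will not forward."""


def _no_duplicates(pairs):
    # json.loads silently keeps the last duplicate key; refuse instead.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise Reject("duplicate key")
    return dict(pairs)


def validate(raw: bytes) -> dict:
    """Return a canonical copy of the message or raise Reject.

    Checks, in order: size, UTF-8, well-formed JSON without duplicate keys,
    top-level object, no unknown fields, no missing fields, exact types,
    then per-field formats."""
    if len(raw) > MAX_BYTES:
        raise Reject("payload too large")
    try:
        msg = json.loads(raw.decode("utf-8", errors="strict"), object_pairs_hook=_no_duplicates)
    except UnicodeDecodeError:
        raise Reject("not UTF-8")
    except json.JSONDecodeError as e:
        raise Reject(f"malformed JSON: {e.msg}")
    if not isinstance(msg, dict):
        raise Reject("top level must be an object")
    extra = set(msg) - set(REQUIRED)
    if extra:
        raise Reject(f"unexpected field(s): {sorted(extra)}")
    missing = set(REQUIRED) - set(msg)
    if missing:
        raise Reject(f"missing field(s): {sorted(missing)}")
    for key, typ in REQUIRED.items():
        if type(msg[key]) is not typ:          # exact type: no dicts, lists or bools here
            raise Reject(f"{key} must be {typ.__name__}")
    if not PATIENT_ID.fullmatch(msg["patient_id"]):
        raise Reject("patient_id format")
    if msg["modality"] not in MODALITIES:
        raise Reject("unknown modality")
    try:
        slot = datetime.fromisoformat(msg["slot"])
    except ValueError:
        raise Reject("slot is not ISO-8601")
    # The legacy side receives a canonical re-serialisation, never the raw bytes.
    return {"patient_id": msg["patient_id"], "modality": msg["modality"], "slot": slot.isoformat()}


# Constructed sample payloads: one good message and four things an attacker on
# the parent network might push at the interface.
SAMPLES = {
    "valid": b'{"patient_id":"IE123456","modality":"CT","slot":"2021-05-20T09:30:00"}',
    "extra_field": b'{"patient_id":"IE123456","modality":"CT","slot":"2021-05-20T09:30:00","exec":"cmd /c whoami"}',
    "nested": b'{"patient_id":{"$ne":""},"modality":"CT","slot":"2021-05-20T09:30:00"}',
    "dup_key": b'{"patient_id":"IE123456","patient_id":"IE000000","modality":"CT","slot":"2021-05-20T09:30:00"}',
    "oversized": b'{"patient_id":"IE123456","modality":"CT","slot":"' + b"9" * MAX_BYTES + b'"}',
}


def triage(samples):
    """Run every sample through the validator and record the outcome."""
    out = {}
    for name, raw in samples.items():
        try:
            validate(raw)
            out[name] = "accepted"
        except Reject as e:
            out[name] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:12s} {result}")
```

The validator is the whole of the "interface": there is no generic pass-through path to fall back to, so a compromised parent network can only send the legacy system well-formed scheduling messages. That is also the cost the post above is describing: when the parent side is down, the legacy system still works, but only for what this one message type can carry.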


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    Anyone have a link to the dump site used? Am going through a few known ones now to see if I can find any leak




    www.clickhereforcontiinfection.com and download the exe. It will take you there


  • Registered Users Posts: 199 ✭✭DecTenToo


    www.clickhereforcontiinfection.com and download the exe. It will take you there

    It said that my credit card details may be available on the internet and asked me to enter them.

    It reported back that I was safe.

    Pheww, thank goodness :p


  • Registered Users Posts: 10,234 ✭✭✭✭Hurrache


    A place I worked had a complete (supposedly secret) disaster recovery centre about 30 miles away. I never visited it but occasionally one or two people had to go out to check for business continuity reasons. My team would have had desks out in it. Some lived close to it so they would just go and do a very odd day in it. Maybe like once a year.

    I've been in a few of them; they're quite nicely spec'd and maintained, but I've never seen one actually in use. But that's the point I suppose: like your insurance, it's good to have there but you never want to have to go near it.

    Companies lease them out; they don't have their own, unless they're a particularly huge company, but even at that it tends to be third-party premises, and like you say, the disaster is a physical disaster, anything like a flood, fire etc. in their own premises.


  • Registered Users Posts: 10,234 ✭✭✭✭Hurrache


    BTW, anyone hearing of a glut of spam phone calls trying to make hay on the back of this? I've had someone receive a couple from an Irish mobile number with an automated message saying their details have been exposed in the HSE and something along the lines of a warrant and the usual crap?


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    Dempo1 wrote: »
    Donnelly suggesting 146,000 HSE staff unlikely to be paid this Thursday; that will certainly expedite matters. This just beggars belief.

    Basically pay them an average of what they were paid for every pay period for the year. Not going to be accurate. Major reconciliation will be required when the systems come back online. Will be far from perfect but probably the best they can do at this point to get some dosh out to people who have to pay bills etc.


  • Posts: 17,378 ✭✭✭✭ [Deleted User]


    This is the worst possible way to save a mere sixteen million euro. It's pure stubbornness.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    I'd imagine that if they had real time replication that they were also taking periodic snapshots. Probably daily.

    Mighty altogether if you are replicating compromised, infected or corrupt data.


  • Registered Users Posts: 836 ✭✭✭Denny61


    Back to the biro and notepad...way safer


  • Posts: 0 [Deleted User]


    We back up daily and do a huge DR exercise once a year along with some other intermittent test stuff. I've never really thought much of it as it just happens, although planning for the DR exercise starts 2 months in advance with everything run off a run book and people's roles and responsibilities clear as daylight. Nothing is left to chance.

    This has certainly focused minds though to identify where we still could have gaps.

    Prevention is the cure.

