
Ransomware & HSE


Comments

  • Registered Users Posts: 1,908 ✭✭✭zom


    seamus wrote: »
    Blacknight were also the victim of a huge directed DDoS yesterday. A single customer was targeted and when Blacknight began mitigation the DDoS redirected to attack their entire infrastructure.

    I wonder if it's related; were the HSE the customer being targeted?
    A number of Blacknight customers were affected. I was called by some yesterday, but luckily Blacknight has a great health reporting website that saved me looking for issues myself:
    https://www.blacknight.com/support/

    Some of the medical IT systems are shockingly obsolete - you get obscure software associated with specific pieces of hardware like scanners.
    Costs of rewriting / writing new updated software dedicated to this hardware are probably shocking too.




    They should be, but they’re likely to be untouchable in some rogue state location like North Korea.
    There are great and democracy-loving states that hack other countries' nuclear installations and we are clapping with joy seeing it (at least our Dáil lords).


  • Posts: 0 [Deleted User]


    Hurrache wrote: »
    I'm enjoying how everyone is now both an expert in pandemics and viruses, and has quickly gained expertise in IT security.

    It must be all the TV they're watching, as it appears to have little foundation in reality.

    Indeed. Not sure if it's an Irish thing or if it's just a boards thing, but folks become armchair experts on anything within minutes of a story breaking. Happens all the time. Look at all the rubbish spouted by folks in the various vaccine threads to get an idea. The amount of hyperbole in this thread alone is off the charts... e.g.:
    Public services always go for the cheapest available anything, not the most cost-effective in the long run.

    That's just wrong. Anybody with any sort of background in public procurement knows that the establishment of the OGP and their mantra of MEAT means that picking the cheap and cheerful option just doesn't fly. You simply can't pick the cheapest version of anything without justification, or you'll end up in hot water.
    davo2001 wrote: »
    The fact that the HSE has had to shut down its ENTIRE network shows what a poorly implemented network security system they have; they clearly didn't learn anything from 3 years ago.

    The head of IT should be fired over this (but obviously he won't be).

    The fact that you are unaware that they didn't have to shut down the entire systems and are claiming that they DID have to, shows what a poorly implemented, baseless and uninformed attack you're making on something which you are clearly not in a position to do.
    leahyl wrote: »
    I work in a University and have communications with the HSE and some of them have extreme difficulty in even accessing Microsoft Teams for meetings. Their IT infrastructure sounds very bad.

    That's not an infrastructure issue and is not indicative of anything. There are security and confidentiality issues with Zoom, MS Teams etc., so not all public organisations allow it to be installed, and plenty of departments etc. have banned it outright for these reasons. This is a sign of a GOOD policy regarding infrastructure and not a bad one, but sure let's have a pop anyway.

    I can guarantee you that at least half of the people on here complaining about lack of upgrades from Windows 7 etc. would be on here moaning about wastage if the story this morning was that all 100k+ HSE employees got a new laptop with Windows 10 at the start of the pandemic. I guarantee it.

    People like to moan. Irish people like to moan more than most. And the denizens of Boards.ie are the moaniest Michaels that you ever did see. Plus ça change...


    Edit:
    I'd like to think the HSE IT system is so backward even hackers would struggle to find their way around it, likely a few Commodore 64s still holding up parts of it.
    This made me laugh though, fair play.


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    zom wrote: »
    There are great and democracy-loving states that hack other countries' nuclear installations and we are clapping with joy seeing it (at least our Dáil lords).

    Again state actors - beyond reach of the law.

    There’s some notion in Irish discussion that this is Seán or Mary the Hacker from their bunker in Tipperary and the Gardaí need to knock on the door.

    That’s just not the case at all.

    This stuff is out of reach of even major intelligence agencies.

    If anything it shows a need for EU pooled response on cyber security.


  • Registered Users Posts: 14,287 ✭✭✭✭leahyl




    That's not an infrastructure issue and is not indicative of anything. There are security and confidentiality issues with Zoom, so not all public organisations allow it to be installed, and plenty of departments etc. have banned it outright for these reasons. This is a sign of a GOOD policy regarding infrastructure and not a bad one, but sure let's have a pop anyway.

    Try reading my post - where did I mention Zoom???


  • Registered Users Posts: 4,149 ✭✭✭shanec1928


    yeah, i think a lot of the issues the NHS faced - and are undoubtedly faced by the HSE - is that if you've a working 12-year-old MRI scanner and the software runs on XP, are you going to upgrade the software at a cost of (plucks figure out of the air) €25k to stave off a malware attack which might not come?

    that said, i know someone who got a job in the HSE and mentioned working on a disk array with no backup that was hooked up to a Win2k server (he told me this maybe 3 years ago).
    Or the only way to get a newer software version is to upgrade the machine itself, which I've come across in other industries like injection moulding, where it could cost north of a million to replace the machine.


  • Registered Users Posts: 147 ✭✭what?


    whippet wrote: »
    If you don't pay, the hackers will just move on to the next target.


    Don't know the specifics, but if data, esp. patient data, was exfiltrated, this can be used as blackmail. GDPR doesn't care how data was leaked; the HSE would still be on the hook for it.


  • Registered Users Posts: 389 ✭✭Vaccinated30


    crossman47 wrote: »
    Well I'm male so maybe don't understand but I would regard all tests, etc as more important. They can have an impact on you or your baby's health - your partner's presence won't. I'll also admit I am from the generation of fathers who weren't left near the delivery ward (thankfully).
    Good luck with your own pregnancy.

    Oh god, my youngest is almost 2, there will be no more pregnancies for me.
    Many things like BP can be done in the local chemist. They even have clinics that run in areas for the routine BP/urine so that people don't have to go in to appointments anymore, and they've been around since I had my eldest (8). Apart from my 1st I've always laboured alone and called my husband in to me once moved to delivery due to childcare issues, but I absolutely understand why women would be afraid to go through it alone. Support is more important than pain relief, in my opinion.


  • Registered Users Posts: 29,114 ✭✭✭✭AndrewJRenko


    Good explanation of the Conti virus referenced by the HSE:

    https://thedfirreport.com/2021/05/12/conti-ransomware/


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    leahyl wrote: »
    Try reading my post - where did I mention Zoom???

    Teams, Zoom etc. - a lot of corporate networks are heavily locked down and were never intended to use conferencing facilities. The pandemic caused organisations to be catapulted into using things that they never would have normally.

    Healthcare in particular is hugely problematic, as you’d have lots of personal data.

    Financial services and infrastructure providers are even tighter. I worked in one place where you weren’t allowed to enter certain areas with any kind of device with memory: smartphones, USB sticks etc. Doing so would have resulted in being fired, as there was a risk of someone accessing systems.


  • Registered Users Posts: 29,114 ✭✭✭✭AndrewJRenko


    what? wrote: »
    Don't know the specifics, but if data, esp. patient data, was exfiltrated, this can be used as blackmail. GDPR doesn't care how data was leaked; the HSE would still be on the hook for it.

    HSE could pay the ransom and the lads will still leak or extort the patients. These guys don't play by the rules.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,655 CMod ✭✭✭✭magicbastarder


    I worked in one place where you weren’t allowed to enter certain areas with any kind of device with memory: smartphones, USB sticks etc. Doing so would have resulted in being fired, as there was a risk of someone accessing systems.
    you should see the machine Symantec have to trash devices leaving their virus research lab in Ballycoolin. basically turns computers/phones/tablets to tinsel, i have been told (alas, i did not see it in action).


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    The HSE could put them on a waiting list to speak to a cyber security consultant. By the time they get the appointment in 2031 they’ll give up and apologise.


  • Registered Users Posts: 14,287 ✭✭✭✭leahyl


    Teams, Zoom etc. - a lot of corporate networks are heavily locked down and were never intended to use conferencing facilities. The pandemic caused organisations to be catapulted into using things that they never would have normally.

    Healthcare in particular is hugely problematic, as you’d have lots of personal data.

    Financial services and infrastructure providers are even tighter. I worked in one place where you weren’t allowed to enter certain areas with any kind of device with memory: smartphones, USB sticks etc. Doing so would have resulted in being fired, as there was a risk of someone accessing systems.

    Fair enough, don't like being misquoted though, as I didn't mention Zoom - it's not the same thing, and Zoom would have been a bit of an issue in the University for a while also. You'd imagine a Microsoft application would be somewhat more "trustworthy". I was accused of being a moaner also simply from stating my experience of things - jaysus! Can't say anything now and you're a complainer and a moaner (I know you weren't the original poster!)


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    You’d imagine, but there’s nothing more trustworthy about them. Some of the most common vectors for viruses and malware are Microsoft applications like Outlook because they’re ubiquitous.

    Secure IT environments don’t necessarily allow users to install anything.

    Teams, for example, includes collaboration services that would potentially grant access to screen sharing, which is a BIG *no* in some contexts and health is likely one of those.


  • Registered Users Posts: 666 ✭✭✭Prisoner6409


    Are their IT people living in the land of Nod, who did not see this coming, so much so that they would have an off-site backup that is maintained off the Internet? One live system and at least 2 backups, 1 not connected; it's hardly rocket science.


  • Registered Users Posts: 81,220 ✭✭✭✭biko


    .42. wrote: »
    Are the HSE still using redundant OS like Windows XP?
    It's not "redundant", it's outdated.

    But yes, I think quite a few of their systems are outdated. Too expensive to stay updated I assume.
    They should just go full Linux.


  • Registered Users Posts: 2,986 ✭✭✭BailMeOut


    When they figure out what happened it will in all likelihood come down to an individual with higher-level access being tricked into doing something stupid to allow access. We all think these hacks are very sophisticated, but usually they are very low tech and the weak link is a human who clicks something, installs software, or gives out information over the phone to the bad folks, which then allowed access. From what I am reading this hack is about data loss/theft, so the hackers are simply copying data from the HSE to their systems and probably just using the permission of the user or admin who had access.

    It's very tough to prevent humans from doing stupid things and the HSE will have layers of systems, processes, and training in place to stop people from doing stupid things but the bad folks will always find a way around this.


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    Are their IT people living in the land of Nod, who did not see this coming, so much so that they would have an off-site backup that is maintained off the Internet? One live system and at least 2 backups, 1 not connected; it's hardly rocket science.
    Even if they did - do you know where the trigger for the ransomware is? Do you know when it is installed? Attackers could have left it dormant for months, embedded in the system, so a backup could just restore the same security hole.
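Added example (written for this page, not code from any poster): a small Python checker for the two points made above, the "one live system, two backups, one disconnected" rule and the risk that a backup taken after the intruder got in simply restores the same foothold. The site names, the 90-day dwell window and the backup dates are constructed assumptions.

```python
"""Checks a set of backup copies against the rule discussed in the thread:
at least two backup copies, one kept offline and off-site, plus at least
one clean copy that predates an assumed attacker dwell window.
All site names, dates and copies are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str   # site identifier (assumed), e.g. "dublin-dc" or "offsite-vault"
    offline: bool   # True if not reachable from the production network
    taken: date     # date the copy was written


def check_backup_posture(copies, today, dwell_days=90, production_site="dublin-dc"):
    """Return a list of findings; an empty list means the posture meets the rule.

    dwell_days is an assumed upper bound on how long an intruder may have been
    present before detection. Copies younger than that are treated as possibly
    carrying the same compromise, which is the concern raised in the thread."""
    findings = []
    if len(copies) < 2:
        findings.append("fewer than two backup copies")
    if not any(c.offline for c in copies):
        findings.append("no offline copy: a reachable backup can be encrypted too")
    if not any(c.location != production_site for c in copies):
        findings.append("no copy outside the production site")
    cutoff = today - timedelta(days=dwell_days)
    clean = [c for c in copies if c.taken <= cutoff]
    if not clean:
        findings.append(
            f"no copy older than the assumed {dwell_days}-day dwell window; "
            "restoring may re-introduce the intrusion")
    if not any(c.offline and c.location != production_site for c in clean):
        findings.append("no offline, off-site copy predates the dwell window")
    return findings


# Constructed sample: satisfies '1 live + 2 backups, 1 disconnected', but every
# copy is recent, so none of them is known to predate the intrusion.
TODAY = date(2021, 5, 14)
SAMPLE_COPIES = [
    BackupCopy("nightly-disk", "dublin-dc", offline=False, taken=date(2021, 5, 13)),
    BackupCopy("weekly-tape", "offsite-vault", offline=True, taken=date(2021, 5, 9)),
]

if __name__ == "__main__":
    for finding in check_backup_posture(SAMPLE_COPIES, TODAY):
        print("finding:", finding)
```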


  • Registered Users Posts: 2,302 ✭✭✭madcabbage


    Social engineering is by far the most common cause of these attacks. But saying that, it could be a number of factors.


  • Registered Users Posts: 1,878 ✭✭✭heroics


    BailMeOut wrote: »
    When they figure out what happened it will in all likelihood come down to an individual with higher-level access being tricked into doing something stupid to allow access. We all think these hacks are very sophisticated, but usually they are very low tech and the weak link is a human who clicks something, installs software, or gives out information over the phone to the bad folks, which then allowed access. From what I am reading this hack is about data loss/theft, so the hackers are simply copying data from the HSE to their systems and probably just using the permission of the user or admin who had access.

    It's very tough to prevent humans from doing stupid things and the HSE will have layers of systems, processes, and training in place to stop people from doing stupid things but the bad folks will always find a way around this.

    If you look at the info about Conti earlier in this thread, it both extracts data and also encrypts the data that is left behind. It uses a number of tools to gain elevated privileges and laterally move through an environment.

    Another link, with a different initial attack from the previous link:
    https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    The reality is we don’t know. The HSE systems probably are complex, involving a large number of institutions and legacy systems, and have multiple risks, but I would also doubt they are as bad as some people seem to imagine.

    Most healthcare organisations have faced this kind of issue. There were major cyberattacks on Spanish hospitals at the peak of the pandemic impact in Spain. The NHS has been hit multiple times and so on.

    The shutdown of systems is a standard way of quarantining them until you know what you’re dealing with and how exposed they are.

    It’s likely the attack is isolated to one system, so they’ll be able to safely restart systems bit by bit.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,655 CMod ✭✭✭✭magicbastarder


    one thing to bear in mind about the HSE, and i'm comparing it to the large multinational i work for - we've the luxury of being large, but contained and relatively homogeneous.
    the HSE have to maintain systems which are not only massively diverse in terms of technology, but also massively diverse in terms of geography. you'd probably find that on plenty of sites, IT help is half an hour away at the very best. i would hate to work for them, it'd be a nightmare.


  • Posts: 0 [Deleted User]


    leahyl wrote: »
    Try reading my post - where did I mention Zoom???

    Apologies, I meant to say "zoom, teams, etc".

    I did not mean to misrepresent your post and I'll edit it now. My point still stands. Blocking the installation of non-standard applications is a good thing and indicative of a good ICT policy and infrastructure, and not a bad one (which you implied).


  • Registered Users Posts: 2,986 ✭✭✭BailMeOut


    heroics wrote: »
    If you look at the info about Conti earlier in this thread, it both extracts data and also encrypts the data that is left behind. It uses a number of tools to gain elevated privileges and laterally move through an environment.

    Another link, with a different initial attack from the previous link:
    https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/

    Thank you. Did not know they were encrypting the data left behind. This looks very similar to the US pipeline hack.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Are their IT people living in the land of Nod, who did not see this coming, so much so that they would have an off-site backup that is maintained off the Internet? One live system and at least 2 backups, 1 not connected; it's hardly rocket science.

    How do you know they don't?

    Just for clarity, I have been working in IT Security for approximately 15 years and currently work with some nationally critical systems, though not the HSE. We have reached out to them and offered our services though.

    The discussion about out-of-date software is something of a red herring, because even if they were running Windows 10 across the board, the threat actors could still leverage a zero-day exploit to get access. A zero-day exploit is an exploit for which there is no patch. So they could use a sophisticated exploit, or it could have been as straightforward as an Excel file with a macro.

    Also, I'd like to point out that shutting down the network was the right thing to do and would commonly be part of an Incident Response Plan.


  • Registered Users Posts: 524 ✭✭✭penny piper


    Badly fukt wrote: »
    No, mostly Windows 7 though, which is also end of life.
    I think some in the HSE are using Windows 10.


  • Registered Users Posts: 147 ✭✭what?


    Slightly tangential, this is a proof of concept:
    https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/

    Air-gapped networks are now just networks with extreme latency :-)
    Literally a game of whack-a-mole.


  • Posts: 0 [Deleted User]


    Are their IT people living in the land of Nod, who did not see this coming, so much so that they would have an off-site backup that is maintained off the Internet? One live system and at least 2 backups, 1 not connected; it's hardly rocket science.

    Kind of the way things used to be done back in the day with non-internet networks. I know you're suggesting an internet based system be backed up on a disconnected server from which the data is transported by a human to an offsite location to mitigate against fire risk. Then you add the risk of the human being having the portable device stolen off them the way we used to often hear about laptops going missing with precious data compromised.


  • Registered Users Posts: 5,913 ✭✭✭JDxtra


    Times have changed since, but I remember around 10 years ago a company I was working with had a standby disaster recovery site which was online and ready in a recovery centre. We could flip between live and standby as needed.

    The folks from HSE IT were using the same recovery centre. They were testing their recovery processes one day, which involved wheeling in servers on a trolley with a load of recovery tapes. It takes an incredible amount of time to recover systems and data in this manner.

    More recently on the RTE News (2 years ago?) they showed the inside of the HSE IT dept. as part of a report. In the background there were Windows XP machines still running - and this was within IT (i.e. not connected to some legacy radiology machine).


  • Registered Users Posts: 279 ✭✭ShayNanigan


    I don't understand why they are still using Windows! From what I've seen, in many European countries they use Linux for several reasons.

    Also this bit in the Journal article sort of made me smirk: "A contingency plan has been put in place to revert back to the “old-fashioned” paper-based system". Isn't that what they normally use most of the time anyway...? Time for an upgrade in the systems in any case I'd say. There's a good chance of mistakes daily just because either some papers go missing or they give a patient the wrong medication (unless the patient is very observant) because they have no system where to check. And of course then there's these types of cyber attacks because the system they do have in place is running on Windows.

