
Ransomware & HSE


Comments

  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    So, I'm here, where's everybody?:mad:

    Sorry, Dan.. The bus from Kerry was a bit late arriving.. And some of the lads brought on a slab of lager so they were doing the stop the bus I want a wee wee since Cashel and some of them are a bit ould and have trouble with the prostate so were only dribbling piss down their legs and then had to sit up near the driver to dry out their trousers and the driver told them to sit the **** down but they wouldn't so he pulled over into a layby and wouldn't move until James Spillane moved back down the bus..

    Anyway, we'll be there soon so you wait there and we'll have a grand protest. Good man!


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    TomOnBoard wrote: »
    Sorry, Dan.. The bus from Kerry was a bit late arriving.. And some of the lads brought on a slab of lager so they were doing the stop the bus I want a wee wee since Cashel and some of them are a bit ould and have trouble with the prostate so were only dribbling piss down their legs and then had to sit up near the driver to dry out their trousers and the driver told them to sit the **** down but they wouldn't so he pulled over into a layby and wouldn't move until James Spillane moved back down the bus..

    Anyway, we'll be there soon so you wait there and we'll have a grand protest. Good man!


    There's a couple of shady lads across the street looking at me. I don't know if they're locals or Moscovites, will ye be long more, it's starting to rain.


  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    I have no problem with that. But good point before that.


    I know where a cleaner was sacked for using office equipment (probably computers too) at night. She forgot to turn off a screen and it was spotted the next day and it was linked back to her.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    saabsaab wrote: »
    I know where a cleaner was sacked for using office equipment (probably computers too) at night. She forgot to turn off a screen and it was spotted the next day and it was linked back to her.

    How on earth did a cleaner have a login?


  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    How on earth did a cleaner have a login?


    No idea. Must have found it in someone's desk. Didn't get many details but that it had happened. The language on the screen traced it to her.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    The HSE consulted with FireEye whose primary job is focusing on zero days and they confirmed it was a zero day.

    Just going to point out, it's still a zero day exploit after day 0. So did they confirm it was a new previously unknown zero day, or a zero day?


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    How on earth did a cleaner have a login?

    I can't reveal how the credentials were actually acquired in the case which I referred to (this became the subject of a High Court action) but I've seen and been aware of numerous occasions over the years where abuse/mis-use of credentials becomes possible as a result of human failings/stupidity/carelessness/thoughtlessness as well as more general issues such as poor or non-existent security protocols and procedures, poor training, lack of security auditing etc.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    There's a couple of shady lads across the street looking at me. I don't know if they're locals or Moscovites, will ye be long more, it's starting to rain.

    If they're shady looking lads, that'll be the Cork brigade. Don't mind them, they're all mouth and no trousers. Pity about the rain, we have that too and we're all on the side of the road outside Monasterevin trying to lift up the bus to change a wheel that picked up a nail in Portlaoise when we came off the motorway to pick up a Supermacs and the feckin eejit of a driver has no jack in the bus so we're all listening to Séamus Beag de Faoite doing an On Three Boys, Liiiiiift but he's having to stop when he gets to two with him running out of breath coz of the 60 Majors a day since 1972 and his lungs are like bags of stones with no soakage for the air so he runs out of steam before he gets to three and I'd say we'll be another hour.

    Good man, Dan. You fly the flag until we get there. Jesus but we'll have great craic later, wha? Ivan won't know what hit him when this protest kicks off!! I wonder will the Guards be there... I hope they bring the lads on the big horses! I love horses!


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    Interesting piece by Senan Molony on independent.ie - better standard of journalism than the usual indo click bait.

    Sadly, this could be a game changer:
    Jennifer Whitmore of the Social Democrats said Túsla had been hacked as well, and there were fears of details about at-risk children being leaked to the internet and published on the dark web.

    She asked about the child protection risks, and the impacts on Túsla, adding: “There are a whole range of different issues of real concern.”

    Mr Ryan said Túsla systems had been connected to HSE networks, and the Government was looking to contain the release of such information. “We already doing that.

    We already knew that the Tusla systems were hosted by the HSE. If it transpires that Tusla case data was included in the 700GB which was stolen and could be sold/released then the pressure to pay the ransom will increase exponentially.


  • Registered Users Posts: 22 flask_fan


    There are companies all over the world similarly affected.



    Scripps in San Diego and Waikato in NZ.


    ineedeuro wrote: »
    Zero day attack. Yet the Department of Health was able to stop it. Funny zero day attack? It never was and never will be a Zero Day attack.
    HSE Chief Operations Officer Anne O'Connor said the HSE was alerted to the attack at 4am and she described it as a "zero-day threat with a brand new variant of the Conti ransomware".


    If this was true you would have companies all over the World with the same issue. Strange it is just the HSE and even an organisation in the same country can stop it.

    Also RTE and HSE ran a campaign saying they had done everything right in turning off everything. This is not true. Once you shut everything down how do you know what is infected and what isn't?

    “In shutting everything down, it would appear HSE were unable to confidently isolate the problem by switching off just part of the network or even just quarantining the problematic IT assets out of the network,” suggested Amit Serper, associate vice-president of security research at Guardicore Labs.

    That's just a start.


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    Just going to point out, it's still a zero day exploit after day 0. So did they confirm it was a new previously unknown zero day, or a zero day?
    That's what I had wondered too - was it completely unknown or, if known, how long for and what position were they in to address it?

    I'd love to know at this point what their CIO wanted, in terms of security, etc, and what he was told he could have (budget wise). I'm sure plenty of us here are aware of companies cutting corners when it comes to IT budget, especially security / patching / upgrading. Trying to convince people why it's necessary can be difficult although, if nothing else, we can now all point and go: "Do you want to be like the HSE?" (rightly or wrongly, they'll be used as a scapegoat for this for a while).


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Hibernicis wrote: »
    Interesting piece by Senan Molony on independent.ie - better standard of journalism than the usual indo click bait.

    Sadly, this could be a game changer:



    We already knew that the Tusla systems were hosted by the HSE. If it transpires that Tusla case data was included in the 700GB which was stolen and could be sold/released then the pressure to pay the ransom will increase exponentially.
    Paying the ransom is off the table for a multitude of reasons discussed.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    How on earth did a cleaner have a login?

    You'd be surprised what you find posted on office walls and under keyboards in corporate offices...


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    ixoy wrote: »
    That's what I had wondered too - was it completely unknown or, if known, how long for and what position were they in to address it?
    All I think we know from public information is that the DoH found the beacon on their network. That doesn't just magic onto a network, something had to happen previously to facilitate its installation - that's I presume where the zero-day would have happened. In my experience that's likely to be either an OS exploit or perhaps something like a PDF reader or browser, or it could have been on a VPN device.

    I'm a bit surprised we haven't seen IOCs published yet for the source of the initial infection as a zero-day being actively exploited for ransomware is a big deal (for the world).

    If they did get hit by a zero-day I have huge sympathy, and the criticism from people who are not experts in this area should stop. Everyone tries to build layers of security, but when you're dealing with attackers using that level of sophistication it is difficult to defend for almost any company or organisation.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    Keyzer wrote: »
    You'd be surprised what you find posted on office walls and under keyboards in corporate offices...

    The inside back page of the desk diary was the favourite password vault in the 1980s...


  • Registered Users Posts: 454 ✭✭MikeSoys


    I'd like to see if my medical data was leaked on the dark web, anyone else have a pointer to the dark web site name?


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    kippy wrote: »
    Paying the ransom is off the table for a multitude of reasons discussed.

    I'm not advocating payment, just recognising that the political pressure may become insurmountable. The detailed records of Tusla client cases are in another league.


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    MikeSoys wrote: »
    I'd like to see if my medical data was leaked on the dark web, anyone else have a pointer to the dark web site name?

    check out this lad - very helpful first time poster that appeared here yesterday - he may need your credit card details


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    Hibernicis wrote: »
    I'm not advocating payment, just recognising that the political pressure may become insurmountable. The detailed records of Tusla client cases are in another league.
    The data is gone. It's a disaster, but the sooner the opposition stops trying to make this attack on the state a political football the better. We are facing a genuinely very serious threat which I'm not sure we have ever faced before.


  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    MikeSoys wrote: »
    I'd like to see if my medical data was leaked on the dark web, anyone else have a pointer to the dark web site name?
    If you have to ask then you probably shouldn't go there!

    Edit: just to check, are you on a work laptop?


  • Registered Users Posts: 1,757 ✭✭✭Deliverance XXV


    hmmm wrote: »
    All I think we know from public information is that the DoH found the beacon on their network. That doesn't just magic onto a network, something had to happen previously to facilitate its installation - that's I presume where the zero-day would have happened. In my experience that's likely to be either an OS exploit or perhaps something like a PDF reader or browser, or it could have been on a VPN device.

    Pretty much. The attack would comprise many different tools. Conti attacks are known for using Cobalt Strike so I am guessing that the DOH EDR or SIEM picked up signatures or IOCs for it. This would be considered a serious alert in a SOC and would be actioned immediately.


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    hmmm wrote: »
    All I think we know from public information is that the DoH found the beacon on their network. That doesn't just magic onto a network, something had to happen previously to facilitate its installation - that's I presume where the zero-day would have happened. In my experience that's likely to be either an OS exploit or perhaps something like a PDF reader or browser, or it could have been on a VPN device.

    I'm a bit surprised we haven't seen IOCs published yet for the source of the initial infection as a zero-day being actively exploited for ransomware is a big deal (for the world).

    If they did get hit by a zero-day I have huge sympathy, and the criticism from people who are not experts in this area should stop. Everyone tries to build layers of security, but when you're dealing with attackers using that level of sophistication it is difficult to defend for almost any company or organisation.

    they are there but they aren't WHITE yet afaik


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Hibernicis wrote: »
    I'm not advocating payment, just recognising that the political pressure may become insurmountable. The detailed records of Tusla client cases are in another league.

    It's irrelevant what the data is/what the political pressure is.
    It's data. And data can be monetised in many different ways as well as copied and shared.

    Payment is throwing good money after bad.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    hmmm wrote: »
    If they did get hit by a zero-day I have huge sympathy, and the criticism from people who are not experts in this area should stop. Everyone tries to build layers of security, but when you're dealing with attackers using that level of sophistication it is difficult to defend for almost any company or organisation.

    You are missing the point. It may well have been an unavoidable zero-day exploit that led to the attack. Announcing that it was, just hours after the attack, without the possibility of any proper analysis having been done, points to obvious disingenuousness and accountability dodging.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Speaking as someone who has written Incident Response plans, turning everything off was the correct decision. The HSE's response has been excellent so far. Having a process in place when you can shut down 80,000 computers at 4am in the morning is exemplary.

    The HSE consulted with FireEye whose primary job is focusing on zero days and they confirmed it was a zero day.



    Not if it was a targeted attack. This isn't a worm, this is a human-triggered attack.

    Would you not disconnect external connectivity and then isolate all the systems?
    Hard to diagnose the issue when everything is turned off.

    Also as Mandiant/FireEye are involved they will install FireEye onto everything, this is EDR similar to Carbon Black/CrowdStrike etc. How do they install it when the systems are off?

    I've seen no press release from FireEye saying it was a zero-day?


  • Registered Users Posts: 7,256 ✭✭✭plodder


    Wombatman wrote: »
    You are missing the point. It may well have been an unavoidable zero-day exploit that led to the attack. Announcing that it was, just hours after the attack, without the possibility of any proper analysis having been done, points to obvious disingenuousness and accountability dodging.
    and if it was a zero-day, then I'd like to hear it from the NCSC, with evidence, rather than from a third party company selling security services. The NCSC doc that was linked earlier refers to it as a "variant" of Conti which could mean anything.


  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    ineedeuro wrote: »
    I've seen no press release from FireEye saying it was a zero-day?
    Presumably they will have some form of NDA so really shouldn't say anything about what happened to their clients and what they have done to resolve it.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Presumably they will have some form of NDA so really shouldn't say anything about what happened to their clients and what they have done to resolve it.

    Which is standard, but the poster said that FireEye have confirmed it was a zero-day.

    The only person I have seen suggest it was a ZeroDay was the HSE.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    ineedeuro wrote: »
    Would you not disconnect external connectivity and then isolate all the systems?
    Hard to diagnose the issue when everything is turned off.

    Also as Mandiant/FireEye are involved they will install FireEye onto everything, this is EDR similar to Carbon Black/CrowdStrike etc. How do they install it when the systems are off?

    I've seen no press release from FireEye saying it was a zero-day?

    You switch everything off and next time you switch on is to wipe and rebuild.


    Then go to the backups and pray they work


    All pc/laptop data is gone


  • Registered Users Posts: 524 ✭✭✭penny piper


    kippy wrote: »
    So everyone in the HSE needs to be educated up to master's level in Security?

    Problem with the HSE is you have managers (highly undeserving of the salary scale) who don't even have a degree/clerical officers who have master's degrees (poorly paid and no chance of promotion...oh and if you know so and so...they'll probably put in a word and get your relative a job...along with having their wife/brother/son/daughter stuck in somewhere...

