
Ransomware & HSE


Comments

  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    The HSE brought in FireEye to investigate, and FireEye said it was a zero day.



    What's your source that it wasn't a zero day?

    Show me FireEye saying it was zero day? Thanks


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    Remind me how long was it between the contract Leo slipped out and the media reported on it?

    Are you working in government? HSE?

    Remind me of the difference between posting an envelope and making a million Euro international bank transfer, via bitcoin?

    And thanks for proving the general point of how difficult it is to keep secrets in Government.


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    Show me FireEye saying it was zero day? Thanks

    What's your source that it wasn't a zero day? Thanks.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    ineedeuro wrote: »
    Show me FireEye saying it was zero day? Thanks


    https://www.nytimes.com/2021/05/20/technology/ransomware-attack-ireland-hospitals.html


    However, FireEye, the cybersecurity firm, released a report last month that found a ransomware group used a zero-day in SonicWall VPN security devices to breach organizations. Typically, ransomware gangs are known to break in using unpatched software, weak passwords or phishing attacks. The use of zero-days would mark a major advance in criminals’ tactics, and increase the likelihood that they can break into organizations’ networks undetected.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Remind me of the difference between posting an envelope and making a million Euro international bank transfer, via bitcoin?

    What’s your point? The discussion is about if the HSE, government etc lie. It is clear the government have no issue lying to the public

    Maybe you can explain why hackers sit silent for weeks/months in HSE, deploy the ransomware. Watch for a week while the HSE run around with no way to fix with zero concern and suddenly decide to just send over the deactivation with not a zero cent paid in ransom?
    Seems a funny series of events.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    ineedeuro wrote: »
    What’s your point? The discussion is about if the HSE, government etc lie. It is clear the government have no issue lying to the public

    Maybe you can explain why hackers sit silent for weeks/months in HSE, deploy the ransomware. Watch for a week while the HSE run around with no way to fix with zero concern and suddenly decide to just send over the deactivation with not a zero cent paid in ransom?
    Seems a funny series of events.


    See above for my theory.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro



    Why not copy the paragraph before

    Health network officials have described the attack as “highly sophisticated” and claim attackers used an undiscovered bug in software known as a zero-day to breach their systems. They did not name the affected software and did not provide evidence to back up their claims.

    The article you posted does nothing to back up the claim made by the HSE, it does the opposite

    The paragraph you copied was from a different attack. Nothing to do with HSE and a month ago


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    ineedeuro wrote: »
    Why not copy the paragraph before

    Health network officials have described the attack as “highly sophisticated” and claim attackers used an undiscovered bug in software known as a zero-day to breach their systems. They did not name the affected software and did not provide evidence to back up their claims.

    The article you posted does nothing to back up the claim made by the HSE, it does the opposite


    What in the actual f*ck?


    You posted a paragraph that supports my argument?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    What in the actual f*ck?


    You posted a paragraph that supports my argument?

    I will quote again

    “They did not name the affected software and did not provide evidence to back up their claims.”


  • Registered Users Posts: 469 ✭✭boege


    Who says this is over?

    "The hackers have threatened to share the stolen data online and with other criminals from next Monday unless a $20 million ransom is paid."

    https://www.irishtimes.com/news/crime-and-law/hse-hack-decryption-key-did-not-come-from-diplomatic-channels-1.4571751


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    What’s your point? The discussion is about if the HSE, government etc lie. It is clear the government have no issue lying to the public

    Maybe you can explain why hackers sit silent for weeks/months in HSE, deploy the ransomware. Watch for a week while the HSE run around with no way to fix with zero concern and suddenly decide to just send over the deactivation with not a zero cent paid in ransom?
    Seems a funny series of events.

    This isn't about ability to lie.

    This is about ability to make a €20 million million transaction via bitcoin without involving a significant number of people, one of whom will inevitably leak.


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    The irony if the decryption key exe wasn't supported on windows 7. :)


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    boege wrote: »
    Who says this is over?

    "The hackers have threatened to share the stolen data online and with other criminals from next Monday unless a $20 million ransom is paid."

    https://www.irishtimes.com/news/crime-and-law/hse-hack-decryption-key-did-not-come-from-diplomatic-channels-1.4571751

    No one said it was over. The HSE is still crippled.


    The data is already out there. No point paying 20 million.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    I can't help wondering if perhaps the attack on Ireland's HSE was a demo. A bit of marketing as it were. Providing the key, and (hopefully) demonstrating it can decrypt the files shows that they mean business, so if they target a larger or richer country, that pay up and you'll get a valid key that will work.

    It's been a poor idea if that is the case. This is the very definition of cyber terrorism. If anything this will make the EU and other organisations sit up and look at greater ways of working together and pressurising safe haven nations to flush out and punish those behind these types of things.

    States cannot be held to ransom, it is not acceptable. If you are thinking of trying this type of thing against a State you should have considered the serious consequences coming your way.

    It's one thing to blame the victim and fair enough maybe the victim could have done more but the victim isn't the cause of this.


  • Registered Users Posts: 676 ✭✭✭Esho


    kippy wrote: »
    It's been a poor idea if that is the case. This is the very definition of cyber terrorism. If anything this will make the EU and other organisations sit up and look at greater ways of working together and pressurising safe haven nations to flush out and punish those behind these types of things.

    States cannot be held to ransom, it is not acceptable. If you are thinking of trying this type of thing against a State you should have considered the serious consequences coming your way.

    It's one thing to blame the victim and fair enough maybe the victim could have done more but the victim isn't the cause of this.

    It is another Putin-sponsored test of EU and West reactions - this is in line with Russian foreign policy. The hackers are operating with state support. The reactions are currently being analysed in the newly built annex in their embassy in Dublin 14.


  • Registered Users Posts: 26,578 ✭✭✭✭Turtwig


    irishgeo wrote: »
    The irony if the decryption key exe wasn't supported on windows 7. :)

    It's been a while since someone mentioned windows 7.




  • Registered Users Posts: 2,418 ✭✭✭kowloonkev


    Keyzer wrote: »
    This is true, Russia turns a blind eye to this stuff all the time. Criminals operating out of Odessa years back were targeting banks all over the world with credit card fraud, made a fortune. They then mistakenly targeted a Russian bank and within two hours Spetsnaz raided them.

    However, this is small fry for the Russian State - they are not behind this, aware yes, but not behind it.



    Agreed - something obviously going on in the background within diplomatic channels. Surprising turn of events though, I don't remember seeing decryption keys being handed over like this.



    Go away, please, just go away...



    Exactly - like the guy who wanted his song back on Napster years back.



    I highly doubt they have cyber insurance.



    Diplomatic pressure I would assume, most likely instructed to by the Russian government after political discussion.



    That's true, in these instances they throw it out and hope for a return. I doubt this was a targeted attack on the HSE.



    Lol...



    Not necessarily, you still have a duty of care to ensure you are protecting data adequately. Compliance does not mean secure - too many companies take an audit driven, check box approach to security. Pass audit, winner, we're secure. Doesn't work that way.



    Clown school...



    Don't be ridiculous... you're actually suggesting Ireland should start a targeted cyber attack on Russia? This is delusional and laughable.

    If Russia decided, they could bring this country to its knees with a barrage of cyber attacks.



    I'd go for this option...

    I didn't say Ireland did I? Idiot.


  • Registered Users Posts: 13,186 ✭✭✭✭jmayo


    souter wrote: »
    From what I've read on conti so far it uses a non-standard encryption to make it fast https://www.zdnet.com/article/conti-ransomware-uses-32-simultaneous-cpu-threads-for-blazing-fast-encryption/
    i.e. using well established maths, but not just a passphrase to be fed into off the shelf s/w.
    So the HSE et al will be re-implementing it, which is why it's not a magic key.
    (and not forgetting every system has to be flushed, sterilised and secured, irregardless of how much we may want to believe the hackers' bona fides).

    So, why did this become available?
    1) HSE/Irish government paid the ransom secretly. Honestly don't think this is likely.

    Could be, but we are cr** at doing anything and it would be found out.
    Unless it was intermediary and Donnelly ruled that out

    Then again someone higher up wouldn't tell that eejit or most of the other ones what was going on in order to keep a lid on it.

    If a ransom was paid I would say the number that know is only a few.

    souter wrote: »
    4) Putin not liking the publicity, FSB abseil into a few basements waving underpants and perfume bottles. Very likely

    I actually think this is very likely that Putin made a phone call and the boyos played ball.
    They still have the data that they may be free to bargain with.

    deandean wrote: »
    From a small amount of insider information and from the reported circumstances, here is what happened:
    - The attack was recognised as coming from within Russia.
    - The Russian Ambassador was called in for a meeting at top-level in Dublin. The displeasure of the state was clearly laid out to him.
    - Top-level diplomats in Russia were informed of the situation, right up to Mr Putin.
    - The hackers, who of course are known by high-level Russian intelligence, were told to cease & desist or face a SWAT team and being wiped out.
    - The hackers complied, and sent the decrypt key to the HSE.

    Either we paid or Putin put his foot down.
    They really are the only realistic reasons.

    I definitely think there is distinct possibility this happened due to Putin, but it wasn't that he was quaking in his boots because the Irish called in his ambassador.

    It was because it somehow benefits him and Russia.

    What does Putin get out of this?
    Well this episode shows that there are Russian resources that can be used to take down a country's entire medical system.
    Could it be that he is happy that it is a shot across the bows of the West and now it is time to depart after point proven?

    Could it be that he doesn't want the bad publicity and unwanted attention that an attack of this size brings and that these guys were too successful at this time?

    Could it be that he now has a favour in the bank?
    We are on security council, not that he probably cares about what they think.

    Do we have to vote for Russia tonight in the Eurovision? :D

    I am not allowed discuss …



  • Registered Users Posts: 16 markgb


    VinLieger wrote: »
    Someone on NT just there confirming again they didn't pay the ransom directly or via a third party as some had theorised. Heavily hinted it was political pressure via international bodies that got the encryption key.

    I'm sure there is lots of stuff going on behind the scenes that we don't know about. There are several parties that are being hurt by this, including Russia and Wizard Spider themselves to some extent. It's a bit more difficult to operate in the shadows when the world is saying your name. Apparently some of their operatives don't even know they work for an illegal organisation so it's not beyond the bounds of possibility that some idealistic young hacker involved with them balked at the thought of their actions costing lives, instead of being a Robin Hood that steals from big corporates. And I'm sure the US CIA and NSA aren't just sitting around doing nothing either. They may not be acting on our behalf but I'm sure this is waking them up to the potential damage that can be done. Maybe even Microsoft is worried about people losing trust in Windows, who knows.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    kowloonkev wrote: »
    I didn't say Ireland did I? Idiot.

    Considering it's an "attack" on an Irish State body, it's safe to assume you meant the Irish state. What state are you specifically referring to? Maybe we pay some other state to do this for us?

    You're the one suggesting state sponsored ransomware attacks on Russian public services, attacking their oil and gas pipelines in the middle of winter.

    And I'm the idiot... :P


  • Registered Users Posts: 16 markgb


    They don't necessarily have to be directing it. It could be either being done with their tacit approval or turning a blind eye, or perhaps even their current or past agents doing it as a sideline.

    You'll probably find that there aren't too many ransomware attacks from this group on Russian targets.

    Apparently the Conti code automatically shuts down if the target site is in Russian or is hosted on a Russian IP. They won't sh1t on their own doorstep I guess or Putin might stop ignoring them.


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    jmayo wrote: »
    Could be, but we are cr** at doing anything and it would be found out.
    Unless it was intermediary and Donnelly ruled that out

    Then again someone higher up wouldn't tell that eejit or most of the other ones what was going on in order to keep a lid on it.

    If a ransom was paid I would say the number that know is only a few.

    How do you make a payment of millions of Euros via bitcoin by a Government body from a Government bank account with 'only a few knowing'? Do you not think the accountants will notice €20 million gone missing from the account?


  • Registered Users Posts: 13,186 ✭✭✭✭jmayo


    How do you make a payment of millions of Euros via bitcoin by a Government body from a Government bank account with 'only a few knowing'? Do you not think the accountants will notice €20 million gone missing from the account?

    There are always back channels.
    Well there are for other countries anyway.
    Here God knows.

    And if it was done I don't think they would have done this out of a main bank account with transaction description down as "Bitcoin purchase for hackers"?

    Then again this is Ireland so anything is possible.

    I am giving them some credit for having some ability somewhere.

    PS maybe they just hid the payment in the bottomless money pit that is your favourite, the new children's hospital.
    Fooking hell maybe we bought an old nuclear sub from Vlad for all we know with all the spending that has gone on in there. ;)

    Anyway as I said I believe it more likely it was old Vlad who put his foot down.
    Then the question is why?

    I am not allowed discuss …



  • Posts: 0 [Deleted User]


    To inject a little humour here, I had a weird nightmare last night reflecting all that's going on, and inspired by my watching a hospital and the DSPCA program on tv. In my dream I was working as a HSE hospital porter, wheeling patients to an operating theatre which was headed by a veterinary surgeon. The trouble was, the patients' limbs and body parts kept falling off on the way, and I was stressed trying to gather them up and bring them to theatre for reassembly by the vet. There were some animal parts in the mix. The vet and his nurses laughed their heads off at me for even thinking these folk could be reunited with their body parts, and I asked why not. It was explained to me that "We haven't got the decryption key!"


  • Registered Users Posts: 9,417 ✭✭✭Cluedo Monopoly


    ineedeuro wrote: »
    I will quote again

    “They did not name the affected software and did not provide evidence to back up their claims.”

    If the vulnerability is in open source, it should be reported asap. I cannot see how they could avoid doing so and I expect we would already know the name of the particular open source library and CVSS. Enterprises rely on well known open source vulnerability classification databases to stay secure. I doubt it's a zero day incident.

    What are they doing in the Hyacinth House?



  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    jmayo wrote: »
    There are always back channels.
    Well there are for other countries anyway.
    Here God knows.

    And if it was done I don't think they would have done this out of a main bank account with transaction description down as "Bitcoin purchase for hackers"?

    Then again this is Ireland so anything is possible.

    I am giving them some credit for having some ability somewhere.

    PS maybe they just hid the payment in the bottomless money pit that is your favourite, the new children's hospital.
    Fooking hell maybe we bought an old nuclear sub from Vlad for all we know with all the spending that has gone on in there. ;)

    Anyway as I said I believe it more likely it was old Vlad who put his foot down.
    Then the question is why?

    How many people do you think would be involved in making a payment of €20 million from the hospital project account AND converting that into bitcoin AND paying the bitcoin over to the Russian lads. What happens when the project accountants start adding things up and doing their bank rec? What happens when the C&AG land at the end of the year?

    No back-channel is going to front a €20 million for us.


  • Registered Users Posts: 7,419 ✭✭✭MrMusician18


    This isn't about ability to lie.

    This is about ability to make a €20 million million transaction via bitcoin without involving a significant number of people, one of whom will inevitably leak.

    Such an operation could feasibly be completed with only a handful of people. Governments keep secrets all the time remember. All the government would need to maintain is plausible deniability.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Such an operation could feasibly be completed with only a handful of people. Governments keep secrets all the time remember. All the government would need to maintain is plausible deniability.

    A ransom hasn't been paid.

    Can we move on?


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    Such an operation could feasibly be completed with only a handful of people. Governments keep secrets all the time remember. All the government would need to maintain is plausible deniability.

    A handful? Really? How many levels do you have to come down from the Minister to find the person who actually does the bank transfers? And that's without even considering the extra complication of the bitcoin transaction, for which there will be no current experience, knowledge or process in Government.

    There isn't a hope that they could do this without it leaking out within weeks, if not days.

