
Ransomware & HSE


Comments

  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Originally Posted by topdecko
    This is a huge issue. Healthlink down for us in GP land and we don't seem to have a back up in place.

    Just to correct your use of jargon, it's not that they don't have backups, it's that they don't have an immediate contingency in place. They do have backups. They have shut down the system to prevent further infection. There actually have been no reports of encrypted files yet. They might have caught it early enough, but they can't switch systems back on until they are certain the malware has been removed.


  • Registered Users, Registered Users 2 Posts: 11,391 ✭✭✭✭Furze99


    gctest50 wrote: »
    lol

    It's you and I, Bud, that'll be paying in taxes if they don't crack this and/or manage the extent of infection so that systems can be restored. The idea that you can rebuild the health data of several hundred thousand citizens is not really a goer, is it?


  • Registered Users Posts: 115 ✭✭topdecko


    Just to correct your use of jargon, it's not that they don't have backups, it's that they don't have an immediate contingency in place. They do have backups. They have shut down the system to prevent further infection. There actually have been no reports of encrypted files yet. They might have caught it early enough, but they can't switch systems back on until they are certain the malware has been removed.

    Yeah, I didn't mean backups in the computer sense but rather an alternative way of continuing to provide service within the various healthcare settings, be it appointments or referrals etc.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 50,078 CMod ✭✭✭✭magicbastarder


    Some are very subtle though. Our company put in a "fake phishing" system a while ago which randomly sends phishing-type emails to employees.
    ....
    It's a great system and really trains people over time.

    https://www.theguardian.com/uk-news/2021/may/10/train-firms-worker-bonus-email-is-actually-cyber-security-test


  • Registered Users Posts: 135 ✭✭sphinxicus


    topdecko wrote: »
    Yeah, I didn't mean backups in the computer sense but rather an alternative way of continuing to provide service within the various healthcare settings, be it appointments or referrals etc.




    Pen, paper & fax machines by the sounds of it


  • Registered Users, Registered Users 2 Posts: 7,562 ✭✭✭MrMusician18


    I wonder could someone in the technical know-how post about how an organisation like the HSE would go about recovering from this. Yes, of course it depends on the backup systems they have, so I know that caveat.

    So at the moment they have the network turned off. What happens next?


  • Registered Users Posts: 130 ✭✭fael


    DaSilva wrote: »
    I know this is a weird take for a lot of people and I know a lot of people are really invested in crypto so I expect backlash.

    I think the cryptocurrency is half the problem here, it facilitates these criminals. I understand there is little governments can do about them though, banning doesn't really have any effect. If the value of all these cryptos plummeted though, I think ransomware attacks would be far less lucrative. Pipe dream though I understand.

    There are some cryptocurrencies with privacy features, but bitcoin isn't one of them. You can publicly see where your (or someone else's) BTC has gone to and where it goes from there. There are companies specialised in tracing where the BTC has gone (and companies to obfuscate it :), cat and mouse as always).

    I don't want to judge the HSE before more info comes out. But these kinds of attacks are very common, with well published defence and prevention methods to protect your infrastructure. So they should be prepared.
    In the same vein, if you are attacked, you'll want to contain it. And pulling the plug on your network is an effective way to do that.

    Let's not forget that even companies like Maersk got caught out (https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/) and of course the NHS as well (https://www.acronis.com/en-gb/articles/nhs-cyber-attack/).

    Paul Reid mentioned on newstalk that it is the Conti ransomware, of which you can read a good summary here: https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/

    Still, those attacks in the past should have been a warning for any company and should have been mitigated against.
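To make the "you can publicly see where the BTC has gone" point concrete, here is an added example (mine, not fael's and not from any of the linked articles) of the basic technique a tracing firm applies: walk the transaction graph forward from a ransom address until the funds land at an address belonging to a known service. The ledger, transaction ids, addresses and service labels below are all constructed sample data; a real trace runs the same breadth-first walk over the real chain, plus change-output and clustering heuristics that this deliberately leaves out.

```python
"""Added example, not part of the thread: following funds forward through a
public transaction graph. Every txid, address and service label here is
constructed; only the graph-walk logic is the point."""
from collections import deque
from typing import Dict, List, Tuple

# Constructed ledger: txid -> (addresses spent from, [(receiving address, amount in BTC)])
LEDGER: Dict[str, Tuple[List[str], List[Tuple[str, float]]]] = {
    "tx1": (["victim_wallet"], [("ransom_addr", 1.00)]),
    "tx2": (["ransom_addr"], [("hop_a", 0.60), ("hop_b", 0.40)]),
    "tx3": (["hop_a"], [("exchange_deposit_1", 0.59)]),
    "tx4": (["hop_b"], [("hop_c", 0.20), ("hop_d", 0.20)]),
    "tx5": (["hop_c"], [("exchange_deposit_2", 0.19)]),
    "tx6": (["unrelated"], [("hop_d", 2.00)]),  # noise: unrelated money also lands in hop_d
}

# Constructed attribution data: deposit addresses already tied to a regulated service.
KNOWN_SERVICES = {"exchange_deposit_1": "ExchangeA", "exchange_deposit_2": "ExchangeB"}


def spends_from(ledger, address: str) -> List[str]:
    """Transactions that spend coins held by `address` (the ledger is public, so this is a lookup)."""
    return [txid for txid, (inputs, _outputs) in ledger.items() if address in inputs]


def trace(ledger, start: str, known: Dict[str, str], max_hops: int = 10):
    """Breadth-first walk forward from `start`.

    Returns (reached, cashouts): every address the funds touched with its hop
    distance, and the (address, service, hops) tuples where funds reached a
    known service. The walk stops at a known service because that is where a
    subpoena or exchange KYC request can attach a name to the flow.
    """
    reached = {start: 0}
    queue = deque([start])
    cashouts = []
    while queue:
        addr = queue.popleft()
        if addr in known:
            cashouts.append((addr, known[addr], reached[addr]))
            continue
        if reached[addr] >= max_hops:
            continue
        for txid in spends_from(ledger, addr):
            for out_addr, _amount in ledger[txid][1]:
                if out_addr not in reached:
                    reached[out_addr] = reached[addr] + 1
                    queue.append(out_addr)
    return reached, cashouts


if __name__ == "__main__":
    reached, cashouts = trace(LEDGER, "ransom_addr", KNOWN_SERVICES)
    for addr, hops in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {addr}")
    for addr, service, hops in cashouts:
        print(f"cash-out at {service} ({addr}) after {hops} hop(s)")
```

The walk only follows outputs, so the victim's own wallet and the unrelated deposit into hop_d never appear in the result; what the forum post calls "companies to obfuscate it" are services that break exactly this forward link, which is why real tracers add clustering heuristics on top of the plain walk.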


  • Registered Users, Registered Users 2 Posts: 5,933 ✭✭✭JDxtra


    I wonder could someone in the technical know-how post about how an organisation like the HSE would go about recovering from this. Yes, of course it depends on the backup systems they have, so I know that caveat.

    So at the moment they have the network turned off. What happens next?

    It stays off until they can identify the infection and propagation method, then protect against that. Then slowly bring core services online and initiate recovery/rebuild processes for any systems that were impacted.

    It could be some bog standard malware that someone let in by accident, which should be easier to root out. If it was a targeted attack then there could be all sorts of weaknesses and backdoors exploited with bots sitting on host machines ready for their next moves.


  • Registered Users, Registered Users 2 Posts: 14,341 ✭✭✭✭jimmycrackcorm



    I think the union in that case wouldn't be offering to pay for any losses caused by their members following through with a phishing attack...

    Cortes (the union) said the company should apologise and now pay an actual bonus, to begin to make amends.

    “In that way the company can begin to right a wrong which has needlessly caused so much hurt.”


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    with well published defence and prevention methods to protect your infrastructure.

    Where are these well known mitigations?

    If I knew of foolproof mitigations for these kinds of attacks I'd start my own security firm and this time next year I'd be a billionaire.


  • Registered Users Posts: 130 ✭✭fael


    Where are these well known mitigations?

    If I knew of foolproof mitigations for these kinds of attacks I'd start my own security firm and this time next year I'd be a billionaire.

    No, you won't because hiring you would cost money. Most companies hit badly by ransomware or a hack only start spending on IT after the fact.

    There is some basic stuff in the article I linked:
    What defenders can do
    There are some proactive steps you can take to enhance your IT security for the future, including:

    Monitor your network security 24/7 and be aware of the five early indicators an attacker is present to stop ransomware attacks before they launch
    Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection and enforce the use of Multi-Factor Authentication (MFA)
    Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies
    Keep regular backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline
    Prevent attackers from getting access to and disabling your security: choose an advanced solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights
    Remember, there is no single silver bullet for protection, and a layered, defence-in-depth security model is essential – extend it to all endpoints and servers and ensure they can share security-related data
    Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help.


    Just to make sure, I'm not saying you can protect yourself 100% from hacks. Apart from defending yourself from hacks, you also have to prepare for what you should do if you do get hacked. For example, don't just make backups. But also practice restoring your backups. And have both online and offline backups. Segment your network etc etc
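The two backup points in that list (3-2-1, and actually practising the restore) are the ones most often written down and never tested, so here is an added example of what "practise restoring" looks like as code. This is my illustration, not fael's and not from the Sophos article: it builds a constructed live share in a temporary directory, takes a manifest of file hashes at backup time, makes two copies, simulates ransomware overwriting the online copy, then checks the copy inventory against 3-2-1 and rehearses a restore of each copy against the manifest. The copy descriptions (`medium`, `offline`) are a hypothetical inventory format, not any product's schema.

```python
"""Added example, not from the thread or the Sophos article: checking a backup
inventory against the 3-2-1 rule and rehearsing a restore against a manifest
of file hashes. All files, paths and the inventory format are constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> sha256, recorded at backup time and stored with the backup."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def check_321(copies: List[dict]) -> List[str]:
    """Return 3-2-1 violations for a copy inventory (empty list means compliant).

    Each copy is a dict with 'name', 'medium' and 'offline' (hypothetical format).
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(sorted(media))})")
    if not any(c["offline"] for c in copies):
        problems.append("no offline copy: ransomware that reaches the network can encrypt every copy")
    return problems


def verify_restore(manifest: Dict[str, str], restored_root: str) -> List[str]:
    """Rehearse a restore: every file in the manifest must be present with the recorded hash."""
    errors = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path):
            errors.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            errors.append(f"corrupt: {rel}")
    return errors


def demo() -> dict:
    """Constructed scenario: a live share, an online copy that gets hit, an offline copy that does not."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(live)
        with open(os.path.join(live, "patients.csv"), "w") as f:
            f.write("id,name\n1,test\n")  # constructed sample content
        with open(os.path.join(live, "referrals.txt"), "w") as f:
            f.write("referral 1\n")
        manifest = build_manifest(live)

        online = os.path.join(work, "nas_copy")
        offline = os.path.join(work, "tape_copy")
        shutil.copytree(live, online)
        shutil.copytree(live, offline)

        # Simulate ransomware reaching the always-mounted copy: one file is overwritten.
        with open(os.path.join(online, "patients.csv"), "w") as f:
            f.write("ENCRYPTED")

        copies = [
            {"name": "live", "medium": "disk", "offline": False},
            {"name": "nas", "medium": "disk", "offline": False},
            {"name": "tape", "medium": "tape", "offline": True},
        ]
        return {
            "three_two_one": check_321(copies),
            "online_restore": verify_restore(manifest, online),
            "offline_restore": verify_restore(manifest, offline),
            "two_disk_copies_only": check_321(copies[:2]),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value or 'OK'}")
```

The point the rehearsal makes is that the online copy passes every inventory check and still fails the restore, which only a hash comparison against a manifest taken at backup time reveals; a backup job that reports "success" tells you the copy ran, not that the copy is intact.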


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 50,078 CMod ✭✭✭✭magicbastarder


    As per the above, there are security flaws being announced all the time. Adobe announced a zero-day in a host of their products on Tuesday (including Reader, which is very widely used). MS announced two high-severity ones also on Tuesday (affecting Hyper-V and web servers). IIRC, Cisco also recently announced a critical vulnerability in AnyConnect.
    Organisations can't simply roll patches out at the drop of a hat; we've had ongoing issues with patch quality from MS, for example.


  • Registered Users, Registered Users 2 Posts: 695 ✭✭✭DaSilva


    Stewball wrote: »
    The first page of this thread is probably the most idiotic collection of posts I've ever read on boards.

    To steal a quote from the HN conversation:

    the ransom part, at the scale possible with cryptocurrency, is new.

    those who sound "silly" are the ones elaborately pretending that this formerly obscure class of electronic extortion didn't suddenly explode into an epidemic with the concomitant rise of cryptocurrency.


    From: https://news.ycombinator.com/item?id=27152402


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 50,078 CMod ✭✭✭✭magicbastarder


    fael wrote: »
    There is some basic stuff in the article I linked:
    What defenders can do
    There are some proactive steps you can take to enhance your IT security for the future, including:
    That is IT security 101. Basic stuff.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    fael wrote: »
    No, you won't because hiring you would cost money. Most companies hit badly by ransomware or a hack only start spending on IT after the fact.

    There is some basic stuff in the article I linked:
    What defenders can do
    There are some proactive steps you can take to enhance your IT security for the future, including:

    Monitor your network security 24/7 and be aware of the five early indicators an attacker is present to stop ransomware attacks before they launch

    The HSE do monitor 24/7, which is why the network got shut down at about 4am this morning.
    Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection and enforce the use of Multi-Factor Authentication (MFA)

    Already done.
    Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies

    Already done
    Keep regular backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline
    Prevent attackers from getting access to and disabling your security: choose an advanced solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights
    Remember, there is no single silver bullet for protection, and a layered, defence-in-depth security model is essential – extend it to all endpoints and servers and ensure they can share security-related data

    That was precisely my point.
    Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help.

    Already done, which is why they shut down the network at 4am this morning. It's part of the incident response plan.
    Just to make sure, I'm not saying you can protect yourself 100% from hacks. Apart from defending yourself from hacks, you also have to prepare for what you should do if you do get hacked. For example, don't just make backups. But also practice restoring your backups. And have both online and offline backups. Segment your network etc etc

    Already done.

    So in summary, your well known well publicised mitigations were already in place. And they still got attacked.

    To be honest, that they were able to shut down the network in the middle of the night really shows they have a robust incident response plan, and the HSE IT Teams should get praise, not have mud slung at them.


  • Registered Users Posts: 7,935 ✭✭✭growleaves


    Only comprehensive totalitarianism can prevent non-traceable transactions from occurring.

    I consider the whole 'debate' around this disingenuous. Before the Patriot Act, large transactions were not monitored electronically.

    Cash has always existed. Tracing existing money would just lead to some new black market equivalent of cash - with the form it takes being only a detail.


  • Moderators, Entertainment Moderators Posts: 17,994 Mod ✭✭✭✭ixoy


    Reading the likes of The Register you'll see how often CVEs come out and how very difficult it can be to get on top of them. There are articles out there where you'll see that even those with a high threat score are still found in many places, including large corporations. While it may be a phishing attack, there are other vectors of attack too.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 50,078 CMod ✭✭✭✭magicbastarder


    Organisations can't simply roll patches out at the drop of a hat; we've had ongoing issues with patch quality from MS, for example.
    Actually, there was a good one recently: if you patched your Win10 1809 client to October 2020 level, and then upgraded to 1909 with a source WIM that was from September or earlier, it nuked your certs.

    Would have been a colossal disaster for us had we not caught it in testing. We'd have had to ask every affected user worldwide to call back into the office to fix it, probably.

    Edit: and that was *by design*. It was not a bug.


  • Registered Users, Registered Users 2 Posts: 695 ✭✭✭DaSilva


    growleaves wrote: »
    Only comprehensive totalitarianism can prevent non-traceable transactions from occurring.

    I consider the whole 'debate' around this disingenuous. Before the Patriot Act, large transactions were not monitored electronically.

    Cash has always existed. Tracing existing money would just lead to some new black market equivalent of cash - with the form it takes being only a detail.

    Nobody is arguing for prevention of all non-traceable transactions, because, like you say its basically impossible.

    What I am saying is that cryptocurrency has made this type of criminal activity much lower risk for the bad guys. If they had to collect a brief case of cash in some dark alley or accept a wire transfer to some bank account they would be at much greater risk of being caught than them simply supplying a random string of characters pointing to some digital wallet.


  • Registered Users, Registered Users 2 Posts: 40,511 ✭✭✭✭ohnonotgmail


    The HSE do monitor 24/7 which is why the network got shutdown at about 4am this morning
    Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection and enforce the use of Multi-Factor Authentication (MFA)

    Already done.

    Have the HSE not always had this enforced? I know they do for external contractors; do they not do it for their own staff?


  • Registered Users, Registered Users 2 Posts: 21,484 ✭✭✭✭Alun


    Usually they're not an obvious email. They'll be something that looks very believable.

    Unfortunately, some of this stuff isn't preventable at the human factors level.

    In this case this is very much a targeted attack. It's not likely to be simply a phishing expedition.

    Very true. As I mentioned earlier, these aren't always your typical Nigerian prince type emails. They're targeted, using information gleaned from various sources .. corporate websites, press releases, LinkedIn and Facebook profiles etc. and can look very believable.


  • Registered Users Posts: 26 Adelman of Beamfleot


    seamus wrote: »
    Suggestions that it could be Israeli after Coveney's criticism of Israel.

    Sounds outlandish, but the online arm of the IDF is semi-autonomous and incredibly petty and thin-skinned.

    Are you making these suggestions or was this reported somewhere?


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Have the HSE not always had this enforced? I know they do for external contractors; do they not do it for their own staff?

    I meant already done as in, this was done long ago, not in reaction to this incident.


  • Registered Users, Registered Users 2 Posts: 1,908 ✭✭✭zom


    fael wrote: »
    No, you won't because hiring you would cost money. Most companies hit badly by ransomware or a hack only start spending on IT after the fact.
    For accountants it makes 100% sense. You're not buying yourself a sandwich if you're not hungry ;)
    If you work in any security/maintenance system you've surely heard this before: "Why spend money if there is nothing happening?"


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 50,078 CMod ✭✭✭✭magicbastarder


    This is a good read for anyone interested in the topic in general; a history of information warfare.
    It explains things like the different approaches the Russians use (subtle and sly) compared to the Chinese and North Koreans (warehouses full of people trying to brute-force their way in, though their methods are becoming more crafty).

    https://www.irishtimes.com/culture/books/intercept-the-secret-history-of-computers-and-spies-by-gordon-corera-review-1.2518297


  • Registered Users, Registered Users 2 Posts: 15,474 ✭✭✭✭Supercell


    Just read up on the Conti ransomware that it's reported as being; what options do they really have here? Damned if they pay up and records are released/sold on and published anyhow, and damned if they don't and end up having to rebuild everything. I cannot see this being a quick fix.

    Have a weather station?, why not join the Ireland Weather Network - http://irelandweather.eu/



  • Registered Users Posts: 135 ✭✭sphinxicus



    To be honest, that they were able to shut down the network in the middle of the night really shows they have a robust incident response plan, and the HSE IT Teams should get praise, not have mud slung at them.


    Exactly this! Many companies running network monitoring/intrusion detection/prevention tools don't go to the trouble of ascertaining a healthy baseline image of their network traffic in the first place, which reduces the effectiveness of such tools in detecting a change from the norm.

    Also, I haven’t read anything stating this yet but the "breach" didn't have to have occurred last night. The actor could have had a foothold for a good deal of time within the network and it was only detected now. There could have been a steady flow of data trickling out of the network for a long time. The increasing use of encrypted traffic is a hindrance in detecting this kind of activity in this case. Fair play to them for noticing and acting.
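An added example of the baseline idea in that post (mine, not sphinxicus's, and not any product's logic): learn each host's normal daily outbound volume from a week of flow summaries, then flag a host whose volume on the day under review is far outside its own history, and list any destination it has never talked to before. The flow records, hostnames, IPs and the z-score threshold are all constructed or assumed for the illustration; in practice the summaries would come from NetFlow/IPFIX or firewall logs. Note that encrypted traffic does not defeat this check, because it only needs byte counts and destinations, which is the reason volume baselines are still useful when payload inspection is not.

```python
"""Added example, not from the thread: a per-host outbound-traffic baseline
with deviation and new-destination checks over constructed flow summaries.
Hostnames, IPs, byte counts and the z-score threshold are all assumptions."""
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed daily flow summaries: (day, src_host, dst_ip, bytes_out).
# Days 1-7 form the baseline window; day 8 is the day under review.
FLOWS: List[Tuple[int, str, str, int]] = []
for _day in range(1, 8):
    FLOWS.append((_day, "ws-01", "203.0.113.10", 50_000_000 + (_day % 3) * 1_000_000))
    FLOWS.append((_day, "ws-02", "203.0.113.10", 40_000_000 + (_day % 2) * 2_000_000))
    FLOWS.append((_day, "srv-db", "203.0.113.10", 5_000_000 + (_day % 3) * 100_000))
FLOWS += [
    (8, "ws-01", "203.0.113.10", 51_000_000),
    (8, "ws-02", "203.0.113.10", 42_000_000),
    (8, "srv-db", "203.0.113.10", 5_100_000),
    (8, "srv-db", "198.51.100.77", 400_000_000),  # database server sending to a never-seen host
]


def daily_totals(flows, days: Set[int]) -> Dict[str, Dict[int, int]]:
    """host -> day -> total outbound bytes, restricted to `days`."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        if day in days:
            totals[host][day] += nbytes
    return totals


def build_baseline(flows, baseline_days: Set[int]) -> Dict[str, Tuple[float, float]]:
    """host -> (mean, stdev) of daily outbound bytes over the baseline window."""
    baseline = {}
    for host, per_day in daily_totals(flows, baseline_days).items():
        values = [per_day.get(d, 0) for d in sorted(baseline_days)]  # a day with no flows counts as 0
        mean = statistics.fmean(values)
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        baseline[host] = (mean, stdev)
    return baseline


def destinations(flows, days: Set[int]) -> Dict[str, Set[str]]:
    """host -> set of destination IPs seen on `days`."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for day, host, dst, _nbytes in flows:
        if day in days:
            seen[host].add(dst)
    return seen


def flag_anomalies(flows, baseline_days: Set[int], day: int, z_threshold: float = 3.0) -> List[dict]:
    """Hosts whose outbound volume on `day` sits z_threshold or more standard
    deviations above their own baseline, annotated with destinations not seen
    during the baseline window."""
    baseline = build_baseline(flows, baseline_days)
    today = daily_totals(flows, {day})
    known_dsts = destinations(flows, baseline_days)
    today_dsts = destinations(flows, {day})
    findings = []
    for host, per_day in today.items():
        total = per_day.get(day, 0)
        mean, stdev = baseline.get(host, (0.0, 0.0))
        # Floor the spread so a near-constant baseline does not make every small blip a huge z-score.
        spread = max(stdev, 0.05 * mean, 1.0)
        z = (total - mean) / spread
        if z >= z_threshold:
            findings.append({
                "host": host,
                "bytes_today": total,
                "baseline_mean": round(mean),
                "z": round(z, 1),
                "new_destinations": sorted(today_dsts[host] - known_dsts.get(host, set())),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(FLOWS, set(range(1, 8)), 8):
        print(finding)
```

The workstations stay within their normal band on day 8 and produce nothing; the database server, which normally sends about 5 MB a day, is the only host flagged, and the new-destination list is what turns "more traffic than usual" into something an analyst can act on. A slow trickle spread over weeks would need the same comparison run against a longer window and per-destination, which is the kind of tuning the baseline makes possible in the first place.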


  • Registered Users Posts: 3 Insta234


    Sorry if this has been mentioned, but is this affecting GP practices?


  • Registered Users, Registered Users 2 Posts: 29,390 ✭✭✭✭AndrewJRenko


    fael wrote: »
    No, you won't because hiring you would cost money. Most companies hit badly by ransomware or a hack only start spending on IT after the fact.

    There is some basic stuff in the article I linked:
    What defenders can do
    There are some proactive steps you can take to enhance your IT security for the future, including:

    Monitor your network security 24/7 and be aware of the five early indicators an attacker is present to stop ransomware attacks before they launch
    Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection and enforce the use of Multi-Factor Authentication (MFA)
    Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies
    Keep regular backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline
    Prevent attackers from getting access to and disabling your security: choose an advanced solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights
    Remember, there is no single silver bullet for protection, and a layered, defence-in-depth security model is essential – extend it to all endpoints and servers and ensure they can share security-related data
    Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help.


    Just to make sure, I'm not saying you can protect yourself 100% from hacks. Apart from defending yourself from hacks, you also have to prepare for what you should do if you do get hacked. For example, don't just make backups. But also practice restoring your backups. And have both online and offline backups. Segment your network etc etc

    Are you suggesting that the HSE hasn't already taken all of these steps?


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Are you suggesting that the HSE hasn't already taken all of these steps?

    That's exactly what he's suggesting.

