
Ransomware & HSE


Comments

  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,552 Admin ✭✭✭✭✭Beasty


    BattleCorp wrote: »
    Except it's not free. It's taxpayers money. And the consequence is that other people will miss out on medical treatment because there is less money to fund it.

    I'd bet they'd be the type of people to complain about waiting lists etc.
    Not only is it not free, but substantial amounts would be directed from the taxpayer to the legal profession


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    plodder wrote: »
    That might be reasonable policy. Can it be enforced though? Can they even detect if someone plugs their own PC/equipment into the network in the office?

    I know some places will protect wifi networks with systems like SecureW2, but the wired networks are completely open, depending on physical building security, and people obeying the rules. But, rules are often bent, exceptions made etc.

    Not in our case - doesn't matter what you plug into the wired connection - if the device hasn't been imaged with the right set up, incl certificates - it won't be able to login to the network.
    Not really. A user may have no admin rights on their local device, but if they've got a group/sectional network file-share open with read/write access to tens of thousands of files, then it's open-season for ransomware.
    They have r/w access, but the code to take control of the r/w access and do some damage still needs to get on the local device. So if the user has no admin rights, and can't download executable files or install browser plug-ins, how does the code get onto the local device?
    People tend to over-complicate these attacks. 50% of them are all about social-engineering. In the original 'Wannacry' attack I witnessed, the user received a very convincing email from Eircom regarding their account.
    I'm still struggling to see how the link clicked does harm, if the user is restricted and doesn't have admin rights.
    Wombatman wrote: »
    They usually enter using phished credentials or via malware that enables command-and-control.

    Once in they can use an attack like this to bypass user account control.

    https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2/

    OK, I get that phished credentials could work, though that would require at a minimum two phases of attack - one to phish the credentials and then a second phase to use those credentials.

    Malware that executes command and control - would this require an unpatched Windows issue or something to allow the malware to be downloaded?

    That description of the UAC bypass attack is interesting, though is stretching my technical understanding. The first thing that strikes me is that blocking Dropbox would prevent it getting through. I thought that most corporates wouldn't allow unrestricted access to Dropbox these days?


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    dingding wrote: »
    MAC address access can be enforced at switch level. It can be set up so that the first device plugged in is the only MAC address it will allow. Plugging in anything else will not be allowed through the network.
    Going oldschool I see and not all that effective. I think 802.1x is what you are looking for, preferably with certs, but that can take a bit of work.


  • Registered Users Posts: 2,109 ✭✭✭Glaceon


    Not in our case - doesn't matter what you plug into the wired connection - if the device hasn't been imaged with the right set up, incl certificates - it won't be able to login to the network.


    They have r/w access, but the code to take control of the r/w access and do some damage still needs to get on the local device. So if the user has no admin rights, and can't download executable files or install browser plug-ins, how does the code get onto the local device?

    I'm still struggling to see how the link clicked does harm, if the user is restricted and doesn't have admin rights.



    OK, I get that phished credentials could work, though that would require at a minimum two phases of attack - one to phish the credentials and then a second phase to use those credentials.

    Malware that executes command and control - would this require an unpatched Windows issue or something to allow the malware to be downloaded?

    That description of the UAC bypass attack is interesting, though is stretching my technical understanding. The first thing that strikes me is that blocking Dropbox would prevent it getting through. I thought that most corporates wouldn't allow unrestricted access to Dropbox these days?
    In a lot of cases they don’t need admin rights. The ransomware can encrypt anything that the user does have access to, such as on shared drives.


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    Glaceon wrote: »
    In a lot of cases they don’t need admin rights. The ransomware can encrypt anything that the user does have access to, such as on shared drives.

    But how does it download and run without admin rights?

    The standard user can't download an exe or a dll or install anything or add a browser plug-in.

    So where is the code that runs to encrypt?


  • Registered Users Posts: 3,567 ✭✭✭swampgas


    A great book on zero day exploits is "This Is How They Tell Me The World Ends - The Cyber Weapons Arms Race" which was published in February. It's by Nicole Perlroth, the New York Times cybersecurity reporter. [**Edit** I'm not saying there was a 0day used in the HSE attack.]

    It's a dirty, dirty business.

    https://www.amazon.com/This-They-Tell-World-Ends/dp/1635576059


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    But how does it download and run without admin rights?

    The standard user can't download an exe or a dll or install anything or add a browser plug-in.

    So where is the code that runs to encrypt?
    In a default Windows install, a standard user can download and run executable code no problem, it's just limited to only being able to have access to whatever the user has access to. Ransomware doesn't need to 'install' to be able to encrypt all the (local and remote) user files, it only really needs to escalate if it wants to spread to other machines the user doesn't have access to.


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    Blowfish wrote: »
    In a default Windows install, a standard user can download and run executable code no problem, it's just limited to only being able to have access to whatever the user has access to. Ransomware doesn't need to 'install' to be able to encrypt all the (local and remote) user files, it only really needs to escalate if it wants to spread to other machines the user doesn't have access to.

    Not in most corporate environments, surely? Don't most systems block downloading and running of executable code as a fairly standard measure? How can the business stand over corporate licensing if every employee can download whatever they like on their device?


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 8,501 CMod ✭✭✭✭Sierra Oscar


    What's going on folks... have the hackers given up, or why haven't they carried out their threat of dumping the data?

    Doubt they'll dump it. More lucrative to sell the data.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    But how does it download and run without admin rights?

    The standard user can't download an exe or a dll or install anything or add a browser plug-in.

    So where is the code that runs to encrypt?
    Temp folder, AppData etc. are writeable by non-admin users. A few malware families use vulnerabilities in unpatched browsers.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    What's going on folks... have the hackers given up, or why haven't they carried out their threat of dumping the data?
    It is unusual - a group like this would be very aware of their "reputation". When they say they are going to dump data they usually follow through, so that future victims know they are serious.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    Not in most corporate environments, surely? Don't most systems block downloading and running of executable code as a fairly standard measure? How can the business stand over corporate licensing if every employee can download whatever they like on their device?
    Pretty much anything that requires a corporate paid license will require 'installing', which is indeed normally blocked for non-admins. You can run code without installing as a non admin though.


  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    hmmm wrote: »
    It is unusual - a group like this would be very aware of their "reputation". When they say they are going to dump data they usually follow through, so that future victims know they are serious.


    Our lads must have sabotaged their systems in St Petersburg.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Doubt they'll dump it. More lucrative to sell the data.

    For what?
    What exactly is so valuable about the data from the HSE that it is worth walking away from 20 m?


  • Registered Users Posts: 1,952 ✭✭✭kravmaga


    The question I have is why would the hackers provide the key without a ransom being paid by the HSE?

    My mother, who is in her late 70s, received a letter in the post to pay a bill for €35 for a blood test she had in the Mater Private in Feb 2021.

    She has VHI so the bill was already covered under her plan with VHI.

    The letter was a photocopy and not from the hospital itself, from another medical billing company which I can't mention for legal reasons.

    It was franked post, no postage stamp on the letter.

    All very suspect, she has reported it to the local Garda station and the Medical Billing Company based in Dublin 16.


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    kravmaga wrote: »
    The question I have is why would the hackers provide the key without a ransom being paid by the HSE?
    My guess is they got leaned on by someone or got worried they had gone a little too far. It could be:
    - Russia, not wanting the bad rep associated with crippling a health service. Private companies, fair game.
    - Worried about responses drawing down the wrath of international organisations be it Europol, FBI, etc. America is already pissed over the Colonial Pipeline hack and they might fear a pre-emptive strike against them.
    - Other gangs. Other gangs could fear the above and tell them, in their own assuredly polite way, to scale it back a bit so they can continue to ransomware other companies without the world coming down on them too heavily.

    We can be fairly confident it wasn't out of any sense of guilt, only to protect their own skin.


  • Registered Users Posts: 1,952 ✭✭✭kravmaga


    ixoy wrote: »
    My guess is they got leaned on by someone or got worried they had gone a little too far. It could be:
    - Russia, not wanting the bad rep associated with crippling a health service. Private companies, fair game.
    - Worried about responses drawing down the wrath of international organisations be it Europol, FBI, etc. America is already pissed over the Colonial Pipeline hack and they might fear a pre-emptive strike against them.
    - Other gangs. Other gangs could fear the above and tell them, in their own assuredly polite way, to scale it back a bit so they can continue to ransomware other companies without the world coming down on them too heavily.

    We can be fairly confident it wasn't out of any sense of guilt, only to protect their own skin.

    Okay, thanks for the information. That said, do you think the Russian hackers have sold the data on the dark web to hackers based here in Ireland?


  • Registered Users Posts: 29,115 ✭✭✭✭AndrewJRenko


    Blowfish wrote: »
    Pretty much anything that requires a corporate paid license will require 'installing', which is indeed normally blocked for non-admins. You can run code without installing as a non admin though.
    hmmm wrote: »
    Temp folder, AppData etc. are writeable by non-admin users. A few malware families use vulnerabilities in unpatched browsers.

    The folders may be writable, but wouldn't the firewall generally block any downloading of an executable? Maybe our own place is particularly strict, but any such downloads have been blocked for me for years now?


  • Registered Users Posts: 7,417 ✭✭✭MrMusician18


    They also may have sold the data and the group(s) that have it want to keep a monopoly over it.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    The folders may be writable, but wouldn't the firewall generally block any downloading of an executable? Maybe our own place is particularly strict, but any such downloads have been blocked for me for years now?
    Executables as in .exe files, sure, they'd often be blocked. Not all files that can contain executable code are .exe though, some of the more obvious examples being macros in Excel or Word documents, HTML/JavaScript files, .scr screensavers, HTML Help files etc. All of which I've seen plenty of malware in, and that doesn't even get into obfuscation like putting them in encrypted zip files etc. to make them harder to spot.
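The point made in this post, that blocking .exe downloads is not the same as blocking executable content, is the one a mail or web gateway filter has to encode. What follows is an added example written for this thread, not code posted by anyone here and not anything used by the HSE: a small attachment-triage routine that classifies files by the extensions Windows will execute or that can carry macros, looks inside zip archives (including nested ones), and refuses encrypted archives it cannot inspect. The extension sets, the size cap, and the constructed sample attachments are assumptions for illustration; the "encrypted" zip fixture only has its flag bit set by hand so the check can be exercised offline.

```python
"""Attachment triage: catch executable content that is not a plain .exe.

Added example for this thread (not any poster's or the HSE's code). The
extension sets, size cap and sample attachments below are constructed for
illustration and should be tuned to a real mail/web gateway policy.
"""
import io
import zipfile
from dataclasses import dataclass

# Formats Windows will run directly, or that embed macros/script, and that an
# ".exe only" download block does not touch (scripts, HTA, CHM, .scr, macro
# enabled Office files, disk images that mount on double-click).
EXECUTABLE_EXTS = {
    "exe", "dll", "scr", "com", "pif", "cpl", "msi", "msp", "lnk",
    "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "chm",
    "docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "ppam", "iso", "img", "vhd",
}
# Legacy Office formats can hold VBA but are common in business mail: review.
REVIEW_EXTS = {"doc", "xls", "ppt", "rtf"}
ARCHIVE_EXTS = {"zip"}
ZIP_ENCRYPTED = 0x1            # general-purpose flag bit 0 (zip APPNOTE)
MAX_MEMBER_BYTES = 50 * 2**20  # assumed cap against decompression bombs


@dataclass
class Verdict:
    name: str
    action: str   # "block", "review" or "allow"
    reason: str


def extension(name: str) -> str:
    """Last suffix, lowercased; 'invoice.pdf.js' -> 'js' (double extensions)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(name: str, data: bytes) -> Verdict:
    """Classify one attachment by type, descending into zip archives."""
    ext = extension(name)
    if ext in EXECUTABLE_EXTS:
        return Verdict(name, "block", f".{ext} can carry executable code")
    if ext in REVIEW_EXTS:
        return Verdict(name, "review", f"legacy .{ext} may contain macros")
    if ext in ARCHIVE_EXTS:
        return triage_zip(name, data)
    return Verdict(name, "allow", "no executable content type")


def triage_zip(name: str, data: bytes) -> Verdict:
    """Inspect every member; block what cannot be inspected or is executable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(name, "block", "malformed zip")
    with zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_ENCRYPTED:
                # Cannot be inspected; the classic "password is in the email" lure.
                return Verdict(name, "block", f"encrypted member {info.filename}")
            if info.file_size > MAX_MEMBER_BYTES:
                return Verdict(name, "block", f"oversized member {info.filename}")
            inner = triage(info.filename, zf.read(info))   # recurses into nested zips
            if inner.action != "allow":
                return Verdict(name, inner.action, f"member {inner.name}: {inner.reason}")
    return Verdict(name, "allow", "zip with no executable members")


def build_zip(members: dict, fake_encrypted: bool = False) -> bytes:
    """Constructed fixture: in-memory zip; optionally set the encryption flag in
    every central-directory header so triage sees 'encrypted'. The payload is
    not really encrypted; this only exercises the flag check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    data = bytearray(buf.getvalue())
    if fake_encrypted:
        sig = b"PK\x01\x02"                 # central directory file header signature
        pos = data.find(sig)
        while pos != -1:
            data[pos + 8] |= ZIP_ENCRYPTED  # flags field sits 8 bytes past the signature
            pos = data.find(sig, pos + 4)
    return bytes(data)


SAMPLE_ATTACHMENTS = {   # constructed, not real samples
    "eircom_bill_may.pdf": b"%PDF-1.4 ...",
    "eircom_bill_may.pdf.js": b"new ActiveXObject('WScript.Shell')",
    "invoice.docm": b"PK..vbaProject.bin",
    "Q2_figures.xlsx": b"PK..workbook.xml",
    "scan.zip": build_zip({"scan.pdf.scr": b"MZ..."}),
    "secure.zip": build_zip({"statement.pdf": b"%PDF-1.4"}, fake_encrypted=True),
    "photos.zip": build_zip({"a.jpg": b"\xff\xd8\xff",
                             "more.zip": build_zip({"run.hta": b"<script>"})}),
}


def triage_mail(attachments: dict) -> dict:
    """Map attachment name -> action for a whole message."""
    return {n: triage(n, d).action for n, d in attachments.items()}


if __name__ == "__main__":
    for n, d in SAMPLE_ATTACHMENTS.items():
        v = triage(n, d)
        print(f"{v.action:6} {n}: {v.reason}")
```

Run it and only the plain PDF and the .xlsx are allowed; the double-extension .js, the macro-enabled .docm, the .scr hidden in a zip, the nested zip carrying an .hta, and the encrypted zip are all blocked. The design choice worth noting is that an archive the gateway cannot open is treated as hostile rather than passed through, because that is exactly the case the obfuscation is built for.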


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    kravmaga wrote: »
    Okay, thanks for the information. That said, do you think the Russian hackers have sold the data on the dark web to hackers based here in Ireland?
    Such data, alas, could be of interest to anyone globally. You don't need to be based in Ireland to abuse the data these days.
    The threat of releasing the data also points me towards no ransom being paid.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    ixoy wrote: »
    Such data, alas, could be of interest to anyone globally. You don't need to be based in Ireland to abuse the data these days.
    The threat of releasing the data also points me towards no ransom being paid.

    Who would be interested in the data, and why?
    They also may have sold the data and the group(s) that have it want to keep a monopoly over it.

    For what? What are they going to do with it?


  • Registered Users Posts: 8,184 ✭✭✭riclad


    Data can be sold to anyone who might want it. For instance, ID theft is easier if you have someone's name, address, PPS no., phone no., email address. Irish people could be receiving random texts or bills from fake websites in a few weeks, or maybe phishing emails based on the data from the HSE hack.

    Remember people received texts a few months ago pretending to be from an Irish bank and they were scammed. It's easier to scam someone when you have their name, address etc.

    I don't think there's any hacker groups based in Ireland. They are based in Russia or other countries where they are safe from arrest and they are hard to trace.

    The data could be used in social engineering hacks on Irish companies. It could be used for years in the future. Or the data could be just posted on a forum for anyone to use for future hacks. Anyone who ever used the services of the HSE will be named in this data, including politicians, celebrities etc.

    There's a cold war going on. Russia is quite happy to protect hackers.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    riclad wrote: »
    Data can be sold to anyone who might want it. For instance, ID theft is easier if you have someone's name, address, PPS no., phone no., email address. Irish people could be receiving random texts or bills from fake websites in a few weeks, or maybe phishing emails based on the data from the HSE hack.

    Remember people received texts a few months ago pretending to be from an Irish bank and they were scammed. It's easier to scam someone when you have their name, address etc.

    I don't think there's any hacker groups based in Ireland. They are based in Russia or other countries where they are safe from arrest and they are hard to trace.

    The data could be used in social engineering hacks on Irish companies. It could be used for years in the future. Or the data could be just posted on a forum for anyone to use for future hacks. Anyone who ever used the services of the HSE will be named in this data, including politicians, celebrities etc.

    There's a cold war going on. Russia is quite happy to protect hackers.

    Maybe but is that worth more than 20 million?

    Sending a few texts to people and hoping they click on it. Or a couple of dodgy emails

    What fake bills are they going to send? Ones from the HSE after the entire World knows it was hacked?

    So what are the hackers going to do, ring up a celebrity and say they have information on them? So? Most would see something like this as a boost on their career. As well the hackers have already lost all face by not getting the ransom and still bending over.

    Why exactly will someone in Russia care if Tubs has an ingrown toenail?
    Ireland isn't a superpower, we are a tiny island in the Atlantic which, if you ask most Russians, they wouldn't be able to find on a map.

    Sorry I don’t get the data will be sold for millions in the black market. You can probably get the majority of it for free from social media


  • Registered Users Posts: 7,090 ✭✭✭Jeff2


    The other day RTE News, while talking about the hacking, ran a command prompt C:\ dir from Kim and Mario's PC as if that was hacking.

    Now on Prime Time they have a computer expert on, named as a security researcher called Calm, who tells everyone how to download the file the hackers used.

    Unbelievable.


  • Registered Users Posts: 7,090 ✭✭✭Jeff2


    Rte news.



  • Registered Users Posts: 3,254 ✭✭✭paul71


    Jeff2 wrote: »
    The other day RTE News, while talking about the hacking, ran a command prompt C:\ dir from Kim and Mario's PC as if that was hacking.

    Now on Prime Time they have a computer expert on, named as a security researcher called Calm, who tells everyone how to download the file the hackers used.

    Unbelievable.

    LOL, so if you are over the age of 45 and ever used a PC running MS-DOS you are a hacker!


  • Posts: 0 [Deleted User]


    paul71 wrote: »
    LOL, so if you are over the age of 45 and ever used a PC running MS-DOS you are a hacker!

    :D


  • Registered Users Posts: 7,256 ✭✭✭plodder


    Not in our case - doesn't matter what you plug into the wired connection - if the device hasn't been imaged with the right set up, incl certificates - it won't be able to login to the network.
    Fair enough. If your setup uses client certificates for 802.1X layer 2 authentication for LAN and WLAN, then that's a good deterrent against people connecting unapproved hardware. If the client certs are just used at the regular TLS (over IP) level, then it stops people logging into the Windows domain, but it probably doesn't stop an unapproved laptop from getting an IP address and being able to poke around the network. In any case, I'd be surprised if large heterogeneous networks like the HSE's use client certificates everywhere.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Jeff2 wrote: »
    The other day RTE News, while talking about the hacking, ran a command prompt C:\ dir from Kim and Mario's PC as if that was hacking.

    Now on Prime Time they have a computer expert on, named as a security researcher called Calm, who tells everyone how to download the file the hackers used.

    Unbelievable.

    He was probably one of the Cyber consultants HSE had in

