Ransomware & HSE

Comments

  • Registered Users Posts: 745 ✭✭✭ClosedAccountFuzzy


    Is there any way the CSO could just take over gathering vaccine and COVID data on their own systems?

    I don’t really see how it can be that complex to create a parallel system specifically for this.

    There’s an ongoing lack of public data that’s getting a bit concerning at this stage.


  • Registered Users Posts: 3,330 ✭✭✭radiospan


    ixoy wrote: »
    My guess is they got leaned on by someone or got worried they had gone a little too far. It could be:
    - Russia, not wanting the bad rep associated with crippling a health service. Private companies, fair game.
    - Worried about responses drawing down the wrath of international organisations be it Europol, FBI, etc. America is already pissed over the Colonial Pipeline hack and they might fear a pre-emptive strike against them.
    - Other gangs. Other gangs could fear the above and tell them, in their own assuredly polite way, to scale it back a bit so they can continue to ransomware other companies without the world coming down on them too heavily.

    We can be fairly confident it wasn't out of any sense of guilt, only to protect their own skin.

    Other gangs is surely a big part of it. Can't find the link to it now, but on the same morning the attack was announced here, another ransomware gang announced that attacks on healthcare systems are off-limits for their members.


  • Registered Users Posts: 3,609 ✭✭✭stoneill


    Just got a call there, apparently law enforcement are hunting me down for an unpaid bill.
    Number 0775298215


  • Registered Users Posts: 5,914 ✭✭✭JDxtra


    Yes, RTE really need to update their selection of videos. For years, they've been showing the same clips of someone doing a directory listing, an old network switch with flashing lights and a messy comms cabinet. Ooohhh, "hacking". It's like that Sandra Bullock movie The Net.


  • Registered Users Posts: 1,311 ✭✭✭nullObjects


    Any insight into what's taking so long to get the systems back up?

    From the bits and pieces I've heard it sounds kind of like they are trying to figure out how to stand up various bits and pieces of infrastructure rather than figure out how to stop the attack happening again (Could be miles off though)


  • Registered Users Posts: 19,854 ✭✭✭✭Donald Trump


    JDxtra wrote: »
    Yes, RTE really need to update their selection of videos. For years, they've been showing the same clips of someone doing a directory listing, an old network switch with flashing lights and a messy comms cabinet. Ooohhh, "hacking". It's like that Sandra Bullock movie The Net.




    Why? Who cares really? It's for the general public.



    I doubt there are too many people who work in proper IT security out there waiting, and depending, on Prime Time to do a deep technical coverage of any particular issue so that they can learn about it.




    (I don't work in IT or network security)


  • Registered Users Posts: 19,854 ✭✭✭✭Donald Trump


    Any insight into what's taking so long to get the systems back up?




    The lads only attended the morning session of the 1-day IT training course - "Turning it off and back on again"


  • Registered Users Posts: 2,109 ✭✭✭Glaceon


    Jeff2 wrote: »
    Rte news.

    Mario Paint Composer :D


  • Registered Users Posts: 3,254 ✭✭✭paul71


    stoneill wrote: »
    Just got a call there, apparently law enforcement are hunting me down for an unpaid bill.
    Number 0775298215

    Great fun to be had.

    You: Is this an official call?
    Him: Yes
    You: Is fearr liom Gaeilge a labhairt le do thoil


  • Registered Users Posts: 332 ✭✭MarkEadie


    It's going to happen again. The same with a pandemic. Although a cyber attack is much more likely. It's just a matter of when. What I would say is don't trust the HSE with your data. A couple of years ago I was asked by a doctor who took some pictures of me if he could put them on the HSE system so that other doctors could see it and they could make a diagnosis. They have to get your permission to do this. What followed was a 5 minute conversation where I explained that a cyber attack is an inevitability and I didn't want my data up there and he explained that it is a secure system. Thankfully I didn't relent and those pictures are not on the dark web. Others won't have been so lucky.


  • Registered Users Posts: 2,251 ✭✭✭speckle


    Some examples of how it is affecting people locally here still even with staff doing their best

    physio not able to print off physio exercises
    gp unable to use healthlink prescription IT service
    only urgent bloods done..issues getting results back
    some mri cancelled in hospitals
    surgery having to organise over phone appointments for important diagnostic tests etc etc


  • Registered Users Posts: 7,256 ✭✭✭plodder


    Any insight into what's taking so long to get the systems back up?

    From the bits and pieces I've heard it sounds kind of like they are trying to figure out how to stand up various bits and pieces of infrastructure rather than figure out how to stop the attack happening again (Could be miles off though)

    The COO of the HSE was on RTE Radio this morning. It all sounded a bit vague and breezy. Getting email back working seems to be a priority.


  • Registered Users Posts: 387 ✭✭RunningFlyer


    Family member had been due to get (non-urgent) blood test at GP last week. Was postponed last week and just heard it's been postponed again until next week. As a result, she is now getting anxious the longer she has to wait.

    Realistically, how long could she be waiting for this test? Does anyone know if the hospital labs will be accepting GP blood tests in the next few weeks (Dublin labs)? I've said to her to prepare that it could be end June/July before it will be done, unless her GP suddenly decides it's urgent.


  • Registered Users Posts: 5,914 ✭✭✭JDxtra


    plodder wrote: »
    The COO of the HSE was on RTE Radio this morning. It all sounded a bit vague and breezy. Getting email back working seems to be a priority.

    The lengthy recovery time shows me that the HSE did not have comprehensive IT disaster recovery procedures.

    Regardless of the type of disaster, core systems such as email should have been available within days. A virus/worm/cyber attack is a typical scenario that should have been planned for and tested.


  • Registered Users Posts: 4,037 ✭✭✭lukin


    The Conti gang have put an interesting message on their site this morning.
    They have samples of data they have stolen on it (for the purposes of attracting potential buyers) but there is nothing there that looks like it might be from the HSE.
    I don't want to quote the message exactly and I certainly won't put up the link.
    However it basically says if you are an organization that has been hacked and don't see any of the stuff that was stolen on the sample data that doesn't mean they have forgotten about it, it means they have sold it but did not put samples of it on the site.
    Seems like this was directed to the HSE.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    JDxtra wrote: »
    The lengthy recovery time shows me that the HSE did not have comprehensive IT disaster recovery procedures.

    Regardless of the type of disaster, core systems such as email should have been available within days. A virus/worm/cyber attack is a typical scenario that should have been planned for and tested.

    Thank you for sharing your 1990's experience.

    Bonus points for using the word cyber.


  • Registered Users Posts: 536 ✭✭✭mrjoneill


    JDxtra wrote: »
    The lengthy recovery time shows me that the HSE did not have comprehensive IT disaster recovery procedures.

    Regardless of the type of disaster, core systems such as email should have been available within days. A virus/worm/cyber attack is a typical scenario that should have been planned for and tested.

    Lessons will have to be learnt in isolating systems. There is no need for outside access to any internal hospital imaging and same for GP access to hospital referrals. They should be on a closed encrypted loop on dedicated lines. Should a hospital seek outside opinion on imagery it should be physically copied off the imaging sys database and consultation take place on another sys. The days of the much vaunted interoperability are over. Isolation and security is the new


  • Registered Users Posts: 2,545 ✭✭✭Martina1991


    Family member had been due to get (non-urgent) blood test at GP last week. Was postponed last week and just heard it's been postponed again until next week. As a result, she is now getting anxious the longer she has to wait.

    Realistically, how long could she be waiting for this test? Does anyone know if the hospital labs will be accepting GP blood tests in the next few weeks (Dublin labs)? I've said to her to prepare that it could be end June/July before it will be done, unless her GP suddenly decides it's urgent.

    If it's not urgent, she likely will be waiting until normal service has resumed.
    GPs can send urgent bloods to labs to be processed if they are critically urgent and a contact number is provided on the form.

    Normal service will resume when the HSE says it's safe to do so. Communication will likely come from Dr Colm Henry. Labs won't be able to give a definite answer and neither will GPs when this will happen.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    gctest50 wrote: »
    2002 called and said hi

    He’s right actually


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    plodder wrote: »
    Fair enough. If your setup uses client certificates for 802.1X layer 2 authentication for LAN and WLAN, then that's a good deterrent against people connecting unapproved hardware. If the client certs are just used at the regular TLS (over IP) level, then it stops people logging into the Windows domain, but it probably doesn't stop an unapproved laptop from getting an IP address and being able to poke around the network. In any case, I'd be surprised if large heterogeneous networks like the HSE's use client certificates everywhere.

    This kind of thing is all well and good for small organisations with limited type of devices connecting to a network, but client certificates aren't the answer.


  • Registered Users Posts: 81,220 ✭✭✭✭biko


    I wonder how many people know Windows 10 has ransomware protection built in, but it's not enabled.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    paul71 wrote: »
    LOL, so if you are over the age of 45 and ever used a pc run on MS-dos you are a hacker!
    I first used a pc that ran MS-dos in 1984, so I must be a major hacker and on Interpol's most wanted list.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    biko wrote: »
    I wonder how many people know Windows 10 has ransomware protection built in, but it's not enabled.

    Tell us more please.


  • Registered Users Posts: 12,262 ✭✭✭✭Flinty997




  • Registered Users Posts: 332 ✭✭MarkEadie


    skimpydoo wrote: »
    Tell us more please.

    Windows 10 protections don't matter if the hackers have zero day exploits. A zero day is an exploit that hasn't been found yet. Once it is found and assessed by Microsoft, a new Windows update is put out to fix it and that is then automatically downloaded. When Iran's nuclear facility was hacked and severely damaged (by the US many think), several zero day exploits were used. There is no defence against zero day exploits. As soon as a new version of Windows is released, I'd imagine black market cyber groups and state-level cyber groups immediately begin working for zero day exploits. Once found, they don't report them and continue to compile them. If the US/China etc don't have multiple zero day exploits sitting there I'd be very surprised. Some hacking groups must also have some.

    Another thing is the hackers can gain entry to the system through a simple means of someone clicking a link and then escalate their privileges to admin status which allows them control over the whole system anyway.

    Cyber attacks will continue to be an inevitability. There is much money to be made in them. Most companies just pay the ransom and say nothing. Look up Uber. They got fined millions for doing it.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    MarkEadie wrote: »
    Windows 10 protections don't matter if the hackers have zero day exploits. A zero day is an exploit that hasn't been found yet. Once it is found and assessed by Microsoft, a new Windows update is put out to fix it and that is then automatically downloaded. When Iran's nuclear facility was hacked and severely damaged (by the US many think), several zero day exploits were used. There is no defence against zero day exploits. As soon as a new version of Windows is released, I'd imagine black market cyber groups and state-level cyber groups immediately begin working for zero day exploits. Once found, they don't report them and continue to compile them. If the US/China etc don't have multiple zero day exploits sitting there I'd be very surprised. Some hacking groups must also have some.

    Another thing is the hackers can gain entry to the system through a simple means of someone clicking a link and then escalate their privileges to admin status which allows them control over the whole system anyway.

    Cyber attacks will continue to be an inevitability. There is much money to be made in them. Most companies just pay the ransom and say nothing. Look up Uber. They got fined millions for doing it.

    The Iranian nuclear facility attack was done by Israel. America had developed the worm that was used and Israel used it without telling the Americans.


  • Registered Users Posts: 81,220 ✭✭✭✭biko


    Nothing protects against zero-day. But it won't be a super hacker coming for your laptop, it'll be some kid in a basement looking to make an easy buck.
    Google the ransomware protection and use it.
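
The "ransomware protection" mentioned in the post above is assumed here to be Controlled folder access in Microsoft Defender, which ships with Windows 10 and is off by default. The PowerShell below is an added example, not part of the original thread; the folder and application paths in it are placeholders.

```powershell
# Added example: audit-first rollout of Controlled folder access (CFA).
# Run in an elevated PowerShell session; Microsoft Defender must be the active antivirus.

# Numeric values reported by Get-MpPreference for the CFA setting.
$cfaStates = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-CfaState {
    $raw = [int](Get-MpPreference).EnableControlledFolderAccess
    if ($cfaStates.ContainsKey($raw)) { $cfaStates[$raw] } else { "Other ($raw)" }
}

Write-Host "Controlled folder access is currently: $(Get-CfaState)"

# Step 1: start in audit mode, which logs what would be blocked
# without breaking any application.
if ((Get-CfaState) -eq 'Disabled') {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

# Optional: protect a folder beyond the built-in defaults (Documents, Pictures, ...).
# 'D:\PracticeData' is a placeholder path.
$extraFolder = 'D:\PracticeData'
if (Test-Path $extraFolder) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder
}

# Step 2: after a few days of normal use, review what CFA recorded.
# Event 1124 = write audited (audit mode), 1123 = write blocked (enforced).
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$cfaEvents | Select-Object TimeCreated, Id, Message | Format-List

# Step 3: allow-list the legitimate programs that appeared in the audit events,
# then switch to enforcement. The application path is a placeholder.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\TrustedApp.exe'
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running in audit mode first matters because enforcement blocks any unlisted program from writing to protected folders, which can include legitimate software.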


  • Registered Users Posts: 536 ✭✭✭mrjoneill


    If it's not urgent, she likely will be waiting until normal service has resumed.
    GPs can send urgent bloods to labs to be processed if they are critically urgent and a contact number is provided on the form.

    Normal service will resume when the HSE says it's safe to do so. Communication will likely come from Dr Colm Henry. Labs won't be able to give a definite answer and neither will GPs when this will happen.


    Serious issues have arisen in the past with telephone consultations. Systems have been put in place so there will be no mistakes. I recall one incident which had tragic result and a young 21yr old died as the result when the GP could not interpret the bloods as taken down by his secretary and the follow up hospital letter the GP claimed he never got. The patient died as the result of a treatable condition which the GP claimed he was not aware of the patient's condition and the hospital file had a sticky note which was not seen till after the patient's death when a review was being done of the patient to determine the cause of death. Without fail-safe sys mistakes will be made, that is what makes this attack on the health services most obnoxious.


  • Registered Users Posts: 536 ✭✭✭mrjoneill


    skimpydoo wrote: »
    The Iranian nuclear facility attack was done by Israel. America had developed the worm that was used and Israel used it without telling the Americans.

    That was even more sinister and this was code embedded in PLC sold on to the Iranians that ran their centrifuges used for nuclear enrichment that caused them to run to destruction.


  • Registered Users Posts: 536 ✭✭✭mrjoneill


    MarkEadie wrote: »
    Windows 10 protections don't matter if the hackers have zero day exploits. A zero day is an exploit that hasn't been found yet. Once it is found and assessed by Microsoft, a new Windows update is put out to fix it and that is then automatically downloaded. When Iran's nuclear facility was hacked and severely damaged (by the US many think), several zero day exploits were used. There is no defence against zero day exploits. As soon as a new version of Windows is released, I'd imagine black market cyber groups and state-level cyber groups immediately begin working for zero day exploits. Once found, they don't report them and continue to compile them. If the US/China etc don't have multiple zero day exploits sitting there I'd be very surprised. Some hacking groups must also have some.

    Another thing is the hackers can gain entry to the system through a simple means of someone clicking a link and then escalate their privileges to admin status which allows them control over the whole system anyway.

    Cyber attacks will continue to be an inevitability. There is much money to be made in them. Most companies just pay the ransom and say nothing. Look up Uber. They got fined millions for doing it.


    As I wrote earlier I notice my own laptop running Windows 10 is doing a weekly or more upgrade. Once it was rare, a few times a year. We have to start thinking beyond the box as the malware output is keeping up to speed with the patches

