
Ransomware & HSE


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    The Dept of health was referred to as Angola. Maybe we could refer to the HSE as Russia and the hackers might leave it alone.


  • Registered Users Posts: 9,416 ✭✭✭Cluedo Monopoly


    What are they doing in the Hyacinth House?



  • Registered Users Posts: 2,251 ✭✭✭speckle


    Pops_20 wrote: »
    I'm sure the malware uses a more advanced method to check that.
    In fact it probably just uses the Windows APIs RegOpenKeyA and RegGetValueA to check the registry key "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language" and to get the value of it.

    The value will tell the malware the default language on the system and if it's set to Russian the code will just exit there.

    However the Conti Ransomware is human operated to an extent, so they're probably already on the target system, and if not, they can use other methods to make sure it's not a Russian system :)

    Have everything as Gaeilge instead? :D

    As of today locally... on a more serious note, GP still having problems with outpatient appts/referrals/blood tests today here. Scans/X-ray transfer of info in hospitals or to GP... Healthlink sending prescriptions to pharmacist OK. Most work done by phone... only urgent bloods... internal computers OK.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    plodder wrote: »
    That's shocking. It has to involve multiple systems that aren't supported or maintained and they aren't able to restore them from backups. So, they have to purchase new systems from scratch. At least, I can't imagine how they could burn that much money just on consultant's fees. There needs to be a serious enquiry into this and explanation for the disaster.
    I'm sure there are some systems in there, but I wouldn't be surprised to see 20 to 30 million spent on consultancy fees. The incident response people involved do not come cheap, but are worth every penny. Unfortunately they are not miracle workers however, so while they might figure out how the hackers got in they won't be able to wave a magic wand and make all the vulnerabilities disappear.

    Security is a bit like growing a garden, you build it over time & it takes a while for the results to appear.


  • Registered Users Posts: 35,074 ✭✭✭✭Hotblack Desiato


    Specialun wrote: »
    It's about time Ireland take cyber security seriously. Even start with looking to increase knowledge with current staff and looking to bring in more younger talent.

    Ageist, much?
    Why don't the gov pay for courses but as part of this you have to work with the gov in a cyber security role for x amount of years?

    The Defence Forces do this with pilots, etc. But they can imprison you if you don't turn up for duty... you can't do this with civilians.

    Recruitment and retention are huge issues in public sector IT but this has been the case for at least 30 years and nothing whatsoever has been done about it.

    © 1982 Sinclair Research Ltd



  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Ageist, much?



    The Defence Forces do this with pilots, etc. But they can imprison you if you don't turn up for duty... you can't do this with civilians.

    Recruitment and retention are huge issues in public sector IT but this has been the case for at least 30 years and nothing whatsoever has been done about it.

    Yet the HSE currently has no open positions in cyber security


  • Registered Users Posts: 7,256 ✭✭✭plodder


    hmmm wrote: »
    I'm sure there are some systems in there, but I wouldn't be surprised to see 20 to 30 million spent on consultancy fees. The incident response people involved do not come cheap, but are worth every penny. Unfortunately they are not miracle workers however, so while they might figure out how the hackers got in they won't be able to wave a magic wand and make all the vulnerabilities disappear.
    Having to call in incident response people is an admission of failure though. It remains to be seen where the problems are exactly and it wouldn't surprise me if a lot of it goes into a redesign of their networks so that applications are better isolated from each other. Maybe they will move some of it to the cloud/Azure. Who knows? They could spend a lot on that type of consultancy.

    But, they need to get systems back running now and I find it hard to understand why they are so reluctant to switch some of the recovered systems back on. What could be worse than the situation we are in? Over time, they can fix the problems and I'm sure there are some measures they can take to harden the network and limit access to it immediately.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    hmmm wrote: »
    I'm sure there are some systems in there, but I wouldn't be surprised to see 20 to 30 million spent on consultancy fees. The incident response people involved do not come cheap, but are worth every penny. Unfortunately they are not miracle workers however, so while they might figure out how the hackers got in they won't be able to wave a magic wand and make all the vulnerabilities disappear.

    Security is a bit like growing a garden, you build it over time & it takes a while for the results to appear.

    You have a couple of basics in security, so I would say it is more like a house. Get the foundation right and build on it. Hence why you should have a security assessment.

    Two of the very basics are vulnerability management and EDR. Based on the information so far, these are the two areas which the HSE have failed on.

    Doesn't matter how many billion you sink into the HSE if they can't patch.

    Plus the HSE should already have an incident response contract in place. They should have released a tender and let everyone bid for it, yes they don't come cheap but they are a lot cheaper if it is an RFP, not when you rock up at their door on a Friday morning with the whole HSE shut down.


  • Registered Users Posts: 3,319 ✭✭✭davo2001


    Software updates and patches not applied, no access restrictions applied, not even changing default credentials of certain storage devices, no LAN segmentation whatsoever, local admin accounts used by non-IT staff.

    A total **** show from bottom to top. From what we have seen, a certain department in a hospital has lost everything.


  • Registered Users Posts: 7,417 ✭✭✭MrMusician18


    davo2001 wrote: »
    Our company were contacted by the HSE as they use some of our equipment for storage, we've been trying to help for the last few days.

    I cannot go into too much detail for obvious reasons but based on my experience working with HSE IT staff over the last few days I'm not surprised this happened.

    Software updates and patches not applied, no access restrictions applied, not even changing default credentials of certain storage devices, no LAN segmentation whatsoever, local admin accounts used by non-IT staff.

    A total **** show from bottom to top. From what we have seen, a certain department in a hospital has lost everything.

    I hope you're treating the people trying to fix it with some charity. The last thing they need is "tut tutting, ah jaysus I told you so's" right now. There will be plenty of time for that afterwards.


  • Registered Users Posts: 3,319 ✭✭✭davo2001


    I hope you're treating the people trying to fix it with some charity. The last thing they need is "tut tutting, ah jaysus I told you so's" right now. There will be plenty of time for that afterwards.

    Yes, we rubbed their backs and told them everything will be ok :rolleyes:


  • Registered Users Posts: 115 ✭✭topdecko


    Any idea of a timeline for development of some basic level of function? COVID and this have crippled our healthcare system. HSE are not giving a timeline at all as to resumption of services but rather bland platitudes. I expect reduced service in hospitals will go on for months??


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    ineedeuro wrote: »
    It's a shambles the whole thing. But sure people here will tell you that nobody is to blame :-)

    Then again if we were told we'd have to pay 2% extra in taxes to pay for a proper upgrade we'd be out on the streets protesting. FFS we couldn't even raise money to upgrade our water system without every gobshyte and his mother in hi vis jackets out marching!


  • Registered Users Posts: 7,417 ✭✭✭MrMusician18


    davo2001 wrote: »
    Yes, we rubbed their backs and told them everything will be ok :rolleyes:

    There's nothing worse than when a captain hindsight comes in and tells you what you should've done when you're trying to fix a problem. It's actually infuriating. They'll already know what should've been done and wasn't.

    It's not about telling people "it will all be ok", especially when it won't be. It's about being solutions orientated. Telling them that "omg I can't believe you bunch of amateurs had the username and password as admin and admin" really doesn't help and during a crisis is not the time for that advice.


  • Registered Users Posts: 3,319 ✭✭✭davo2001


    There's nothing worse than when a captain hindsight comes in and tells you what you should've done when you're trying to fix a problem. It's actually infuriating. They'll already know what should've been done and wasn't.

    It's not about telling people "it will all be ok", especially when it won't be. It's about being solutions orientated. Telling them that "omg I can't believe you bunch of amateurs had the username and password as admin and admin" really doesn't help and during a crisis is not the time for that advice.

    It's not my job to point fingers, nor is it my job to try and make them feel better, we are professionals and are dealing with it as such. It doesn't mitigate my personal feelings about their lack of competence.


  • Registered Users Posts: 338 ✭✭XVII


    davo2001 wrote: »
    Our company were contacted by the HSE as they use some of our equipment for storage, we've been trying to help for the last few days.

    I cannot go into too much detail for obvious reasons but based on my experience working with HSE IT staff over the last few days I'm not surprised this happened.

    Software updates and patches not applied, no access restrictions applied, not even changing default credentials of certain storage devices, no LAN segmentation whatsoever, local admin accounts used by non-IT staff.

    A total **** show from bottom to top. From what we have seen, a certain department in a hospital has lost everything.

    not surprising to hear this at all.


  • Registered Users Posts: 7,417 ✭✭✭MrMusician18


    davo2001 wrote: »
    It's not my job to point fingers, nor is it my job to try and make them feel better, we are professionals and are dealing with it as such. It doesn't mitigate my personal feelings about their lack of competence.

    It's not particularly professional to be posting about what you're seeing through work on a public forum tbh.


  • Registered Users Posts: 1,869 ✭✭✭Happyilylost


    topdecko wrote:
    Any idea of a timeline for development of some basic level of function? COVID and this have crippled our healthcare system. HSE are not giving a timeline at all as to resumption of services but rather bland platitudes. I expect reduced service in hospitals will go on for months??


    GUH should be back fully operational Monday or Tuesday. The odd local system here and there still not back but for the main majority has come back online over the last two days.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    I hope you're treating the people trying to fix it with some charity. The last thing they need is "tut tutting, ah jaysus I told you so's" right now. There will be plenty of time for that afterwards.

    Now is the exact time to tell them. Otherwise everything will continue as is


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    davo2001 wrote: »
    Our company were contacted by the HSE as they use some of our equipment for storage, we've been trying to help for the last few days.

    I cannot go into too much detail for obvious reasons but based on my experience working with HSE IT staff over the last few days I'm not surprised this happened.

    Software updates and patches not applied, no access restrictions applied, not even changing default credentials of certain storage devices, no LAN segmentation whatsoever, local admin accounts used by non-IT staff.

    A total **** show from bottom to top. From what we have seen, a certain department in a hospital has lost everything.

    Yet we have people on here making excuses for them and saying it wasn't their fault.
    You don't need to earn 200k a year to know to patch your servers.


  • Registered Users Posts: 7,417 ✭✭✭MrMusician18


    ineedeuro wrote: »
    Now is the exact time to tell them. Otherwise everything will continue as is

    Ah yes captain hindsights offering pearls of wisdom to the lowly technicians they're working alongside will stop this from happening again. :rolleyes:


  • Registered Users Posts: 273 ✭✭rosiem


    GUH should be back fully operational Monday or Tuesday. The odd local system here and there still not back but for the main majority has come back online over the last two days.

    Do you have any idea about the system for registration of deaths? I have been told today that the application I made 6 weeks ago is stuck in the system and nothing can be done until back online. Without death certificate I am unable to cancel utilities etc. so am having to continue paying for them.


  • Registered Users Posts: 9,416 ✭✭✭Cluedo Monopoly


    It's not particularly professional to be posting about what you're seeing through work on a public forum tbh.

    Oh please. Quit the virtue signalling.

    What are they doing in the Hyacinth House?



  • Registered Users Posts: 7,688 ✭✭✭whippet


    davo2001 wrote: »
    Our company were contacted by the HSE as they use some of our equipment for storage, we've been trying to help for the last few days.

    I cannot go into too much detail for obvious reasons but based on my experience working with HSE IT staff over the last few days I'm not surprised this happened.

    Software updates and patches not applied, no access restrictions applied, not even changing default credentials of certain storage devices, no LAN segmentation whatsoever, local admin accounts used by non-IT staff.

    A total **** show from bottom to top. From what we have seen, a certain department in a hospital has lost everything.

    I’m working in the IT arena also - have been involved in some similar recovery projects although not the HSE ... If my employer saw a message like that from me on a public message board I’d have my P45 in my hand fairly sharpish.


  • Registered Users Posts: 7,417 ✭✭✭MrMusician18


    Oh please. Quit the virtue signalling.

    Virtue signalling? There is nothing particularly virtuous about pointing out that it's very annoying to have some captain hindsight come in and tell you what you did wrong when they are there to help you fix an issue during a crisis. Nor is it particularly virtuous to tell someone it's quite unprofessional to go blathering on an internet forum about the issues an identified client is suffering.


  • Registered Users Posts: 1,341 ✭✭✭SPDUB


    RTE reporting info of 520 patients posted online last week

    https://www.rte.ie/news/2021/0528/1224527-cyber-attack-hse/
    ...."and can confirm it is HSE data relating to approx 520 patients, as well as some corporate documents. The data includes sensitive patient data, minutes of meetings and correspondence with patients."


  • Registered Users Posts: 7,417 ✭✭✭MrMusician18


    520 records leaked last week.

    Appears to be the initial sample data set leaked to prove that the attackers were serious.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    SPDUB wrote: »
    RTE reporting info of 520 patients posted online last week

    https://www.rte.ie/news/2021/0528/1224527-cyber-attack-hse/

    No more details than the headline yet

    It’s good of the HSE to tell everyone a week after it happens

    Are people still saying the HSE could do nothing? Just shows the HSE and government don’t give a s**t, cover up job going on and people patting them on the back while they do it


  • Registered Users Posts: 5,993 ✭✭✭Cordell


    davo2001 wrote: »
    It's not my job to point fingers, nor is it my job to try and make them feel better, we are professionals and are dealing with it as such. It doesn't mitigate my personal feelings about their lack of competence.

    True professionals have no "personal feelings", and certainly they don't vent them on public forums.


  • Registered Users Posts: 82,819 ✭✭✭✭Atlantic Dawn


    Bad, bad, feckers releasing the patient data.

