
The HSE hack

  • 10-12-2021 7:02pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    The HSE IT system attack appears to have started at a ‘Patient Zero workstation’ on 18.03.2021. This was the entry point to the entire HSE network for the malware. If the door was closed (i.e. this workstation was operating as an ordinary user), the HSE would not have been subject to the attack, and could continue to operate along its dysfunctional merry way.

    Was that workstation being used with an admin login? If so, why? If it was being used by an ordinary (i.e. restricted) user, no programs (including malware) could have been installed on the workstation.

    How many workstations and PCs and other devices are running with an admin login on a routine basis in the HSE?

    How many PCs and workstations in Europe are regularly used with an admin login? In companies, homes, banks and other government agencies? People give over PII to others, and expect (naively) that it will be kept in a secure manner. Many/most people buy a computer, set up a single user ID on it and continue to use that admin account for day-to-day surfing and email etc. Every computer needs at least two IDs – one with ordinary rights and one with admin rights.

    (Having said that, I notice that the Google Chrome browser manages to keep itself up to date without asking for the admin password to install the update. While Brave uses the same platform, it asks for an admin password to run an update. Which suggests to me that Google seems to have hacked the Windows and macOS authentication control system. Which is concerning.)

    In my view the PwC report* does not put sufficient emphasis of matter on this simple issue.

    * https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf




Comments

  • Registered Users, Registered Users 2 Posts: 69,412 ✭✭✭✭L1011


    A vast amount of medical software is Very Very Old and the suppliers insist on local admin rights rather than fix it. Proper setups would isolate these and use App-V, AppStream or equivalents, but we can see from this report that the word proper does not vaguely describe the HSE's IT.

    Chrome's updater has permissions to modify its own files, granted when first installed. Plenty of software is now able to update itself without needing new admin auth. Office, Adobe CS, etc etc.





  • I’m not sure why you think if there was no admin privileges the virus would have simply just hung out on that one machine?

    That PC connected to the HSE network via Ethernet (I assume), therefore it had no need to be running admin privileges because it was already connected to the entire network, which I imagine it has to be in order to operate properly.

    As far as I’m aware the HSE doesn’t store sensitive data locally on machines, so simply accessing some records would immediately open the entire network to the malware contained on that one machine. Malware also doesn’t have to be a program or .exe.

    tl;dr

    admin or not makes no difference.



  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    There has to be an entry point for the malware. In this case it seems to be something related to an Excel spreadsheet link - which, when clicked on, ran a program, and this was an email attachment. If the operator of the PC/workstation in question was using an ordinary account (and Excel was properly set up not to run macros), the initial door-opening event would not have taken place. How would the malware get to other nodes on the system?

    While I don't wish to digress from the issue of computers being negligently run in admin mode in most places, there are email vetting services which detonate email attachments in a sandbox, and only let emails with clean attachments be delivered to the user. While malware does not have to be a file ending in *.exe, 99% of it will not run without admin account access.

    The workstation in question was the backdoor / entry point. If the O/S was doing its job (which is another question, with the HSE negligently using Windows 8), and if the workstation was used in non-admin mode, it should keep out all but a fraction of a per cent of attacks. The fact that it may have been connected to the entire network is a different issue. A weakness in the workstation setup - probably use of an admin account - allowed the virus into the network, which then allowed the malware to replicate across the network. The first line of defence was broken.
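    The two workstation conditions argued over in this thread (is the day-to-day session running as admin, and is Excel configured not to run macros) can be checked rather than guessed. The audit script below is an added example, not code from any poster or from the PwC report; it is read-only, and the Office `16.0` registry segment and the policy paths it checks are assumptions for Office 2016/2019/365 (adjust for other versions).

```powershell
# Read-only audit of the workstation settings discussed above.
# Assumptions: Windows 10+ (for Get-LocalGroupMember), Office 16.0 registry layout.

function Test-IsElevated {
    # True when this PowerShell session itself holds the Administrator role
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Who can become admin on this box at all (ordinary users should not appear here)
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}

function Get-UacState {
    # EnableLUA = 0 means UAC is off, so an admin account gets no elevation prompt
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'unknown' } elseif ($v.EnableLUA -eq 1) { 'enabled' } else { 'DISABLED' }
}

function Get-ExcelMacroPolicy {
    # VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # A Group Policy value (Policies hive) overrides the user's own Trust Center setting.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Excel\Security',
        'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Excel\Security',
        'HKCU:\SOFTWARE\Microsoft\Office\16.0\Excel\Security'
    )
    $meaning = @{ 1 = 'enable all (unsafe)'; 2 = 'disable with notification (user can still click Enable)';
                  3 = 'disable except signed'; 4 = 'disable all without notification' }
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $v) { return "$($meaning[[int]$v.VBAWarnings]) (set in $p)" }
    }
    'not set: Office default applies (disable with notification)'
}

"Session elevated:   $(Test-IsElevated)"
"UAC (EnableLUA):    $(Get-UacState)"
"Excel macro policy: $(Get-ExcelMacroPolicy)"
"Local Administrators group:"
Get-LocalAdminMembers | Format-Table -AutoSize
```

    A workstation that reports `Session elevated: True` for a routine user, `UAC DISABLED`, or a macro policy of 1 or 2 has the door open in exactly the sense the posts above describe; a value of 3 or 4 pushed by policy is what "properly set up not to run macros" looks like in the registry.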



  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    While some medical applications may be old (one might question why?), there is nothing to stop them from being isolated with non-admin rights, and why aren't their network connections routed over servers using the latest patched software? I.e. firewalled off the main network.

    Are you, for example, posting to boards.ie tonight using a device ID with super-user privileges?



  • Registered Users, Registered Users 2 Posts: 1,739 ✭✭✭tnegun


    Anyone asking how this happened to the HSE has no real-world experience of operating IT infrastructure of any scale or complexity let alone anything resembling the complexity of the HSE.



  • Registered Users, Registered Users 2 Posts: 69,412 ✭✭✭✭L1011


    I said they shouldn't have been running them locally.

    When I posted earlier, no, Android phone with normal permissions so no superuser

    Right now, yes, Win10 machine as local admin with UAC turned off. But I made those decisions myself.



  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    They say a little knowledge is a dangerous thing. The OP is a very good example.



  • Posts: 0 Dax Spicy Risk


    Has anyone any real idea how (outside e.g. Revenue) the public service operates its IT systems? Having macros disabled on Excel? Laugh out loud! In my own experience in an organisation of 150 people there is zero level of sophistication in the operation of systems. It is clerical-type staff like myself who were “trained up” in a couple of IPA courses and handed some folders with notes for Unix commands, sent on some advanced Excel courses etc, but there was not the likes of systematic disabling of macros. Any staff member thought to be “handy with tech” was asked would they volunteer into the role of admin, given admin / super-user privileges, simply because there was no dedicated expertise employed. Whilst there seems to have been some dedicated people employed in the HSE, I think they were/are spread thinly on the ground and not overseeing everything. Small local authorities etc just train enthusiastic people a bit in-house to do these duties alongside their other duties.

    This model of operating is very clearly outdated, but budgets are yet to be updated to fulfil modern cybersecurity needs.



  • Posts: 0 Dax Spicy Risk


    I’ve just panic-sold all my Cisco at a small profit. Very nervous of it atm, huge numbers of products at potential risk.



  • Registered Users, Registered Users 2 Posts: 3,592 ✭✭✭pah


    OP likes to rant about infosec issues that appear to enrage them. No idea what their actual qualifications or experience are.


