NHS computer systems hacked!?

Man of Honour
Joined
20 Sep 2006
Posts
33,883
Is it the worm embedded into a DocX file that opens regardless of macro settings?

We have application control as well so highly unlikely to get attacked.
 
Soldato
Joined
26 May 2009
Posts
22,100
Patched or not - you forget that you still have to be stupid enough to open the attachment on these emails.
You're thinking of the older spam emails containing ransomware attachments like "notavirus.pdf.exe", this attack is regarding a worm that can install itself via Windows security flaws leaked by the NSA. The patches being discussed fix the flaw.
 
Soldato
Joined
17 Jul 2008
Posts
7,367
You're thinking of the older spam emails containing ransomware attachments like "notavirus.pdf.exe", this attack is regarding a worm that can install itself via Windows security flaws leaked by the NSA. The patches being discussed fix the flaw.

I bet it came in via email; once in, it can then spread via the network / exploit.
 
Soldato
Joined
17 May 2004
Posts
4,128
Location
Home
Patched or not - you forget that you still have to be stupid enough to open the attachment on these emails. In a home you have the small % users opening the attachment and infecting their machine and limited to probably 1 device. In a corporate environment you have a lot of users and it only takes one fool to open it to infect their machine and the malware will then try to infect other machines on the network or shared drives which is a much easier propagation of the malware.

This particular program infects machines using port 139 or port 445 and exploits a vulnerability within Windows. It doesn't work the same as the other CryptoLocker variants that have been out there recently. Because of the Windows vulnerability, unless you're specifically patched to protect you against it, you'll get it and all other PCs within the network will as well if not patched. It isn't necessarily down to a single person opening up an email.
 
Soldato
Joined
26 May 2009
Posts
22,100
Because of the Windows vulnerability, unless you're specifically patched to protect you against it, you'll get it and all other PCs within the network will as well if not patched.
And as with other ransomware it has the headache that an unpatched computer can wreak havoc on a patched computer/server if it has network access to a shared drive/folder.
 
Soldato
Joined
30 Nov 2007
Posts
2,989
Location
Bristol, UK
This particular program infects machines using port 139 or port 445 and exploits a vulnerability within Windows. It doesn't work the same as the other CryptoLocker variants that have been out there recently. Because of the Windows vulnerability, unless you're specifically patched to protect you against it, you'll get it and all other PCs within the network will as well if not patched. It isn't necessarily down to a single person opening up an email.

I agree; once the worm is running on a network machine it opens up 137/445 connections to other hosts and, if they are vulnerable, will infect them. To activate the code someone or something needed to have run the attachment; once that's done it's a free-for-all on a network. A simple firewall would block 137/445 inbound connections from the Internet by default, so it needed to be transported inside an organisation (via email) and executed from within to be able to spread.
 
Man of Honour
Joined
20 Sep 2006
Posts
33,883
You can close ports 139 / 445 on your router / firewall instead of closing them in Windows.
The whole point that a lot of people seem to be missing is that once you are past the firewall/router, you can pretty much do what you want if the OS is not secure.
 
Soldato
Joined
17 May 2004
Posts
4,128
Location
Home
I agree; once the worm is running on a network machine it opens up 137/445 connections to other hosts and, if they are vulnerable, will infect them. To activate the code someone or something needed to have run the attachment; once that's done it's a free-for-all on a network. A simple firewall would block 137/445 inbound connections from the Internet by default, so it needed to be transported inside an organisation (via email) and executed from within to be able to spread.

Nobody knows that for sure right now. There's been talk of multiple ways that this has got into these networks. Some have said it was a direct attack on specific targeted IP ranges and routers vulnerable on ports 139 and 445 have let it through. There has been mention that it spread via email. There have been other things discussed at the moment. We don't know a whole lot about how it's actually out there entering systems right now, only that it specifically exploits a vulnerability within Windows.

For me personally, I'm inclined to go with the IP-targeted attack, specifically using port 139 or 445 on the routers to get into a network and spread the infection. Someone earlier mentioned that over 500 000 routers tested with a port scan have these open, so that's a very viable way of starting this off. It wouldn't surprise me if most networks haven't been secured against this.
 
Soldato
Joined
17 May 2004
Posts
4,128
Location
Home
You can close ports 139 / 445 on your router / firewall instead of closing them in Windows.

This won't stop PCs from responding on those port numbers from internal requests though, because the router won't be responsible for handling these requests. The router will only block these requests from the outside. So if one of your internal PCs is already compromised, and your other PCs aren't patched against the exploit, they'll be infected as well. Your only protection in this case would be to have the patch on from MS to prevent infection.
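The point made in this post and in the earlier ones about ports 139/445 is that the router only filters traffic from outside: any internal host still answering on the SMB ports is reachable by an already-compromised peer, so patching is what actually protects it. The script below is an added example, not code from this thread or from any of its posters: it inventories which hosts on a network you administer still accept connections on 139/445, so that list can be checked against patch status. The loopback listener in `demo()` is a constructed stand-in for an unpatched host so the check runs offline; the host list, `SMB_PORTS` and the function names are all assumptions for this example.

```python
"""Added example (not from the thread): find which hosts on the local network
still accept connections on the SMB ports discussed (139/445). Those hosts are
reachable from an infected internal peer no matter what the router blocks, so
they are the ones whose patch level has to be verified.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORTS = (139, 445)  # the ports named in the thread (assumed defaults)


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def smb_exposure(hosts, ports=SMB_PORTS, timeout=0.5, workers=32):
    """Map each host to the subset of `ports` that accepted a connection.

    Probes run in parallel; result order follows the input order, so the
    per-host port lists are deterministic.
    """
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: (hp, port_open(*hp, timeout)), pairs))
    exposure = {h: [] for h in hosts}
    for (h, p), is_open in results:
        if is_open:
            exposure[h].append(p)
    return exposure


def report(exposure):
    """Render one line per host: either 'closed' or the open SMB ports."""
    lines = []
    for host, open_ports in sorted(exposure.items()):
        status = "EXPOSED " + ",".join(map(str, open_ports)) if open_ports else "closed"
        lines.append(f"{host:<16} {status}")
    return lines


def demo():
    """Offline self-check with constructed data: a loopback listener stands in
    for an unpatched host, and a port that was just released stands in for a
    host with SMB closed. Returns the ports used and the exposure map."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)  # kernel completes the handshake; no accept() needed
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so the connect is refused

    try:
        exposure = smb_exposure(["127.0.0.1"], ports=(open_port, closed_port))
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "exposure": exposure}


if __name__ == "__main__":
    # Real use: replace the demo with smb_exposure(<addresses of your own LAN hosts>)
    for line in report(demo()["exposure"]):
        print(line)
```

Point `smb_exposure` at the address list of the LAN you manage and cross-check every `EXPOSED` host against its Windows Update status; a host that shows as `closed` internally (host firewall or SMB disabled) is the one case where the router argument in the quoted post does not apply.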
 
Soldato
Joined
1 Dec 2004
Posts
22,367
Location
S.Wales
I have received an email into my gmail account with a ZIP attachment, be careful people! Have warned people on facebook etc.

Email sender was a307192503 (at) 163.com which is confirmed on google as a known ransomware email sender/domain

Email was:

"Dear Darren
Statement: EZXXXXXXXXXXX" where XX Random numbers
My home address was listed

a 4 digit passcode


Sincerely
Arcelia Barnault"

and obviously the ZIP file attached


Went straight in the bin
 
Soldato
Joined
22 Nov 2006
Posts
23,299
This won't stop PCs from responding on those port numbers from internal requests though, because the router won't be responsible for handling these requests. The router will only block these requests from the outside. So if one of your internal PCs is already compromised, and your other PCs aren't patched against the exploit, they'll be infected as well. Your only protection in this case would be to have the patch on from MS to prevent infection.

If you have a proper firewall it will stop it sending out :)
 
Soldato
Joined
17 May 2004
Posts
4,128
Location
Home
If you have a proper firewall it will stop it sending out :)

By ethernet port or VLANs, sure, but most people don't have switches and firewalls that are capable of this sort of configuration. I'm focusing more toward the masses of home users or small businesses. Most that I deal with don't have any managed devices unfortunately. It would be so much easier if they did though!
 
V F

Soldato
Joined
13 Aug 2003
Posts
21,184
Location
UK
This won't stop PCs from responding on those port numbers from internal requests though, because the router won't be responsible for handling these requests. The router will only block these requests from the outside. So if one of your internal PCs is already compromised, and your other PCs aren't patched against the exploit, they'll be infected as well. Your only protection in this case would be to have the patch on from MS to prevent infection.

You can still be infected if some numpty opens the email even if it's patched. Granted it won't spread, but you'll still be done.
 
Soldato
Joined
27 Feb 2003
Posts
7,171
Location
Shropshire
I have received an email into my gmail account with a ZIP attachment, be careful people! Have warned people on facebook etc.

Is there anyone left to warn?

If people still open strange e-mails with attachments after the amount of press coverage over the weekend, they are just too plain stupid to be allowed a PC.
 
Soldato
Joined
1 Dec 2004
Posts
22,367
Location
S.Wales
Is there anyone left to warn?

If people still open strange e-mails with attachments after the amount of press coverage over the weekend, they are just too plain stupid to be allowed a PC.

Probably not, but you never know; there are some people out there that will do stupid things :p
 