NHS computer systems hacked!?

380 replies to this thread so far, with about 15 actually having useful info and 365 armchair experts arguing - Love You GD :D
 
Enterprise Windows can be set not to spy on you and you have a great deal of control over it. It's only we peons with Home and Professional that get spied on. And Professional only spies on you a little bit. ;)

Actually you can turn it all off in any version with a few hacks :)
 
Or with the right group policy templates, saves all the faff in the registry.

Nope, some of the group policy settings now only apply to enterprise version. E.g. you can't turn off the store in pro or lower any more :/

Microsoft snuck it in with an update a while ago.

You can still remove all the MS apps via powershell though I think, which is what I did.
 
Nissan in Sunderland and a Renault have stopped production at several sites after being infected.
 
Nope, some of the group policy settings now only apply to enterprise version. E.g. you can't turn off the store in pro or lower any more :/

Microsoft snuck it in with an update a while ago.

You can still remove all the MS apps via powershell though I think, which is what I did.

Correct, we updated 44 desktops to Win 10 pro, only for the update a week later to wipe out some of the group policy stuff.

Had to use Powershell to remove Store and all the useless **** that you don't need on a business machine.
 
So I was up till 2 last night on calls on how to deal with this. I know the backstory and it's not a targeted attack at all, some numpty has opened a link on an email, and the thing has spread over SMB.

The NHS is only impacted as much due to the different local systems. Had it been on a larger single system, such as MOD, DWP, etc, then there would be bigger issues.

Now to plan how to patch over 10K servers in a week

Coffee, lots of coffee

That's the way it goes :)

I'm involved in the patching this weekend :(

Nissan in Sunderland and a Renault have stopped production at several sites after being infected.

Sometimes I find it impossibly unreal thinking about it in the way you'd expect this from home users where it is actually the opposite. If this was me and your companies are exposed like this, I'd find it disgracefully embarrassing beyond levels one could comprehend.
 
So I was up till 2 last night on calls on how to deal with this. I know the backstory and it's not a targeted attack at all, some numpty has opened a link on an email, and the thing has spread over SMB.

The NHS is only impacted as much due to the different local systems. Had it been on a larger single system, such as MOD, DWP, etc, then there would be bigger issues.

Now to plan how to patch over 10K servers in a week

Coffee, lots of coffee

More to the point, why are these 10k servers not already running a patch that was available 2 months ago? Doesn't look very good.
 
I thought XP was out of service now?

It is, but given the impact Microsoft have released the patch. Unsure if anyone mentioned this already, but the exploits have been apparently known to the NSA for a while, and after they were breached the exploits were released. No doubt they tipped Microsoft off. Wouldn't surprise me either.

Problem with large scale IT, especially given the servers I look after, it's impossible to keep patches on top every month, it has to be a 2-4 month cycle unless something like this happens.
 
I don't think it was intentionally targeted at anything other than large corporations by the nature of its design - I suspect a botnet or similar just sat there pushing emails, sniffing for vulnerable machines and exploiting backdoors if and when opened when infections were successful to push further malware and largely acting autonomously.

I disagree. The fact that it asked for $300 to unlock a machine suggests it was a scattershot across small business and home users as much as it was larger companies. If you were specifically targeting a big business, I think you would come up with something more specific and with a "package deal" so to speak.
 
I disagree. The fact that it asked for $300 to unlock a machine suggests it was a scattershot across small business and home users as much as it was larger companies. If you were specifically targeting a big business, I think you would come up with something more specific and with a "package deal" so to speak.

The way it tries to spread inside networks, the specific implementation of backdoor once in and the setup to iterate through RDP connections suggests whoever packaged up this variant was looking mostly at bigger networks more than other setups - some kind of package deal would require targeting specific organisations directly with knowledge of how each one operated.

I suspect there is a degree of scattershot to it but a lot of it is crafted around trying to spread inside big networks once in.
 
Sometimes I find it impossibly unreal thinking about it in the way you'd expect this from home users where it is actually the opposite. If this was me and your companies are exposed like this, I'd find it disgracefully embarrassing beyond levels one could comprehend.

In my case business is BAU but we have many, many, thousands of Windows servers being patched this weekend. We do have a rolling quarterly patching program in place across all servers so a lot of the estate had probably been patched recently anyway. The activity today is to just identify and mop up any remaining servers. In my company's case (a large blue chip financial business) it's being dealt with extremely professionally and patching is always kept at a high priority.

I'm not aware of us being affected by it and this is purely precautionary.
 
In my case business is BAU but we have many, many, thousands of Windows servers being patched this weekend. We do have a rolling quarterly patching program in place across all servers so a lot of the estate had probably been patched recently anyway. The activity today is to just identify and mop up any remaining servers. In my company's case (a large blue chip financial business) it's being dealt with extremely professionally and patching is always kept at a high priority.

I'm not aware of us being affected by it and this is purely precautionary.

Somewhat ironically heads will likely roll after this because of people higher up in companies who don't understand the IT side of it with the consequence that likely experienced IT people will be replaced by "yes men" who are even less competent and in the future the next time this happens it will be even worse.
 
You do have to wonder if GCHQ was advised of EternalBlue before or after it was leaked by the NSA.
 