NHS computer systems hacked!?

Somewhat ironically, heads will likely roll after this because of people higher up in companies who don't understand the IT side of it, with the consequence that experienced IT people will likely be replaced by "yes men" who are even less competent, and the next time this happens it will be even worse.

The true sign of madness.
 
The way it tries to spread inside networks, the specific implementation of the backdoor once in, and the setup to iterate through RDP connections suggest whoever packaged up this variant was looking mostly at bigger networks more than other setups. Some kind of package deal would require targeting specific organisations directly with knowledge of how each one operated.

I suspect there is a degree of scattershot to it but a lot of it is crafted around trying to spread inside big networks once in.

It's exploiting SMB v1.0, so it could be anything from SOHO to large scale. It doesn't need to target anything specific; just latch onto a file share, for example, and it spreads.
 
It's exploiting SMB v1.0, so it could be anything from SOHO to large scale. It doesn't need to target anything specific; just latch onto a file share, for example, and it spreads.

That is just one aspect of how it works, though. The overall package seems to have been crafted with the end goal of getting inside larger networks.

I'll repost Caged's link from before for those that might have missed it and are still catching up:

This is all straying a bit far away from discussion on the issue and into the realm of armchair-CIOs or just plain incorrect assumptions being made. Have a read through this page and the linked Twitter feeds/Tweets if you're interested on a technical level.

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
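
The posts above describe the worm's behaviour on the inside of a network: one host opening SMB (TCP/445) to many neighbours in a short time, with RDP (3389) as a second path. That pattern is visible in the Windows Firewall log on each host. The script below is an added example, not code from the thread or from the linked gist: it parses pfirewall.log lines and flags any source that reached many distinct peers on a watched port. The log lines in it are constructed samples, and the threshold of ten targets is an assumption to tune for your own network.

```powershell
# Added example, not code from the thread or the linked gist: spot worm-style
# lateral movement in Windows Firewall logs
# (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, logging must be enabled).
# An SMB worm on one host opens TCP/445 to many distinct neighbours in seconds;
# a normal workstation talks to a handful of servers repeatedly.
# Windows PowerShell 3 or later; the log lines below are constructed samples.

function ConvertFrom-FirewallLog {
    # Parse pfirewall.log lines: date time action protocol src-ip dst-ip src-port dst-port ...
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line -or $line.StartsWith('#')) { continue }   # skip header and blank lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        [pscustomobject]@{
            Time    = $f[0] + ' ' + $f[1]
            Action  = $f[2]
            Proto   = $f[3]
            Src     = $f[4]
            Dst     = $f[5]
            DstPort = [int]$f[7]
        }
    }
}

function Find-ScanningHosts {
    # Return sources that reached at least $MinTargets distinct peers on any watched port.
    param(
        [string[]]$Lines,
        [int[]]$WatchPorts = @(445, 3389),   # SMB and RDP, the two spread paths discussed above
        [int]$MinTargets = 10                # assumed threshold; tune it for your network
    )
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.Proto -eq 'TCP' -and $_.DstPort -in $WatchPorts } |
        Group-Object Src, DstPort |
        ForEach-Object {
            $targets = @($_.Group | Select-Object -ExpandProperty Dst | Sort-Object -Unique)
            if ($targets.Count -ge $MinTargets) {
                [pscustomobject]@{
                    Source          = $_.Group[0].Src
                    DstPort         = $_.Group[0].DstPort
                    DistinctTargets = $targets.Count
                    FirstSeen       = $_.Group[0].Time
                }
            }
        }
}

# Constructed sample: 10.0.0.5 sweeps sixteen neighbours on 445 within seconds (worm);
# 10.0.0.7 only ever talks to its file server 10.0.0.10 (normal traffic).
$sample = @(
    20..35 | ForEach-Object {
        "2017-05-12 14:03:$(10 + $_ - 20) DROP TCP 10.0.0.5 10.0.0.$_ $(49000 + $_) 445 52 S 0 0 0 - - - RECEIVE"
    }
    1..6 | ForEach-Object {
        "2017-05-12 14:04:0$_ ALLOW TCP 10.0.0.7 10.0.0.10 $(50000 + $_) 445 52 S 0 0 0 - - - RECEIVE"
    }
)

# Expected: one row, Source 10.0.0.5, DstPort 445, DistinctTargets 16; 10.0.0.7 is not reported.
Find-ScanningHosts -Lines $sample | Format-Table -AutoSize

# Against a live log on a host:
# Find-ScanningHosts -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Note that only dropped or allowed connections that the host firewall logs are counted, so the check is only as good as the logging configuration on each machine; a DROP-heavy sweep from a single source is exactly what an internal segmentation policy of the kind described later in this thread produces, and it is worth alerting on.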
 
So these hackers have infected Chinese, Russian, US and UK government institutions, banks and businesses. Whelp, I'd hate to be the guy who got caught for this.
 
Not sure if it's affected other hospitals but it has attacked German rail operators!

They swapped most of our epos and other customer/public facing systems to some variant of Linux (I think Arch Linux but not 100% on that) due to a mixture of this kind of thing and that they were being upgraded from XP and Windows 10 was just tragically bad in that kind of role.

So these hackers have infected Chinese, Russian, US and UK government institutions, banks and businesses. Whelp, I'd hate to be the guy who got caught for this.

Do have to wonder if it was some kiddie who completely wasn't expecting this level of attention from it :s though more likely it was somewhere along the lines of a semi-state sponsored act by a group - past stuff has often been linked back to operators with links to North Korea, etc.
 
So these hackers have infected Chinese, Russian, US and UK government institutions, banks and businesses. Whelp, I'd hate to be the guy who got caught for this.

Given the amateur implementation of the ransomware itself, I think it's extremely likely he will be.
 
A truly Global outbreak it seems - we got the below from our security consultants.

As most will be aware, a large global malware attack took place yesterday affecting a large number of organisations around the world. Initially it was viewed in the media as a targeted attack against the UK's National Health Service/healthcare, but as of this morning (13th May) at least 120,000 hosts have been infected worldwide across 90+ countries, affecting organisations across all industries.

Nate
 
What is everyone here using to protect their servers and desktop systems?

We've got something with MSP but it's rubbish.

Got the following

2003 server
2012 R2 server
2016 server
Windows 10 desktops
 
Somewhat ironically, heads will likely roll after this because of people higher up in companies who don't understand the IT side of it, with the consequence that experienced IT people will likely be replaced by "yes men" who are even less competent, and the next time this happens it will be even worse.
You've lost me. I don't understand your point. We have a highly professional and competent ongoing BAU patching process across all of our global datacentres. We also have processes in place to handle events such as this without business impact. I'm not quite sure why heads would roll for having some of the best industry standards in place around it.
 
What is everyone here using to protect their servers and desktop systems?

We've got something with MSP but it's rubbish.

Got the following

2003 server
2012 R2 server
2016 server
Windows 10 desktops

Mostly I concentrate on firewalling rather than relying on patching, etc. too much: keeping systems as locked down internally from talking to each other except as they need to, and NAT/firewalling on the router side to limit external exposure. Plus offline backups to be able to recover from.

You've lost me. I don't understand your point. We have a highly professional and competent ongoing BAU patching process across all of our global datacentres. We also have processes in place to handle events such as this without business impact. I'm not quite sure why heads would roll for having some of the best industry standards in place around it.

Typically after high-profile incidents like this, upper management look for scapegoats, which will likely be higher-level IT people, especially if it can avoid calling into question their own lack of willingness to invest in keeping systems up to date, etc. I wasn't talking specifically about where you work, which might have a different culture entirely.
 
So these hackers have infected Chinese, Russian, US and UK government institutions, banks and businesses. Whelp, I'd hate to be the guy who got caught for this.

Yea whoever did it is probably ******** themselves right now. I say leave him to the Russians :D

They probably already have some "tea" ready for him.
 
It appears to have been customised for compromising corporations like the NHS but not specifically targeting the NHS or medical facilities, etc.; it probably wouldn't take much imagination, though, to know it would do that.

On the one hand I think it was almost accidental it played out at such a scale in one go but on the other I almost get the feeling it was a large scale attack masking a more specific target (not the NHS) possibly utilities infrastructure or military/intelligence.

I think an analogy would be a small terrorist group getting hold of state-level weapons. The NSA has a small stockpile of undocumented vulnerabilities. Sometimes they even instruct vendors not to close these vulnerabilities because they are using them. Recently a group calling themselves the Shadow Brokers (n.b. I'm not making any of this up; it's all generally accepted stuff) leaked a number of these exploits. If I recall correctly they originally tried to auction them off, but I could be wrong. In any case, they went out into the wild, and this seems to be a case of someone using one of those exploits for criminal purposes.
 
What is everyone here using to protect their servers and desktop systems?

We've got something with MSP but it's rubbish.

Got the following

2003 server
2012 R2 server
2016 server
Windows 10 desktops

I just double-checked my AV was checking for defs daily and then installed the MS patch to contain it if a worst-case scenario was to occur.
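
Two of the answers to the question above, keeping hosts from talking to each other except where needed and installing the MS patch, can be checked and applied from PowerShell on the 2012 R2, 2016 and Windows 10 machines listed. The script below is an added example, not code from either poster: it reports whether one of the MS17-010 hotfixes is installed, reports and then disables SMBv1, and scopes the host firewall so TCP/445 is reachable only from one subnet and cannot be reached on the internet. The subnet 10.10.0.0/24 and the rule names are assumptions. It does not apply to the 2003 server in the list: Server 2003 cannot run without SMBv1 and has none of these cmdlets, so for that box the only options are the network firewall and isolation.

```powershell
# Added example, not code from either poster above: audit and reduce a Windows
# host's exposure to the SMBv1 exploit discussed in this thread. Run elevated on
# Windows 8 / Server 2012 or newer (needs the SmbShare and NetSecurity modules).
# Server 2003 has none of these cmdlets and cannot run without SMBv1, so for it
# the only options are the network firewall and removal from the network.
#Requires -RunAsAdministrator

# Assumption: the only subnet that should reach this host on TCP/445.
$AllowedSmbSubnet = '10.10.0.0/24'

# MS17-010 hotfix IDs by OS version (security-only and monthly rollup where both
# exist), as listed in the March 2017 bulletin. On Windows 10 / Server 2016 any
# later cumulative update supersedes these, so a miss there is not proof of exposure.
$Ms17010 = @{
    '6.0'  = @('KB4012598')                            # Vista / Server 2008
    '6.1'  = @('KB4012212', 'KB4012215')               # Win7 / Server 2008 R2
    '6.2'  = @('KB4012214', 'KB4012217')               # Win8 / Server 2012
    '6.3'  = @('KB4012213', 'KB4012216')               # Win8.1 / Server 2012 R2
    '10.0' = @('KB4012606', 'KB4013198', 'KB4013429')  # Win10 1507 / 1511 / 1607 and Server 2016
}

function Test-Ms17010Installed {
    # $true if one of the MS17-010 hotfixes for this OS version is present.
    $v = [version](Get-CimInstance Win32_OperatingSystem).Version
    $kbs = $Ms17010["$($v.Major).$($v.Minor)"]
    if (-not $kbs) { Write-Warning "No KB list for OS version $v; check the bulletin manually"; return $false }
    $null -ne (Get-HotFix -Id $kbs -ErrorAction SilentlyContinue)
}

function Get-Smb1State {
    # $true when the SMBv1 server protocol is still switched on.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn SMBv1 off now, then remove the component so it cannot be re-enabled by accident.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null         # Server 2012 R2 and later
    } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null  # Win8.1 / Win10 clients
    }
}

function Set-SmbFirewallScope {
    # Default-deny inbound, switch off the broad built-in SMB allow rules, allow 445
    # only from the subnet that needs it, and stop this host reaching 445 on the internet.
    param([string]$Subnet)
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -Enabled False
    if (-not (Get-NetFirewallRule -DisplayName 'SMB-In allowed subnet' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'SMB-In allowed subnet' -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $Subnet -Action Allow | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName 'SMB-Out block internet' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'SMB-Out block internet' -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block | Out-Null
    }
}

# Audit first, then harden, then confirm.
"MS17-010 present  : $(Test-Ms17010Installed)"
"SMBv1 enabled     : $(Get-Smb1State)"
Disable-Smb1
Set-SmbFirewallScope -Subnet $AllowedSmbSubnet
"SMBv1 enabled now : $(Get-Smb1State)"
```

Before running Disable-Smb1 across a fleet, check what still depends on SMBv1 (old multifunction printers scanning to a share, legacy NAS boxes, and any remaining 2003 or XP machines will stop talking to the host), and treat the firewall scope as a per-host belt-and-braces measure on top of, not instead of, the router-side blocking of 445 from the internet already mentioned in the thread.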
 
I think an analogy would be a small terrorist group getting hold of state-level weapons. The NSA has a small stockpile of undocumented vulnerabilities. Sometimes they even instruct vendors not to close these vulnerabilities because they are using them. Recently a group calling themselves the Shadow Brokers (n.b. I'm not making any of this up; it's all generally accepted stuff) leaked a number of these exploits. If I recall correctly they originally tried to auction them off, but I could be wrong. In any case, they went out into the wild, and this seems to be a case of someone using one of those exploits for criminal purposes.

It's documented in the link Caged posted and the links in the thread in the Windows section, plus the wiki for EternalBlue.
 
What is everyone here using to protect their servers and desktop systems?

We've got something with MSP but it's rubbish.

Got the following

2003 server
2012 R2 server
2016 server
Windows 10 desktops

The two top-scoring AV providers in terms of successfully detecting malware are usually Trend Micro and Kaspersky. I personally use Kaspersky because they're much more than an antivirus vendor. Kaspersky Labs are the ones that cracked the Equation Group's malware (Equation Group == NSA) and originally tracked down Stuxnet. They are world class in this field. Plus, US intelligence agencies have their fingers in Western software products, whereas the Russians have no motive to assist the NSA. (And if anyone suggests they're in bed with the Kremlin, well, they may or may not be (though I'm aware of no evidence), but I'm a lot less worried about the authorities in a foreign country than I am in my own; that's just the logic of proximity.)
 