NHS computer systems hacked!?

It's documented in the link Caged posted and the links in the thread in the Windows section, plus the wiki for EternalBlue.

Thanks. I felt I needed to put the caveat in because people outside this field are still (for some reason) inclined to think such statements are tinfoil hat sometimes. "The Shadow Brokers" sounds like something from a Tom Clancy novel, but that is what they call themselves.
 
I'm curious as to the use of that domain as a killswitch - probably completely science fiction but I wonder if there could be any ulterior motive for getting people to utilise that domain either internally or registering it, etc. but I can't see one.

Not that I can think of. If they created the domain internally by just creating an entry in their DNS servers, they would just point it at some dummy content of their own if any. I think it's just a last-resort kill switch for if they lose control of it. The original creators might have put it there in case their work was stolen and re-purposed. If you're unleashing a deadly virus, it's nice to know you have the cure. ;) (Though now someone can remove it).
 
So it's basically confirmed that this entire debacle is the result of removed funding for IT security by the Tories (I assume Hunt, May and Cameron all have to be involved in some sense), and yet the country is steadfastly supporting them in a few weeks.

Oh man, it'd be hilarious if it wasn't more so tragic.

Anyone that died because of this is on May's hands and anyone still voting for them more so.
 
The reason which was suggested is that the domain is a "kill switch" in case something goes wrong, but I now believe it to be a badly thought out anti-analysis measure.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments; then, once they see the domain responding, they know they're in a sandbox and the malware exits to prevent further analysis. This technique isn't unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit... thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course, now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.

Seems to be the reasoning - but anyone analysing it in a sandbox would quickly discover that and deactivate it, so it seems more like just a way for them to run it for testing, but kind of elaborate compared to a simple if statement.

EDIT: These kinds of kill switches and controller domains aren't unusual in themselves, but this implementation seems a bit odd - not sure if it's just amateur work from script kiddies packaging it up or whether there is something more behind it.
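To make the two checks described above concrete, here is an added example (not code from the thread, from MalwareTech, or from either malware family): a DNS self-check a defender can run inside an analysis VM to see whether the sandbox gives itself away by answering lookups that should fail. It implements both the single hard-coded domain check (which a single registration flips for every infection) and the Necurs-style check against several random domains. The resolver is injected, so the block runs offline against constructed fake resolvers; the kill-switch name is a placeholder, not the real domain.

```python
"""Sandbox DNS self-check (added example, not from the original thread).

Two anti-analysis checks are modelled:
  * single hard-coded, intentionally unregistered domain: "sandbox" iff it
    resolves.  Registering that one name sinkholes every infection at once.
  * several random domains (Necurs-style): "sandbox" iff they all resolve to
    the same IP, which a real resolver never does and a registration cannot fake.

The resolver is injected so the demo works offline; `system_resolver` is the
real one.  Domain names below are placeholders, not the real kill switch.
"""
import secrets
import socket
import string
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None on NXDOMAIN

# Hypothetical stand-in for the hard-coded domain; not the real one.
KILLSWITCH_PLACEHOLDER = "killswitch-placeholder.example"


def system_resolver(name: str) -> Optional[str]:
    """Real resolver: IP string, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_domain(length: int = 16, tld: str = "com") -> str:
    """Random label that is overwhelmingly unlikely to be registered."""
    label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{tld}"


def single_domain_check(resolver: Resolver, domain: str) -> bool:
    """WannaCrypt-style: 'in a sandbox' iff the one hard-coded name resolves.
    Weakness: whoever registers `domain` makes this True everywhere."""
    return resolver(domain) is not None


def multi_domain_check(resolver: Resolver, count: int = 5) -> bool:
    """Necurs-style: 'in a sandbox' iff all `count` random names resolve
    to the same address (the fingerprint of a catch-all sandbox DNS)."""
    answers = {resolver(random_domain()) for _ in range(count)}
    return len(answers) == 1 and None not in answers


# --- constructed fake resolvers for the offline demonstration -------------
def catch_all_sandbox(name: str) -> Optional[str]:
    """Mimics a sandbox that answers every lookup with its own address."""
    return "10.0.0.1"


def internet_with_sinkhole(name: str) -> Optional[str]:
    """Mimics public DNS after the kill-switch domain was registered:
    only that name resolves; random names are NXDOMAIN."""
    return "203.0.113.5" if name == KILLSWITCH_PLACEHOLDER else None


def internet_unregistered(name: str) -> Optional[str]:
    """Mimics public DNS before anyone registered the name: nothing resolves."""
    return None


if __name__ == "__main__":
    for label, res in (("catch-all sandbox", catch_all_sandbox),
                       ("internet, sinkholed", internet_with_sinkhole),
                       ("internet, unregistered", internet_unregistered)):
        print(f"{label:24} single={single_domain_check(res, KILLSWITCH_PLACEHOLDER)!s:5} "
              f"multi={multi_domain_check(res)}")
```

Run it in an analysis VM with `system_resolver` in place of the fakes: if `multi_domain_check(system_resolver)` returns True, the sandbox's catch-all DNS is exactly what the single-domain trick keys on, and the fix is to return NXDOMAIN for names that really are unregistered.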
 
Wonder what all the zeroed variables are for - plus would it have hurt them to name their variables after their functionality rather than just numbering them? heh :s (EDIT: didn't check actually, it might just be that way due to being reverse engineered).
 
Thinking about this... what would have happened if the NHS files were all deleted?

I mean, if the NHS is anything to go by nowadays, it probably has a bare minimum of backups; could the NHS have literally failed?
 
I'd assume things like patient records are still duplicated to hard copy for archiving, but no idea on that. They do have relatively robust backups though.
 
Does compromise mean

(1) accessed
(2) can't be accessed by the Hospitals etc

I'm thinking maybe no. 1, which makes sense, as this type of malware doesn't try to access the data to be "used", so to speak.
 
It is, but given the impact Microsoft have released the patch. Unsure if anyone mentioned this already, but the exploits have apparently been known to the NSA for a while, and after they were breached the exploits were released. No doubt they tipped Microsoft off. Wouldn't surprise me either.

Problem with large-scale IT, especially given the servers I look after, is that it's impossible to keep on top of patches every month; it has to be a 2-4 month cycle unless something like this happens.

I was trying to make the point that it's not MS's fault entirely - clients know when a product is going EoS and should have a suitable plan in place. They would have had plenty of notice. The NHS IT have been totally remiss here, and the buck should stop with them.
 
There are several parts to this infection - the ransomware is just one part and, AFAIK, doesn't access the data itself other than to encrypt it so that it can be held to ransom. But the whole package also installs a backdoor, which might be used autonomously to sideload additional malware or for someone to take direct control of a machine, as well as cycling through any available RDP connections it can find internally to spread further.
 
380 replies to this thread so far, with about 15 actually having useful info and 365 armchair experts arguing - Love You GD :D
Cracking (ironic) post. But fair comment: random vague observations on procurement, or in fact on the NHS, are not really either relevant or informative.

It would be handy if some of the people who appear to know how this ransomware was spread, and how to avoid these issues (other than just applying patches), were to share some of their wisdom, rather than simply making uninformative comments along the lines of "There are ways to manage Windows 10". As you say, Love You GD
 