NHS computer systems hacked!?

That is just one aspect of how it works though - the overall package seems to have been crafted with the end goal of getting inside larger networks.

I'll repost Caged's link from before for those that might have missed it and are still catching up:

Ah, but the malware at the core of this was developed by the NSA who likely did want that. But the people using it for ransomware are piggy-backing on it and their goals may not be the same.
 
Seems to be the reasoning - but anyone analysing it in a sandbox would quickly discover that and deactivate it, so it seems more like just a way for them to run it for testing, but kind of elaborate compared to a simple if statement.

EDIT: These kinds of killswitches and controller domains aren't unusual in themselves but this implementation seems a bit odd - not sure if it's just amateur work from script kiddies packaging it up or whether there is something more behind it.

Thanks for that. Very interesting.
 
Don't be obtuse... If the systems were funded to be secure/at least updated to something beyond the now ancient WinXP, this would have been incredibly unlikely to have occurred.
They removed funding for XP security, so yes it is THEIR fault.
http://www.mirror.co.uk/news/uk-news/tories-cut-security-support-outdated-10413160
The least they could do was to keep funding it and force the NHS to update, rather than just leaving it completely undefended and asking a massive organisation to change within 3 years.

Hospital given money for budget, additional money for outdated systems cut, they can spend their money to upgrade any time they want.
Ooft.

So Win7 also vulnerable. And firewalling it off the internet only makes the spread worse..

Very interesting.
So not the Tories' fault, chap who claimed it was lack of funding causing the XP to be exploited.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

Would suggest it was aimed at reasonably modern machines, forgoing the XP and older vulnerable machines.
Just if you didn't patch since March you were in trouble.
 
Only if unpatched

Client OS from XP to Windows 10 are vulnerable if using SMB v1
Server OS from 2003 to 2012R2 are vulnerable if using SMB v1

Basically anyone who has any form of file share using SMB v1.0 can be impacted by this.

Yet to see what's happening with 2000, I'm hoping we can just shut them down
 
from Microsoft
The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
 
Patch in question that resolves the exploit https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

more than just 2008 and earlier
For a start, you first quoted me when I said unpatched, which nothing you have said backs you up. Secondly, just because it's been patched doesn't mean the worm targeted these systems.
It's already been posted but you can have a nice in-depth read here
https://blogs.technet.microsoft.com...-ransomware-worm-targets-out-of-date-systems/
 
In terms of WannaCry itself, yes, that's true, but it won't be the only one out there and has probably been changed and resubmitted, and I'm expecting other companies come Monday morning to say they have been hit. It's just lucky this was on a Friday rather than a Monday. That's my point, that all systems that use SMB1 can be impacted: the worm exploits the EternalBlue issue, which impacts the OSes I've listed.
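
Added example, not part of any post in this thread: a PowerShell check for the condition argued over above, namely whether a machine still accepts SMB v1 as a file server. The function name `Get-Smb1ServerStatus` is made up for this example; it assumes the `Get-SmbServerConfiguration` cmdlet on Windows 8 / Server 2012 and later, and the documented `SMB1` registry value under `LanmanServer\Parameters` on older systems.

```powershell
# Added example: report whether the local SMB server still accepts SMB v1.
# Get-Smb1ServerStatus is a hypothetical helper name, not a built-in cmdlet.
# Written to run on PowerShell 2.0 as well, since that is what Windows 7 ships.
function Get-Smb1ServerStatus {
    $source  = $null
    $enabled = $null

    if (Get-Command -Name Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        $cfg     = Get-SmbServerConfiguration
        $source  = 'Get-SmbServerConfiguration'
        $enabled = [bool]$cfg.EnableSMB1Protocol
    }
    else {
        # Vista / 7 / Server 2008 / 2008 R2: the server reads the SMB1 DWORD.
        # The value does not exist by default, and absent means enabled, so
        # only an explicit 0 counts as disabled.
        $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $prop    = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        $source  = 'Registry (LanmanServer\Parameters\SMB1)'
        $enabled = ($null -eq $prop) -or ($prop.SMB1 -ne 0)
    }

    New-Object -TypeName PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Source       = $source
        Smb1Enabled  = $enabled
    }
}

$status = Get-Smb1ServerStatus
$status | Format-List ComputerName, Source, Smb1Enabled

if ($status.Smb1Enabled) {
    # Disabling SMB v1 does not replace the MS17-010 patch linked in the thread;
    # it removes the protocol the posts above identify as the exposure.
    Write-Warning 'SMB v1 server is enabled on this machine.'
}
```

Windows XP and Server 2003 only speak SMB v1, so this switch does not exist there; for those the patch or isolation are the only options.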
 