NHS computer systems hacked!?
- Thread starter Tone1979
- Start date
which again has sod all to the post of mine you had issues with.
do you even know why you quoted me in the first place.
Of course.
http://www.bbc.co.uk/news/technology-39913630
Europol think it was just the beginning and more attacks are imminent.
Europol think it was just the beginning and more attacks are imminent.
Associate
- Joined
- 7 Feb 2008
- Posts
- 2,377
- Location
- Surrey
I'm just surprised it's taken this long for this to happen. Cryptolocker viruses aren't exactly new, and there are plenty of ignorant people infecting their company PCs daily.
I'm also shocked there hasn't been a single reference to Mr Robot in all this, since it's almost the exact same scenario (except the victim wasn't someone like Google/Apple).
I'm also shocked there hasn't been a single reference to Mr Robot in all this, since it's almost the exact same scenario (except the victim wasn't someone like Google/Apple).
Previously they've been less sophisticated and not utilised capabilities like SMB to break out from the initial infection - as I've been saying in some of the threads slowly these are being packaged up with more sophisticated tools and increasingly there is attention being paid to things like infecting IoT devices or hiding copies of it away in device firmware (for instance NAS boxes) to reactivate at a later date when people think the infection has gone, etc. I'm not quite sure at what level and on what timeframe that kind of stuff is making its way into the wild.
Associate
- Joined
- 7 Feb 2008
- Posts
- 2,377
- Location
- Surrey
I've read accounts on here before of these viruses spreading from PC to PC and encrypting everything, so I thought this was old hat, but I'm not exactly well informed on how this stuff works. I read this was based on a virus stolen from the NSA, but I don't know what it does that other ones don't (I guess the SMB thing you referenced).
Not saying older variants didn't try to infect other systems, etc. just that they are becoming more sophisticated at doing so and hence more likely to spread. Previously it was mostly by looking at logged in shares that held executable files and infecting them, etc. while this variant much more directly attacks network interconnectivity and seems to have a more sophisticated method of compromising remote desktop servers active on a network and from what I've seen they are only going to get more sophisticated.
While I'm not saying patches, etc. are useless but if people are worried about it they need to focus on making sure they have offline backup copies of critical data ideally on a write protected medium.
Previously crypto-malware spread via email attachments (hey look at this invoice.zip), compromised websites/banner ad networks exploiting browser vulnerabilities to execute code, dodgy torrents etc.. This was different because it used an RCE vulnerability in SMBv1 that the NSA knew about and kept secret, until it was all leaked. Using this exploit gave the crypto malware worm-like capabilities.
AFAIK unless you have systems directly exposed to the internet it still needs to get a foot in the door via someone opening an attachment or the recent issue where an attachment could compromise the systems scanning the attachment before anyone even opened it.
Associate
- Joined
- 7 Feb 2008
- Posts
- 2,377
- Location
- Surrey
I was working there at the end of last year on a contract when someone in support sent a test email to a new Outlook distribution group which they had accidentally added pretty much the entire NHS staff mailing list to. Then people started doing "Reply All" to the message saying things like "Please remove me from this group"/"You sent me this in error" and this multiplied out into millions(?) of emails and brought the entire NHS email system to a halt. It even ended up on the BBC and I believe The Sun even named the support person who sent the initial email.
That is my understanding as well unless someone is stupid enough to expose SMB ports to the internet. The problem is that lots of enterprises still only focus on protecting the network edge, and consider everything within the network to be trusted. See how it seems that office desktop PCs can have unrestricted access to the systems that run the digital signs on German railway stations.
AFAIK current infections are stalled due to the "killswitch". The NHS has had people working through the weekend quarantineing and cleaning systems so there shouldn't be any mass event from people turning them on.
Looking at the realtime map for the systems reporting back to the "sinkhole" domain though there are a lot of companies who are going to need to do a ton of disinfecting of their systems still come Monday morning though - pretty much every company should be doing it as a matter of urgency :s
Yeah I was fascinated by that - the image of the ransomware up over the digital signs was kind of funny. (EDIT: As I mentioned in an earlier post that is why those systems are running on Linux where I work).
Cynically, it's just talk and they're gearing for more funding like any good little public body does. In the end, it's just another step on the grand road of authority without question.
Yeah they just seem to be generalising based on comments like the malwaretech guy made about the current killswitch only stalling this particular variant, etc. that said these crypto ransomware only seem to be getting more sophisticated and less controlled than anything else.