NHS computer systems hacked!?

Tons and tons and tons of home users are on unpatched or poorly patched Windows 7. As I mentioned before, though, this seems to have been crafted with at least some focus on getting into and infecting organisations' networks.

Possibly it has got in through that recent issue with attachments being able to deliver their payload without a user even opening the attachment, which mostly affected corporate networks, but I'm starting to think there is something about this infection that we haven't seen/aren't aware of yet, as the way it has spread through businesses especially seems suspicious to me - I'm seriously starting to wonder if they have exploited a previously unknown vulnerability on the server class vPro CPUs, which are less common in a home environment, and it's then leapfrogged from that.

Indeed!
 
Tons and tons and tons of home users are on unpatched or poorly patched Windows 7. As I mentioned before, though, this seems to have been crafted with at least some focus on getting into and infecting organisations' networks.

It exploits a flaw in SMB used by the NSA; by its nature it isn't going to affect your mother's PC as much as it would a corporate network.

Nate
 
Automatic updates and the fact that single users don't use Windows XP.

There are still loads of people using Windows XP - albeit it's at 0.89% on say Steam hardware survey, but that is still millions of users worldwide, and often people on XP and 7 aren't using automatic updates - for a while in fact XP and 7 updates were stalled/broken, and anyone who hasn't applied the fix will not have been getting new updates since about 18 months ago or so.
 
It exploits a flaw in SMB used by the NSA; by its nature it isn't going to affect your mother's PC as much as it would a corporate network.

Nate

It still has to get a foot in the door - which would have around equal chance of happening ostensibly for the overall collection of home users versus overall collection of enterprise ignoring the number of machines involved in each. Other "scattershot" attacks have seen far higher volume of non-corporate systems compromised in comparison to what we see here just comparing 1 home user to 1 corporate compromised as a whole.
 
It still has to get a foot in the door - which would have around equal chance of happening ostensibly for the overall collection of home users versus overall collection of enterprise ignoring the number of machines involved in each. Other "scattershot" attacks have seen far higher volume of non-corporate systems compromised in comparison to what we see here just comparing 1 home user to 1 corporate compromised as a whole.

You misunderstand the problem. It isn't the initial infection that is the problem, it is that once one PC is infected, it can worm its way through the entire connected networks to infect all hosts with a network cable in them. This in turn can then infect other networks (given lax security) and it can spread.

Nate
 
There are still loads of people using Windows XP - albeit it's at 0.89% on say Steam hardware survey, but that is still millions of users worldwide, and often people on XP and 7 aren't using automatic updates - for a while in fact XP and 7 updates were stalled/broken, and anyone who hasn't applied the fix will not have been getting new updates since about 18 months ago or so.

In addition to that, anyone who cares about security and privacy won't be using automatic updates because last year MS made it impossible to get automatic security updates for 7 without also installing whatever malware MS decide to push at their users. You have to patch manually. In addition, MS patches have become notoriously crap and many people delay them until they find out what's broken by new patches. Something often is.
 
You misunderstand the problem. It isn't the initial infection that is the problem, it is that once one PC is infected, it can worm its way through the entire connected networks to infect all hosts with a network cable in them. This in turn can then infect other networks (given lax security) and it can spread.

Nate

Not misunderstanding anything. In other ransomware attacks for one corporation hit - no matter how many machines internally are compromised, there would be a number of home users also hit, so far with this one there has been a very low number of reported home user infections which is a bit unusual and suggests that the foot in the door mechanism isn't fully understood yet.

SMB (EternalBlue) and the internal RDP looping, etc. is irrelevant to what I'm saying here.
 
Not misunderstanding anything. In other ransomware attacks for one corporation hit - no matter how many machines internally are compromised, there would be a number of home users also hit, so far with this one there has been a very low number of reported home user infections which is a bit unusual and suggests that the foot in the door mechanism isn't fully understood yet.

SMB (EternalBlue) and the internal RDP looping, etc. is irrelevant to what I'm saying here.

What is the ratio of home users to corporate users infected then? I'm not being glib, but the extent is not known so far to be able to state such as fact.

Nate
 
There's 31 pages of replies so someone may have mentioned this already, but, surely with proper policies set absolutely no XP machine in a corporate environment should have contracted a virus?
 
This strain of malware seems to have very specifically targeted masses of corporate email addresses, hence the little/no reports of home users; had they sent them to Hotmail/Gmail users etc. they would most likely have found their SMTP servers on a blacklist very quickly.
 
What is the ratio of home users to corporate users infected then? I'm not being glib, but the extent is not known so far to be able to state such as fact.

Nate

Don't have exact figures but I've been following those that are monitoring it like malwaretech that have published lots of data.

There's 31 pages of replies so someone may have mentioned this already, but, surely with proper policies set absolutely no XP machine in a corporate environment should have contracted a virus?

There is no way to fully protect against i.e. previously undiscovered way to inject code via a vulnerability in a signed driver, etc.

This strain of malware seems to have very specifically targeted masses of corporate email addresses, hence the little/no reports of home users; had they sent them to Hotmail/Gmail users etc. they would most likely have found their SMTP servers on a blacklist very quickly.

It's possible it is as simple as that but something doesn't add up to me instinctively. It seems to have gone impossibly far impossibly fast to depend on the odd person opening an attachment in a business even with its possibly unprecedented ability to quickly spread internally on a network - I mean it is less than a month or so since the NSA tools used were leaked.
 
There's 31 pages of replies so someone may have mentioned this already, but, surely with proper policies set absolutely no XP machine in a corporate environment should have contracted a virus?
They would need to be on a totally air gapped network to have avoided the infection. Off the top of my head, most guidelines suggest XP machines must not have internet/emails; unfortunately this is not enough in this instance.
 
Regarding the Russian stuff earlier - looks like the latest info shows massively more infections in Russian organisations than any other country or demographic which is interesting - as someone said tends to indicate it doesn't originate in Russia as they'd be very unlikely to risk messing with the FSB lol.
 
Looks like the NHS saga has now affected me personally. Looks like my outpatients dept is still broken so have had my appointment tomorrow cancelled. That's the 2nd cancellation in two weeks. Hope the meds that I'm on that aren't working aren't also doing any damage.

I know, a bit woe is me
 