
NHS computer systems hacked!?

Discussion in 'General Discussion' started by Tone1979, May 12, 2017.

  1. ChrisD.

    Capodecina

    Joined: Sep 20, 2006

    Posts: 22,481

    Is it the worm embedded into a Doc X file that opens regardless of macro settings?

    We have application control as well so highly unlikely to get attacked.
     
  2. ubersonic

    Capodecina

    Joined: May 26, 2009

    Posts: 20,377

    You're thinking of the older spam emails containing ransomware attachments like "notavirus.pdf.exe"; this attack is regarding a worm that can install itself via Windows security flaws leaked by the NSA. The patches being discussed fix the flaw.
     
  3. edscdk

    Soldato

    Joined: Jul 17, 2008

    Posts: 6,543

    I bet it came in via email, once in it can then spread via network / exploit..
     
  4. CHokKA

    Mobster

    Joined: May 17, 2004

    Posts: 3,437

    Location: Home

    This particular program infects machines using port 139 or port 445 and exploits a vulnerability within Windows. It doesn't work the same as the other CryptoLocker variants that have been out there recently. Because of the Windows vulnerability, unless you're specifically patched to protect you against it, you'll get it and all other PCs within the network will as well if not patched. It isn't necessarily down to a single person opening up an email.
     
  5. CHokKA

    Mobster

    Joined: May 17, 2004

    Posts: 3,437

    Location: Home

  6. ubersonic

    Capodecina

    Joined: May 26, 2009

    Posts: 20,377

    And as with other ransomware it has the headache that an unpatched computer can wreak havoc on a patched computer/server if it has network access to a shared drive/folder.
     
  7. jimjamuk

    Mobster

    Joined: Nov 30, 2007

    Posts: 2,734

    Location: Bristol, UK

    I agree, once the worm is running on a network machine it opens up 137/445 connections to other hosts and if vulnerable will infect. To activate the code someone or something needed to have run the attachment - once that's done it's a free for all on a network. A simple firewall would block 137/445 inbound connections from the Internet by default, so it needed to be transported inside an organisation (via email) and executed from within to be able to spread.
     
  8. marin

    Hitman

    Joined: Oct 18, 2002

    Posts: 648

    Location: Reykjavík - Iceland

  9. jimjamuk

    Mobster

    Joined: Nov 30, 2007

    Posts: 2,734

    Location: Bristol, UK

    If it's Windows - those ports are part of the core comms ports so closing them isn't an option. Patching and HIDS probably the only solution here
     
  10. marin

    Hitman

    Joined: Oct 18, 2002

    Posts: 648

    Location: Reykjavík - Iceland

    You can close ports 139 / 445 on your router / firewall instead of closing them in Windows.
     
  11. ChrisD.

    Capodecina

    Joined: Sep 20, 2006

    Posts: 22,481

    The whole point that a lot of people seem to be missing is that once you are past the firewall/router, you can pretty much do what you want if the OS is not secure.
     
  12. CHokKA

    Mobster

    Joined: May 17, 2004

    Posts: 3,437

    Location: Home

    Nobody knows that for sure right now. There's been talk of multiple ways that this has got into these networks. Some have said it was a direct attack on specific targeted IP ranges and routers vulnerable on ports 139 and 445 have let it through. There has been mention that it spread via email. There have been other things discussed at the moment. We don't know a whole lot about how it's actually out there entering systems right now, only that it specifically exploits a vulnerability within Windows.

    For me personally, I'm inclined to go with the IP targeted attack, specifically using port 139 or 445 within the routers to get into a network to spread the infection. Someone earlier mentioned that over 500 000 routers tested with a port scan have these open, so that's a very viable way of starting this off. It wouldn't surprise me that most networks haven't been secured against this.
     
  13. CHokKA

    Mobster

    Joined: May 17, 2004

    Posts: 3,437

    Location: Home

    This won't stop PCs from responding on those port numbers from internal requests though, because the router won't be responsible for handling these requests. The router will only block these requests from the outside. So if one of your internal PCs is already compromised, and your other PCs aren't patched against the exploit, they'll be infected as well. Your only protection in this case would be to have the patch on from MS to prevent infection.
     
  14. ChrisD.

    Capodecina

    Joined: Sep 20, 2006

    Posts: 22,481

  15. DJMK4

    Capodecina

    Joined: Dec 1, 2004

    Posts: 21,921

    Location: S.Wales, Cardiff

    I have received an email in to my gmail account with a ZIP attachment, be careful people! Have warned people on facebook etc.

    Email sender was a307192503 (at) 163.com which is confirmed on google as a known ransomware email sender/domain

    email was

    "Dear Darren
    Statement: EZXXXXXXXXXXX" where XX Random numbers
    My home address was listed

    a 4 digit passcode


    Sincerely
    Arcelia Barnault"

    and obviously the ZIP file attached


    Went straight in the bin
     
  16. Nasher

    Capodecina

    Joined: Nov 22, 2006

    Posts: 11,827

    If you have a proper firewall it will stop it sending out :)
     
  17. CHokKA

    Mobster

    Joined: May 17, 2004

    Posts: 3,437

    Location: Home

    By ethernet port or VLANs, sure, but most people don't have switches and firewalls that are capable of this sort of configuration. I'm focusing more toward the masses of home users or small businesses. Most that I deal with don't have any managed devices unfortunately. It would be so much easier if they did though!
     
  18. V F

    Capodecina

    Joined: Aug 13, 2003

    Posts: 15,371

    Location: UK

    You can still be infected if some numpty opens the email even if it's patched. Granted it won't spread but you'll still be done.
     
  19. #Chri5#

    Soldato

    Joined: Feb 27, 2003

    Posts: 6,605

    Location: Shropshire

    Is there anyone left to warn?

    If people still open strange e-mails with attachments after the amount of press coverage over the weekend, they are just too plain stupid to be allowed a PC.
     
  20. DJMK4

    Capodecina

    Joined: Dec 1, 2004

    Posts: 21,921

    Location: S.Wales, Cardiff

    Probably not but you never know there are some people out there that will do stupid things :p