NHS computer systems hacked!?

Is there anyone left to warn?

If people still open strange e-mails with attachments after the amount of press coverage over the weekend, they are just too plain stupid to be allowed a PC.

It's always been this way as far back as I can remember. It's why so many people's browsers are full of 20 odd toolbars.
 
Jesus Christ, what's the real number if a guy (whom we should likely trust, having worked at NHS Digital previously) is saying >10% and NHS Digital is saying otherwise?
The thing is, a pretty high % of the XP machines will only have been upgraded to Windows 7; it isn't a massive leap forward in terms of time/latest tech, and the NHS never will be. It will always be 10 years behind due to the nature of the NHS.
 
You're thinking of the older spam emails containing ransomware attachments like "notavirus.pdf.exe", this attack is regarding a worm that can install itself via Windows security flaws leaked by the NSA. The patches being discussed fix the flaw.

That is one of the mechanisms (it also loops through RDP sessions to see if it can spread through those, and tries to install a backdoor which may be used to side-load further malware, which may also aid it in spreading once in) that it uses to spread once it has got inside a network; it isn't clear at this time whether the same technique was used to get a foot in the door or not.

The exact mechanism used to get a foot in the door isn't clear at this time. Usually it is via someone opening an infected attachment like document.doc.exe, but this infection has spread far too quickly and too widely compared to previous ransomware using that mechanism; it certainly doesn't match what I have observed previously watching older malware:

Microsoft said:
Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector

Microsoft said:
We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer is addressable from other infected machines

The number of machines with SMB exposed directly to the internet is in theory very low - a corporate network usually would have that all locked down, and most home routers would naturally block it unless machines were intentionally put in the DMZ. While it would only need to find one machine that was both exposed to the internet in this way and networked internally in a way it could spread out from to move very fast inside an organisation, in theory the numbers are way too low for how fast this has spread in terms of number of infected corporations rather than number of infected machines. Which makes me wonder if there is something more to it than we have seen so far.

I have been following as many of the updates as I can, semi-frequently, and based on your many posts you do know a lot. However, in fairness, you do come across as a bit of an armchair expert who is not particularly interested in clarifying or summarising.

Based on your insight, why not put together an informed and informative post explaining:
  • How this malware reached PCs (e.g. email, IP address and open port)
  • If by email, what was the content of the email (URL, attachment)
  • If an attachment, what was it (I have seen references to Word document or .PDF)
  • How any affected organisation or person can recover (aside from restoring from a backup)
  • What lessons the average (e.g. GP IT support person) can learn from this event
I haven't seen ANYONE concisely and coherently address these questions.

If you decide to take my challenge, many thanks; if not, thanks for reading so far ;)

See above. Problem is, I've been following a lot of information very broadly and have had a casual interest in the subject going back to the icon sprite virus in RISC OS in the early 90s; what I can see intuitively is a lot harder to back up with solid facts in an ongoing and fluid situation.

Some of the last 2 points I addressed in the thread on it in the Windows sub-forum.
 
Still doesn't fly with me, the Russians aren't the main culprit when it comes to global authority with regards to the internet. They have little to gain from such a blind attack.
I agree, Rroff and Caged were posting about it earlier in the thread. I agreed that it wasn't directly at the NHS, obviously, because this is worldwide, but I do not think we are being told everything and some Govt/businesses have kept this quieter than it is.

Some form of targeting has gone on with this; how many other businesses in the UK were hit? The NHS are not the only business with ageing IT and security systems. It also isn't as simple as someone clicking on a dodgy email: there are 1.7 million people who work in the NHS, and if it was as simple as a dodgy email this would happen every day.
 
As per neil's post above, it's not hard to claim and make it look like you were hit also :p

While not appearing to be a targeted attack itself, I do have to wonder if it is a smokescreen for something more specific.
This, but I cannot think what; there could be all kinds of theories, conspiracies as well :)
 
I agree, Rroff and Caged were posting about it earlier in the thread. I agreed that it wasn't directly at the NHS, obviously, because this is worldwide, but I do not think we are being told everything and some Govt/businesses have kept this quieter than it is.

Some form of targeting has gone on with this; how many other businesses in the UK were hit? The NHS are not the only business with ageing IT and security systems. It also isn't as simple as someone clicking on a dodgy email: there are 1.7 million people who work in the NHS, and if it was as simple as a dodgy email this would happen every day.


Unless it was set to go live at a certain date/time. Surely it could be activated but dormant to get the maximum infestation.
 
This, but I cannot think what; there could be all kinds of theories, conspiracies as well :)

It looks like Russia is pretty hard hit compared to the rest of the world - last time I looked it was 45,000 out of just over 200,000 infections. Not sure if there is anything significant to that, or just a higher proportion of older hardware and less security.
 
Hmm, well I don't see KB4012215 on the PC, so I don't have the patch?

I've done 'check for updates' and it says no important updates available...

I think KB4012215 is for 32-bit Windows 7; for 64-bit you need to look for KB4012212. Remember to include the KB, not just the number, otherwise it won't find it.
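The exchange above is about confirming a Windows 7 box has the MS17-010 update and is not still offering SMBv1. The script below is an added example, not code from anyone in this thread. It assumes (from the MS17-010 bulletin, not from the thread) that KB4012212 is the March 2017 security-only update and KB4012215 the monthly rollup, that both ship for 32-bit and 64-bit Windows 7 / Server 2008 R2, and that later monthly rollups supersede them, so a missing KB is a prompt to check the update history rather than proof the host is exposed. The SMBv1 registry switch is the one Microsoft documents in KB2696547 for Windows 7 / 2008 R2; Disable-Smb1Server is left commented out because it restarts the Server service.

```powershell
# Added example (not the thread's own code): check whether this Windows 7 /
# Server 2008 R2 host carries an MS17-010 update and whether the SMBv1 server
# is still enabled. Run from an elevated PowerShell prompt.

function Test-Ms17010Patch {
    # KB IDs assumed from the MS17-010 bulletin: security-only and monthly rollup.
    param([string[]]$KbIds = @('KB4012212', 'KB4012215'))
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID }
    [pscustomobject]@{
        Patched     = [bool]$found
        InstalledKb = (@($found | ForEach-Object { $_.HotFixID })) -join ','
    }
}

function Test-Smb1ServerEnabled {
    # Per Microsoft KB2696547, SMB1 = 0 under LanmanServer\Parameters disables
    # the SMBv1 server on Windows 7 / 2008 R2; if the value is absent, SMBv1 is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Disable-Smb1Server {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    # The change takes effect when the Server service restarts (or on reboot);
    # -Force also restarts services that depend on it, e.g. Computer Browser.
    Restart-Service -Name LanmanServer -Force
}

$patch = Test-Ms17010Patch
"MS17-010 update present : $($patch.Patched) $($patch.InstalledKb)"
"SMBv1 server enabled    : $(Test-Smb1ServerEnabled)"
if (-not $patch.Patched -and (Test-Smb1ServerEnabled)) {
    Write-Warning 'Unpatched host with SMBv1 enabled: install the update; disabling SMBv1 is only a stop-gap.'
    # Disable-Smb1Server   # uncomment once you have confirmed nothing on the LAN still needs SMBv1
}
```

If Get-HotFix returns neither KB but the box has taken a later monthly rollup, it is patched anyway; the check is a quick triage, not a substitute for a vulnerability scan of TCP/445 from another host.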
 
Just talking to my (other) brother, who runs one of the bigger education network backends, and they first saw it earlier last week (fortunately they have a really bright network security guy) exploiting this: http://thehackernews.com/2017/05/windows-defender-rce-flaw.html - a user only has to open an infected email, even if they don't touch the attachment, and in some cases doesn't even need to open the email, just receive it. They immediately went on lockdown when this vulnerability was published and believe they successfully stopped it from the first moment it appeared on the edge of their network (still doing ongoing security sweeps just to make sure).
 
Ha, just spoken to an NHS site with a few XP machines, and they weren't replaced, as those wipe-clean keyboards to prevent cross-contamination had no Win 7 drivers and were £300+ each to replace.
 
Unless it was set to go live at a certain date/time. Surely it could be activated but dormant to get the maximum infestation.
Maybe; there is as yet no information on how it was started. We know what has slowed it down, but nothing on the former. Will there be?

Oh and hahahaha at Microsoft blaming the NSA.

e: I don't think anyone is going to come forward considering how much of Russia was hit, like Rroff posted above.
 
It looks like Russia is pretty hard hit compared to the rest of the world - last time I looked it was 45,000 out of just over 200,000 infections. Not sure if there is anything significant to that, or just a higher proportion of older hardware and less security.
Are any of the sites you posted pages back any the wiser on how it started? I've not read them for nearly 48 hours, I am being lazy, yes :)
 
Oh and hahahaha at Microsoft blaming the NSA.

It is funny, as increasingly the evidence seems to come down to flaws in MS's work. I wonder why they didn't mention anything about their recent RCE flaw in the summary I posted excerpts from above.

Are any of the sites you posted pages back any the wiser on how it started? I've not read them for nearly 48 hours, I am being lazy, yes :)

Nothing I've seen so far has a clear understanding of the initial attack vector; it's all vague finger pointing at people opening attachments or SMB, despite neither of those factors on paper being a good fit for just how fast this one has spread entity to entity (not the number of machines involved). For some reason the RCE vulnerability (in Windows Defender) seems to rarely have been taken into consideration, though even that I'm not sure alone explains it; hard to say at this point. It would make sense if the payload was triggered somehow once MS started patching against that vulnerability, but it seems a bit unlikely that it managed to sit there undetected, yet able to execute at will, on so many networks for that long if that was the case.
 
Oh and hahahaha at Microsoft blaming the NSA.
Well they do have a point, if the NSA had made them aware of the flaw it would have been patched before hackers ever discovered it nevermind exploited it. Instead the NSA chose to stockpile the flaw as a weapon, then their data got stolen, now as a result this has happened.
 
Well they do have a point, if the NSA had made them aware of the flaw it would have been patched before hackers ever discovered it nevermind exploited it. Instead the NSA chose to stockpile the flaw as a weapon, then their data got stolen, now as a result this has happened.
Their own testing department should have found it imo; they wrote the code and imo are responsible for the most part. Hackers and security services are secondary to blame.
 
I'd put it at about 50/50. Looking at what security researchers have published about the SMB vulnerability and the Malware Protection Engine issues, MS really should have found and patched them before 2017, even if they did release patches very quickly for both when brought to their attention.
 
Take it with this ransomware, once you get infected there's no hope of recovering the files? Luckily I wasn't hit or anything, but just wondering.
 
Looks like the NHS saga has now affected me personally. Looks like my outpatients dept is still broken, so have had my appointment tomorrow cancelled. That's the 2nd cancellation in two weeks. Hope the meds that I'm on that aren't working aren't also doing any damage.

I know, a bit woe is me

It has happened to my mother as well. The local GP surgery has been hit this morning. She was scheduled to go in tomorrow, but one of them phoned her up to cancel. The phones have an automated message for emergencies only now. The practice cannot get access to their own site, so they cannot update anything.

Take it with this ransomware, once you get infected there's no hope of recovering the files? Luckily I wasn't hit or anything, but just wondering.

Once it has encrypted files, you either have to chance paying up and hope they will provide the key to decrypt (which will be different for each case), or hope you have decent, isolated backups. Hence why I keep some USB HDDs offline and separate from my systems that I rotate backups onto regularly.

In this day and age of crypto malware I highly recommend something along the lines of what I do if you have critical data: a 1- or 2-bay NAS that supports USB remote replication, with a USB HDD plugged into the back replicating the internal drive (saves having to ever mess around recovering from RAID should the whole array fail; I just use mirroring RAID internally on my NAS for uptime convenience should one of the drives fail), and a front USB copy port set up to snapshot any important data to a USB HDD. Then have 2+ USB HDDs that you regularly snapshot to, kept somewhere offline and secure; even better, use a medium that can be write-protected. The NAS could also be configured to upload to a cloud service for an extra level of protection.
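The offline-snapshot step of the setup described above, as an added example that is not the poster's own tooling: copy a set of folders to a removable USB HDD with robocopy, write a SHA-256 manifest alongside the copy so the disk can be verified before anyone relies on it in a restore, and check a snapshot against its manifest. The drive letter and source folders are placeholders; robocopy is built into Windows, and Get-FileHash needs PowerShell 4 or later (an assumption for a Windows 7 SP1 box, which ships with PowerShell 2).

```powershell
# Added example (not the thread's own code): snapshot folders to an offline
# USB HDD, record a SHA-256 manifest, and verify a snapshot against it.
# $Destination and $Sources are assumed placeholders; adjust before running.

$Destination = 'E:\Snapshots'                                      # removable USB HDD (assumed)
$Sources     = @('C:\Users\me\Documents', 'C:\Users\me\Photos')    # assumed
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmm'
$Target      = Join-Path $Destination $Stamp

function New-OfflineSnapshot {
    param([string[]]$Sources, [string]$Target)
    # robocopy opens the log before copying, so the target directory must exist first.
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    foreach ($src in $Sources) {
        $leaf = Split-Path $src -Leaf
        # /E copies subdirectories including empty ones; /XJ skips junctions so a
        # loop cannot fill the disk; /R:1 /W:1 stops one locked file stalling the
        # job; /NP /NDL keep the log readable.
        robocopy $src (Join-Path $Target $leaf) /E /XJ /R:1 /W:1 /NP /NDL /LOG+:"$Target\robocopy.log"
        # robocopy exit codes below 8 mean success (files copied or nothing to do).
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors for $src (exit $LASTEXITCODE)" }
    }
    # Manifest: one line per file with its SHA-256, so the offline copy can be
    # proven intact later without trusting the disk it sits on.
    Get-ChildItem -Path $Target -Recurse -File |
        Where-Object { $_.Name -notin 'robocopy.log', 'manifest.csv' } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path (Join-Path $Target 'manifest.csv') -NoTypeInformation
}

function Test-SnapshotManifest {
    # Re-hash every file listed in the manifest; returns the paths that are
    # missing or changed (an empty array means the snapshot is intact).
    param([string]$SnapshotDir)
    $manifest = Import-Csv (Join-Path $SnapshotDir 'manifest.csv')
    $bad = foreach ($row in $manifest) {
        if (-not (Test-Path $row.Path)) { $row.Path; continue }
        if ((Get-FileHash -Algorithm SHA256 -Path $row.Path).Hash -ne $row.Hash) { $row.Path }
    }
    return @($bad)
}

if (-not (Test-Path $Destination)) {
    throw "Backup drive not present at $Destination; plug in the offline disk first."
}
New-OfflineSnapshot -Sources $Sources -Target $Target
$broken = Test-SnapshotManifest -SnapshotDir $Target
if ($broken.Count -eq 0) {
    "Snapshot written and verified at $Target; eject the drive and store it offline."
} else {
    Write-Warning ("Snapshot verification failed for {0} file(s): {1}" -f $broken.Count, ($broken -join '; '))
}
```

The disk only protects you while it is unplugged, so run this, verify, eject, and rotate the drives; leaving the snapshot disk attached makes it just another share the next worm can encrypt.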
 