NHS computer systems hacked!?

Certainly an interesting one - a lot of people are pointing fingers at things that superficially look likely, like phishing, but there is a lot that doesn't make sense when you contrast what is known with previous malware/ransomware. For instance, even some established security people have glossed over, or like the video above only briefly commented on, its ability to side-load additional nasty stuff without looking at the implications and/or complications of that, instead focusing on the ransomware.
What gets me is how many countries and organisations seem to have been affected, all within a few hours. That's a monumental amount of work to pull it off.
 
In post #655, DJMK4 described receiving an email that referenced his name and home address. This certainly suggests very detailed targeting.
An interesting point - I wonder if that slightly older incident with people getting emails with their name and home address is related - maybe identified in some way as people more likely to be soft targets for this kind of infection - would also explain somewhat the less usual pattern of infections compared to other attacks of this nature.
Yeah, and it could be possible that they have hacked an NHS 3rd party supplier (there are 1000s) and used their email system to send emails targeted at the NHS; the recipient is going to trust the email as they would recognise the company/employee who sent it (hackers).

e: Hackers could have hacked into a 3rd party software supplier's system and planted it in some way. I think that could be possible because they are connected to NHS systems; in fact 3rd party companies exist all over the world for the NHS, especially software related, and they usually have remote connections to whichever systems they provide remote support on. I often spoke to people in Mexico and some other South/North American 3rd party suppliers.
 
I don't think they even needed to rely on that trust to open the email attachment just the email itself (and if they did use the data from the previously mentioned people targeted with the name and home address thing those are people most likely to open these kind of emails - which is supposedly enough with the defender RCE issue) - I'm starting to think there is some container aspect of it that somewhat worryingly hasn't been identified yet which has somehow managed to stay hidden on multiple corporate networks that made use of the recent flaw in Microsoft's Malware Protection Engine to get there in the first place and had basically been intentionally triggered once MS started patching that hole as it would curtail its spreading and intentionally triggered before the SMB issues could be dealt with. Which suggests a very high level of organisation from those involved.
 
This was just for starters. I think it is high level because everyone is confused as to how it got there; nobody around the globe has worked it out yet, which is exactly what they want :)
 
It would be kind of funny if it turned out to be some kid in their bedroom that managed to almost accidentally craft such a successful deployment system that happened by pure chance to be set in action at the right place at the right time (and now absolutely ******* themselves).
 
Haha yeah, I was actually thinking similar: some kid accidentally set off someone else's bigger plan.
 
This was highlighted by El Reg. and made me chuckle.

It's a page on the Sophos website before and after this weekend. ;)

EDIT: I'll throw them a bone though and say I'm not really sure how much you can do when your customer refuses to upgrade or patch in a timely manner.
 
^^ LOL ouch.

I do wonder if it's time medical organisations switched to ROM-based OSes and versioned files behind physical write protection (write once) once committed, so that after an attack they can just reboot the device and be back up and running with minimal issues and minimal data loss.
 
When we got hit by something similar last year. McAfee didn't see it AT ALL (yes it was totally up to date). Even when you pointed it in the direction of a known virus, nothing. Biggest pile of crap ever :/

We replaced it with Sophos lol
 
Meh! McAfee. I've had way too many irritating experiences removing free trials of McAfee from people's newly bought PCs to ever use it myself. The best thing about the company is their founder, and he's been trying to explain to people for years that he's got nothing to do with his product! :D

 
Looks like things are still busy at the NHS - couple of people I know were called into a meeting at head office this morning and said they'll likely be working into the early hours tomorrow :s
 

Interesting looks like it alerts the user almost immediately that they've been ransomed but has only just started encrypting files - if you pulled the power at that exact moment you'd probably stop it encrypting 90% of your files.

A decent quick look at what it does once running but doesn't cover the initial attack vector which still seems a bit up in the air with people pointing at what looks likely but nothing really making sense.
 
You're protected against the over-the-network attack, but the initial attack vector is probably going to be email, so for most home users (who have 1 PC) it (probably) makes no difference if they have the patch or not - though it never hurts to have the latest patches (apart from when they break stuff).

But it being spread by email has not been confirmed yet, only speculated because other types of attacks in the past have used email to spread. So far I've not read a single confirmed report that email is the initial attack vector. Even the Cisco Talos article linked earlier makes absolutely no mention of email. The dropper mechanism and infection using port 139 and port 445 have been, and these are what the MS updates protect you against, as well as blocking these ports within your router firewall, if they're open.
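For the two mitigations the post above names (install the MS updates, and make sure TCP 139/445 are not reachable from outside), here is an added PowerShell example. It is not code from this thread or from any poster; it assumes a Windows 8.1/10 or Server 2012 R2+ host with the NetSecurity, NetTCPIP and SmbShare modules, and the KB number is a placeholder to be replaced with the update Microsoft published for your build. It goes slightly beyond the post by also reporting whether SMBv1 is enabled on the server side, since that is the protocol version the SMB fixes of the time concerned.

```powershell
# Added example (not from the thread): check and harden SMB/NetBIOS exposure on a Windows host.
# Run in an elevated PowerShell session. Assumes NetSecurity / NetTCPIP / SmbShare modules
# (Windows 8.1 / Server 2012 R2 and later).

$smbPorts = @('139', '445')

# 1. Which SMB/NetBIOS ports are currently listening, and on which local addresses?
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $smbPorts -contains "$($_.LocalPort)" } |
    Select-Object LocalAddress, LocalPort, OwningProcess
if ($listeners) {
    Write-Host 'SMB/NetBIOS listeners found:'
    $listeners | Format-Table -AutoSize
} else {
    Write-Host 'No SMB/NetBIOS listeners on this host.'
}

# 2. Is there already an enabled inbound block rule covering TCP 139 or 445?
$blocking = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        (@($_.LocalPort) | Where-Object { $smbPorts -contains "$_" })
    }

# 3. If not, add an explicit inbound block for the Public and Private profiles.
#    The Domain profile is left alone so file sharing inside a managed network keeps working;
#    a home user with a single PC can safely add Domain to the list as well.
if (-not $blocking) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS (TCP 139,445)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 `
        -Action Block -Profile Public,Private | Out-Null
    Write-Host 'Added inbound block rule for TCP 139/445 (Public, Private profiles).'
} else {
    Write-Host 'An inbound block rule for TCP 139/445 is already in place.'
}

# 4. Is the relevant Microsoft security update installed?
#    KB number is a placeholder: substitute the update Microsoft published for your OS build.
$kb = 'KBXXXXXXX'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "$kb is installed."
} else {
    Write-Host "$kb is NOT installed - apply it via Windows Update."
}

# 5. Report whether SMBv1 is still enabled on the server side (informational only).
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled: $smb1"
```

The firewall rule only helps for traffic that actually reaches the host's own firewall; the router-level blocking the post mentions is still the right place to stop 139/445 from the internet, and the host rule is belt-and-braces for laptops that roam onto untrusted networks.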
 
But it being spread by email has not been confirmed yet, only speculated because other types of attacks in the past have used email to spread. So far I've not read a single confirmed report that email is the initial attack vector. Even the Cisco Talos article linked earlier makes absolutely no mention of email. The dropper mechanism and infection using port 139 and port 445 have been, and these are what the MS updates protect you against, as well as blocking these ports within your router firewall, if they're open.

That video hyperseven linked brings up some interesting points - he notes things like the lack of persistence mechanisms and seems a bit surprised by it but doesn't seem to make any connections to the potential implications for that like for instance there might be another component outside of the ransomware itself that is ostensibly taking care of that factor.

Also I think at least one of the attack vectors comes down to this: https://technet.microsoft.com/en-us/library/security/4022344.aspx but IMO that doesn't fully explain it - in fact it raises more questions, I think, than it answers.
 