NHS computer systems hacked!?

Is there something you can do about people opening seemingly legit emails then?

I only ask because I have seen some VERY plausible looking SCAM/Phishing emails; there was a reference to one in this very thread.

I have had any number of emails, seemingly from people I know well, whose email contact lists had been hacked. I even had one that referred to a skiing holiday I had been on with one of them. People need to be INCREDIBLY cautious where emails are concerned. If there is an attachment and the email looks less than 100% genuine, I frequently contact the "sender" to confirm that it was really they who sent it - after looking carefully at the "Reply to" address.

Most cannot help themselves.
 
Suggestions are surfacing that Symantec and Kaspersky believe that this malware may have originated in North Korea.

Google ArsTechnica, Forbes, USnews or Reuters and "north korea ransomware" . . . could be interesting ;)


Edited: "North Korea" suggestion report now on BBC Online.

There was also an interview with someone from IBM who suggested that there was no evidence that email was the initial distribution mechanism and that "individual" (i.e. Home) users appear not to have been greatly affected - perhaps suggesting a targeted attack?
Earlier in the thread I said this email distribution rumour wasn't correct, as it would happen every day because of the sheer number of NHS staff, 1.7 million plus. I also posted that it must be somewhat targeted; Rroff and a few others said the same.
 
Is there something you can do about people opening seemingly legit emails then?

I only ask because I have seen some VERY plausible looking SCAM/Phishing emails; there was a reference to one in this very thread.

I have had any number of emails, seemingly from people I know well, whose email contact lists had been hacked. I even had one that referred to a skiing holiday I had been on with one of them. People need to be INCREDIBLY cautious where emails are concerned. If there is an attachment and the email looks less than 100% genuine, I frequently contact the "sender" to confirm that it was really they who sent it - after looking carefully at the "Reply to" address.

One thing that boggles my mind in relation to this is that most email clients do their best to hide away the full header information, and even automated spam detection systems don't seem to use it very effectively. MS are one of the worst for this, as the implementation of it in their systems often seems to be done in a way that suggests the developer has utter contempt for the end user, almost like they don't believe anyone else would be clued up enough to make use of the information.

In many cases just showing the difference between the originating IP and the supposed sender address would clue in many reasonably competent IT users and at least give those less able a prompt to get someone to double check for them if appropriate IT policies were in place.
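An added example (mine, not from anyone in this thread) of the check the post above wants clients to surface: pull the From, Reply-To and Return-Path domains and the originating IP out of raw headers and report where they disagree. The message, hostnames and addresses are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): From: claims a colleague at the
# company domain, but Reply-To:, Return-Path: and the earliest Received: hop
# all point elsewhere. Hostnames and IPs are documentation placeholders.
RAW = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [198.51.100.7])
        by inbox.corp.example with ESMTP; Fri, 12 May 2017 10:02:11 +0000
Received: from unknown (HELO smtp.corp.example) (203.0.113.45)
        by mx.corp.example with SMTP; Fri, 12 May 2017 10:02:09 +0000
From: "Alice Colleague" <alice@corp.example>
Reply-To: <alice.colleague@webmail.example.org>
To: <bob@corp.example>
Subject: Photos from the ski trip

See attached.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def originating_ip(msg):
    """IP from the earliest Received: hop. Hops are prepended as mail travels,
    so the last Received: header is the one closest to the real sender."""
    hops = msg.get_all("Received", [])
    match = IPV4.search(str(hops[-1])) if hops else None
    return match.group(1) if match else None

def header_findings(raw):
    """Summarise what a user would need to see: the claimed sender domain,
    every routing header whose domain disagrees with it, and the source IP."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    mismatches = []
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(name, ""))
        if dom and dom != from_domain:
            mismatches.append(f"{name} domain {dom} differs from From domain {from_domain}")
    return {"from_domain": from_domain,
            "mismatches": mismatches,
            "originating_ip": originating_ip(msg)}
```

Feeding a real message in needs the raw bytes with headers intact (for example a saved .eml), since most clients only hand over the rendered body.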
 
Is there something you can do about people opening seemingly legit emails then?

I only ask because I have seen some VERY plausible looking SCAM/Phishing emails; there was a reference to one in this very thread.

I have had any number of emails, seemingly from people I know well, whose email contact lists had been hacked. I even had one that referred to a skiing holiday I had been on with one of them. People need to be INCREDIBLY cautious where emails are concerned. If there is an attachment and the email looks less than 100% genuine, I frequently contact the "sender" to confirm that it was really they who sent it - after looking carefully at the "Reply to" address.

It depends on what systems you are using and if they are all on a network. If you are using MS Exchange as a company email system then there are settings\policies built in that you can set to block certain email types, and I am sure it can block all attachments etc., but this can then become a hindrance if set to a block-all setup.

e: If your systems run AD policies then there are all kinds of things you can block\stop\allow, whatever, to your heart's content, in other words locking the user\systems down to only what the user actually needs for them to work efficiently :)

https://technet.microsoft.com/en-gb/library/hh147307(v=ws.10).aspx
 
Is there something you can do about people opening seemingly legit emails then?

I only ask because I have seen some VERY plausible looking SCAM/Phishing emails; there was a reference to one in this very thread.

I have had any number of emails, seemingly from people I know well, whose email contact lists had been hacked. I even had one that referred to a skiing holiday I had been on with one of them. People need to be INCREDIBLY cautious where emails are concerned. If there is an attachment and the email looks less than 100% genuine, I frequently contact the "sender" to confirm that it was really they who sent it - after looking carefully at the "Reply to" address.

There are some very good phishing emails; a PayPal one nearly got me until I checked the address, which as you said is the only way people can really tell. Best thing is to get them to report it to IT if the email doesn't seem right. I have sympathy if it's a decent-looking email, but I've seen people open ones with broken English and an attachment with random letters and numbers.
 
AV/Malware cannot protect against users, however application whitelisting can. If the hash isn't on the list then the program simply cannot run.
 
There are some very good phishing emails; a PayPal one nearly got me until I checked the address, which as you said is the only way people can really tell. Best thing is to get them to report it to IT if the email doesn't seem right. I have sympathy if it's a decent-looking email, but I've seen people open ones with broken English and an attachment with random letters and numbers.

Yeah, had a BT one the other day that looked really realistic. It even came from an email address hosted by BT, and the links led to a domain that was only one character (lower case l instead of an i) different from the proper BT one. I wasn't planning on entering any information via it anyway, but it was only by instinct that I worked out it was a phishing one.
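An added example, not part of the thread, of catching the one-character swap described above: compare every link's host against the expected hosts and flag a near miss, naming the swapped characters. The HTML and the example.com hosts are constructed placeholders, not BT's real domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not the actual mail from the thread: the visible link
# text shows the genuine host, but the href swaps one character (i -> l).
# The domains are placeholders, not the real BT ones.
EXPECTED_HOSTS = {"account-info.example.com", "www.example.com"}
HTML = """<p>Your bill is ready.
<a href="https://account-lnfo.example.com/login">https://account-info.example.com/login</a></p>
<p><a href="https://www.example.com/help">Help</a></p>"""

HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance; hostnames are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def single_swap(expected, seen):
    """If the two names differ in exactly one position, return that pair."""
    if len(expected) != len(seen):
        return None
    diffs = [(x, y) for x, y in zip(expected, seen) if x != y]
    return diffs[0] if len(diffs) == 1 else None

def classify_host(host, expected=EXPECTED_HOSTS):
    """'genuine', 'lookalike of <host> ...' for a one-edit near miss, else 'unknown'."""
    host = host.lower()
    if host in expected:
        return "genuine"
    for good in sorted(expected):
        if edit_distance(host, good) == 1:
            swap = single_swap(good, host)
            detail = f" ('{swap[0]}' shown as '{swap[1]}')" if swap else ""
            return f"lookalike of {good}{detail}"
    return "unknown"

def check_links(html, expected=EXPECTED_HOSTS):
    """Every href in the body paired with the verdict for its host."""
    results = []
    for href in HREF.findall(html):
        host = urlparse(href).hostname or ""
        results.append((host, classify_host(host, expected)))
    return results
```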
 
There are some very good phishing emails; a PayPal one nearly got me until I checked the address, which as you said is the only way people can really tell. Best thing is to get them to report it to IT if the email doesn't seem right. I have sympathy if it's a decent-looking email, but I've seen people open ones with broken English and an attachment with random letters and numbers.
I had a very good one from PayPal; they are getting better :)
 
Yeah, but that doesn't explain the scale of it alone; some of the places hit almost certainly didn't have port 445 exposed. It seems like each infection also just started randomly scanning on port 445 to try and spread it further, but again many of these organisations, even with relatively vulnerable systems, have port 445/SMB hard locked down at their gateway. (In some cases there might have been vulnerabilities via personal devices that had both network access and their own internet connection, but that is not uniformly the case.)

There is talk that the Telefonica breach was because of an RDP brute force, but Chema Alonso is denying this happened. Wouldn't surprise me if the NHS had RDP externally open as well.
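Added example (not from the thread) of the defender's side of the port 445 behaviour described above: a host fanning out to many distinct addresses on 445 within seconds stands out in gateway logs even where the gateway denies the traffic. The log lines, addresses and the 60-second / 5-host thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway log (not from any real device). One host, 10.20.1.15,
# fans out on 445 to many internal and internet addresses within seconds;
# 10.20.1.40 only talks to the file server 10.20.1.5, which is normal.
# Note the DENY lines: a gateway that blocks 445 still logs the attempts.
SAMPLE_LOG = """\
2017-05-12 11:00:01 10.20.1.40 10.20.1.5 445 ALLOW
2017-05-12 11:00:03 10.20.1.40 10.20.1.5 445 ALLOW
2017-05-12 11:00:05 10.20.1.15 10.20.1.1 445 ALLOW
2017-05-12 11:00:06 10.20.1.15 10.20.1.2 445 ALLOW
2017-05-12 11:00:07 10.20.1.15 10.20.1.3 445 DENY
2017-05-12 11:00:08 10.20.1.15 203.0.113.9 445 DENY
2017-05-12 11:00:09 10.20.1.15 198.51.100.23 445 DENY
2017-05-12 11:00:10 10.20.1.40 10.20.1.5 445 ALLOW
2017-05-12 11:00:11 10.20.1.15 10.20.1.4 445 ALLOW
2017-05-12 11:00:12 10.20.1.40 10.20.1.5 80 ALLOW
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\w+)$")

def parse_line(line):
    """(timestamp, src, dst, dst_port, action) from one log line."""
    m = LINE.match(line.strip())
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)

def smb_fanout_alerts(lines, window=timedelta(seconds=60), threshold=5):
    """Alert once per source that contacts >= threshold distinct hosts on 445
    inside a sliding time window, whether or not the gateway allowed it.
    Lines are expected in time order, as a log file would be."""
    recent = defaultdict(deque)      # src -> (timestamp, dst) pairs in window
    alerted, alerts = set(), []
    for line in lines:
        ts, src, dst, port, _action = parse_line(line)
        if port != 445:
            continue
        hops = recent[src]
        hops.append((ts, dst))
        while ts - hops[0][0] > window:  # drop entries older than the window
            hops.popleft()
        targets = sorted({d for _, d in hops})
        if len(targets) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, targets))
    return alerts
```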
 
There is talk that the Telefonica breach was because of an RDP brute force, but Chema Alonso is denying this happened. Wouldn't surprise me if the NHS had RDP externally open as well.

The more you find out about the NHS setup, the more disgracefully embarrassing it is how incompetent their setup really is.
 
There is talk that the Telefonica breach was because of an RDP brute force, but Chema Alonso is denying this happened. Wouldn't surprise me if the NHS had RDP externally open as well.

Below is an image of the process flow.

The image still doesn't really cover the initial attack vector though. Externally exposed RDP breaches might go some way to explaining it; I wonder if there is any correlation with TeamViewer in the mix, as that has been compromised a couple of times now.
 
What a tremendously ****** thing for them to do. The Mail, The Sun, The Telegraph and the Mirror. You would hope at least that the Telegraph would have been less of a click-beggar. Apparently not.

It's time for me to provide my public service where I remind people that the Telegraph is a bad paper. Thanks for your time.
 
The image still doesn't really cover the initial attack vector though. Externally exposed RDP breaches might go some way to explaining it; I wonder if there is any correlation with TeamViewer in the mix, as that has been compromised a couple of times now.

You only have to go to Shodan.io to see how many domains have port 445 open to the internet ;)

There is a good write-up over at Malwarebytes

https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
 
You only have to go to Shodan.io to see how many domains have port 445 open to the internet ;)

There is a good write-up over at Malwarebytes

https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

Already read a lot of that stuff. Sure, there are a lot of systems with port 445 exposed to the internet, but it still doesn't seem to quite match this one: some of the organisations infected definitely won't have port 445 open from any part of their normal infrastructure, which would mean that a system had to be in the mix that was both connected to the internal network and had internet access other than via the corporate backbone, or this might be where the phishing angle comes in. But I'm still not convinced that entirely explains it.

(EDIT: Also possible people picked up the infection elsewhere before joining their device to a corporate network, but again there is a very low infection rate in private individuals, so it's unlikely to have been picked up at home unless it's floating around exploiting public wifi, etc. to get onto corporate laptops and so on; but then I'd have thought we'd have seen higher rates of private individuals infected also.)
 