NHS computer systems hacked!?

It has been predicted by some experts that very soon there will be an attack on the internet that will take it offline for seconds (1-30 secs).

Also I read that supposedly the attacks on the root DNS servers a few years back were a probe by hackers for a much larger attack to come.
 
There have been a few attempts at large-scale BGP attacks, etc., but I can't really see the point of it (other than stuff like IP poisoning to gain control of stuff); as far as cyber attacks go it's kind of weak.
 

What is the end goal, just to prove a point, or fun?
 
So the open sewer that is the UK tabloid press has carried on trying to dig up information on the MalwareTech guy, way past the point that any reasonable person would consider to be in the public interest.

 
That is pretty bad if it's the case: completely irrelevant to the story, and it potentially puts the person in harm's way. They should be facing legal action and paying the guy significant compensation if it's true.
 
On the flip side, he was quite happy (unless they've significantly altered the article of their own volition) to give another publication his full name and pictures of where he lives, and to tell them that he lived with his parents in Ilfracombe, so it seems a bit odd if he cared about security that much.
 
It is perplexing that so many people know how this attack could have been avoided - air gaps, upgrading all hardware, migrating to Windows 10, rewriting vast amounts of application software, etc. - whilst it appears that nobody is entirely clear what the initial delivery mechanism was, which one might have thought was a key concern.

I look forward to the first suggestion that all routers should be surrounded with cloves of garlic and wrapped in tinfoil.
 
OK, I'd like to start this post by saying I have zero idea about any of this.

So, going on posts in this thread/others that the ransomware side seems "amateurish", could this simply be someone who got hold of the more advanced worm side (sideloading etc.) from the NSA leaks/other sources and simply made a get-rich-quick scheme he didn't expect to spread so far, or just a "make the world burn" thing?

Basically a capable but not strategically thinking person capitalising on something beyond his level?

It looks to me like a half-way between the two. It is a case of some lesser criminals piggybacking on the NSA's escaped "military grade" arsenal. It's not some kid in a bedroom, though. The way it appeared simultaneously in disparate places without apparent travel says it's more than that. But on the other hand, it doesn't require a network of ultra-professionals, either. It looks to me like a group with a decent amount of know-how and enough of them to coordinate and think this is a great idea, but that's about it. All IMHO, anyway.
 

Indeed, in every case they said executing a script, or email, or opening files.

Was it spam mail? The same email to all?
Massive amounts of spam sent worldwide,
or remote access?
 

2-3 different places, including IBM's security department and Kaspersky, have found very low levels of it in email form (in fact I think some places say they found zero evidence in their email monitoring) - nothing like the amount needed for an attack at this scale. There seems to be some confusion over the remote desktop side of it, which possibly suggests that in some infections the backdoor was used to subsequently drop malware that exploited RDP, or manual intrusion via RDP (possibly indicating the bigger attack was a smokescreen for a specific target or targets), but other security researchers have found no evidence of RDP functionality in their samples (I'm not sure here if there is a confusion between the dropper and the ransomware, as a lot just concentrate on the ransomware itself and seem to ignore the dropper for some reason).

The malware is very capable of spreading worm-like via exposed SMB networking, and there are way more people vulnerable to that than there should be - however, the initial known patterns don't match traditional worm-like behaviour (unless it was somehow propagating unnoticed and lying dormant until some trigger), and many of the hit organisations ostensibly have had that avenue locked down for over a decade due to older NetBIOS exploits used to remotely crash servers.

As h4rm0ny said, the first known signs of it appeared almost simultaneously in spread-out places, with no direct connections, before worm-like behaviour subsequently kicked in as those vulnerable to the SMB exploit were hit by its worming ability. That almost suggests that either specific targets were hit first and then it was left to spread, or that some kind of wifi "war driving" or similar exploit of public hotspots was employed by a number of people or teams in several major cities to infect corporate devices and get the infection inside organisations that way initially (though that seems a bit contrived).

A network security guy for one of the UK providers of internet and other backend systems for schools claimed he saw it in emails 3-4 days before the big attack. It appeared to be specifically targeted at them and seemed designed to exploit the recent vulnerability in MS's Malware Protection Engine, where you don't even need to run the attachment. They immediately put their network on lockdown and appear not to have been hit.
 
Hard to say - very few people seem to be looking at it in any depth (at least publicly).

The whole thing is quite confusing; for instance, initially it was largely blamed on Windows XP - however:

However, the day after the outbreak Microsoft released an emergency security patch for Windows XP.[3] As of May 2017, less than 0.1% of the affected computers were running Windows XP.[60] However, Kaspersky Lab's study reports that 98 percent of the affected computers were running Windows 7.

Almost everything people are assuming about this outbreak is actually completely wrong, but for some reason no one seems to be inclined to check if what they assume is right or look at it any deeper, including many who work in this field professionally :(
 
Yes, I recall someone quoting the MS paper, where it says Win10 was safe, and Win7 was the main one infected, alongside the server versions.
Yet everyone on here was ranting at Tory cuts not allowing the NHS to get rid of XP legacy machines.
Odd, but worth a misplaced rant I suppose.
 
It still isn't known whether maybe Windows XP was the initial weakness that let it in to start with and then 7 was the most vulnerable internally on people's networks; who knows.
 
The police are investigating, but it's very unlikely to have come in via email; rather, it will have exploited a perimeter weakness at one part of the N3/PSN/SWAN networks and then spread where it could. Potentially via RDP or RDP ports, as those are sometimes in use between trusts etc.

Not buying the email route; I'd have heard of infections elsewhere if it was. Also, XP was not the main reason it hit many companies. That was down to slack patch management, essentially lack of maintenance.
 
The infections are normally only activated if you click the link in a mail; if you have vigilant users or decent spam/malware protection then you wouldn't get it through, but you need users to be educated. I've seen malware, such as Locky and WannaCry, come in via mail and be allowed through because of ageing spam filters or spam filters not being correctly configured.

Some infections came about because of exposed SMB ports on the internet (why the hell people would do this I have no idea).

There's slack patch management, and then there's testing a patch that you're going to roll out to 100,000+ PCs. It does need testing and sign-off. It may be that the patch had been tested and was waiting on a convoluted change approval process.



M.
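Two of the patterns discussed in this thread (internal hosts with SMB reachable from the internet, and a single internal host fanning out to many neighbours on the SMB port the way a worm does) can be picked out of ordinary flow logs. The script below is an added example by the editor, not code posted by anyone in the thread. It assumes a simple whitespace-separated flow format (timestamp, source IP, source port, destination IP, destination port, protocol) and treats only the RFC 1918 ranges as "internal"; the sample records are constructed for illustration.

```python
"""Flag SMB exposure and worm-like SMB fan-out in flow logs (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SMB_PORTS = {139, 445}

# Assumption: these RFC 1918 ranges are "inside". Adjust to your address plan.
# Note: ipaddress's .is_private also counts documentation ranges such as
# 203.0.113.0/24 as private, so an explicit list is used instead.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records (not real telemetry):
# "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2017-05-12T07:58:01 203.0.113.7 51234 192.168.10.5 445 tcp
2017-05-12T07:58:02 198.51.100.9 40211 192.168.10.5 445 tcp
2017-05-12T07:58:05 192.168.10.5 49152 192.168.10.6 445 tcp
2017-05-12T07:58:05 192.168.10.5 49153 192.168.10.7 445 tcp
2017-05-12T07:58:05 192.168.10.5 49154 192.168.10.8 445 tcp
2017-05-12T07:58:06 192.168.10.5 49155 192.168.10.9 445 tcp
2017-05-12T07:58:06 192.168.10.5 49156 192.168.10.10 445 tcp
2017-05-12T07:58:07 192.168.10.5 49157 192.168.10.11 445 tcp
2017-05-12T07:58:30 192.168.10.20 49200 192.168.10.21 445 tcp
2017-05-12T07:58:31 192.168.10.20 49201 10.0.0.4 443 tcp
2017-05-12T07:59:00 192.168.10.30 49300 192.168.10.5 445 tcp
"""


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[dict]:
    """Parse the assumed flow format into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto.lower(),
        })
    return flows


def find_exposed_smb(flows: List[dict]) -> Set[Tuple[str, str]]:
    """Internal hosts receiving SMB connections from non-internal sources.

    Returns (internal_host, external_source) pairs; any hit means SMB is
    reachable from outside and should be closed at the perimeter.
    """
    hits = set()
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] in SMB_PORTS
                and is_internal(f["dst"]) and not is_internal(f["src"])):
            hits.add((str(f["dst"]), str(f["src"])))
    return hits


def find_smb_fanout(flows: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Internal hosts opening SMB to at least `threshold` distinct internal hosts.

    A workstation normally talks SMB to a handful of file servers; one host
    reaching many peers on 445 is the signature of lateral worm propagation.
    Returns {source_host: distinct_smb_targets} for hosts over the threshold.
    """
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] in SMB_PORTS
                and is_internal(f["src"]) and is_internal(f["dst"])):
            targets[str(f["src"])].add(str(f["dst"]))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, source in sorted(find_exposed_smb(flows)):
        print(f"EXPOSED SMB: {host} accepted SMB from external {source}")
    for host, count in find_smb_fanout(flows).items():
        print(f"SMB FAN-OUT: {host} reached {count} internal hosts on SMB")
```

On the constructed data, 192.168.10.5 shows both symptoms: it accepts SMB from two public addresses and then reaches six internal neighbours on 445 within a few seconds, which is the sequence the thread describes (perimeter entry followed by internal worming). The fan-out threshold is a tuning knob; set it above the number of file servers a normal workstation in your environment legitimately contacts.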
 
^^ The recent Malware Protection Engine bug could potentially be exploited just by opening the email on a machine with Defender, etc. in active mode, without even having to click on the attachment, and there was proof of concept for ways to spread it via certain social media platforms, etc. just by getting a certain string to be active in memory that would be scanned by the Windows security system.
 