Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 [2] 3 4 ... 6

Author Topic: NHS hit by ransomware!  (Read 4241 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 29977
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #15 on: May 13, 2017, 03:32:42 PM »

According to the British Medical Journal earlier this week, 90% of NHS computers still run XP.
In April 2015 the Government Digital Service decided not to extend essential extended support and security updates crucial for keeping hackers at bay.  Thus saving 5.5m.   Quote
Technology leaders met last month and took a collective decision to not extend the support arrangement for 2015. The current support agreement ended in April 2015.

Wow that was some false economy!!!  :-X



How ironic that the BMJ warned on the 10th of May 2017 the prospect of hospitals being held to ransom.
Quote
"We should be prepared: more hospitals will almost certainly be shut down by ransomware this year."
It would appear similar cases were already starting to occur in the US with hospitals supposedly being held to ransom for several $million.

http://www.bmj.com/content/357/bmj.j2214
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 29977
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #16 on: May 13, 2017, 03:34:07 PM »

Some very interesting reading about the WannaCrypt ransomware here:-
https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

Note how the code contained a kill switch.
A researcher registered the domain name yesterday which has caused a drop off of new cases being propogated, otherwise this could be much bigger globally.   Bit late for the NHS though. :(

Quote
I'm yet to see a good analysis on why the kill switch existed in the first place and why discovery and circumvention was so simple. It seems entirely counter-intuitive to the goal of infecting as many machines as possible as quickly as possible and I hope we see some good analysis of that soon. The important thing here though is that based on the analysis we're seeing, this variant shouldn't be spreading any further however... there'll almost certainly be copycats.

« Last Edit: May 13, 2017, 03:44:24 PM by kitz »
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4612
Re: NHS hit by ransomware!
« Reply #17 on: May 13, 2017, 03:45:42 PM »

kitz since it was zero day I think they still would have been vulnerable anyway.

The microsoft patch has been issued "after" the NHS compromise.

Looking at that page you linked to, the SMB protocol is likely they spread via windows file sharing, which I expect is likely enabled on a huge chunk of NHS machines, so my speculation of it spreading over LAN I expect is correct, of course its unlikely the first machine got infected via SMB hence my question of how did the first machine get infected.

Those of us with pfsense machines I can think of an idea, but not sure how to implement it.

Basically figure out a way to make the resolver always reply with the rfc1918 ip that routes to the local blank page for any domain name that exceeds a certian length.  Meaning if any variant of this is relaunched into the wild but still has a kill switch on a new random domain the kill switch would be activated.
« Last Edit: May 13, 2017, 03:54:24 PM by Chrysalis »
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 29977
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #18 on: May 13, 2017, 04:12:56 PM »

kitz since it was zero day I think they still would have been vulnerable anyway.

According to Microsoft, any [XP] machines with extended support should be OK as long as they installed the security update available to them in March.
The following applies to Windows platforms in custom support including XP, Windows 8 and Windows Server 2003

Quote
In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability.

It looks like yesterday Microsoft made a decision to release the Security update and make it available to all who run one of the operating systems still in custom support regardless if they have purchased extended support or not.  Still too late for the NHS :/

See   https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4612
Re: NHS hit by ransomware!
« Reply #19 on: May 13, 2017, 04:25:08 PM »

ok thanks for the correction.

The NHS with its problems, I can sympathise with the low priority IT maintenance has been given.  The money to payout to microsoft I know is a tiny % of the overall NHS budget, but if you think of it another way, how many tablets does it buy, how many operations dees it fund, how many staff does it pay? its understandable why the shortcut was made.  They may have even laid off the IT staff that would have carried out this work as well, wouldnt surprise me.
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 29977
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #20 on: May 13, 2017, 04:25:45 PM »

Re the killswitch, I think that's just given a bit of breathing space to some machines which could have become infected.

The way I read things from what others were saying that as long as WannaCrypt could reach the domain then the machine was not infected.    However, like you say... that does not stop any future similar virus changing the domain.  By all accounts it appears that it was a manually typed domain rather than random generated.

Basically it was just the quick action of someone buying that domain which gave a temporary reprieve to some [unpatched] machines.

Quote
Infections for WannaCry/WanaDecrpt0r are down due to @MalwareTechBlog registering initial C2 domain leading to kill-switch #AccidentalHero
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 29977
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #21 on: May 13, 2017, 04:27:14 PM »


The NHS with its problems, I can sympathise with the low priority IT maintenance has been given.  The money to payout to microsoft I know is a tiny % of the overall NHS budget, but if you think of it another way, how many tablets does it buy, how many operations dees it fund, how many staff does it pay? its understandable why the shortcut was made.  They may have even laid off the IT staff that would have carried out this work as well, wouldnt surprise me.

Ain't that the truth.    :'(
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

NEXUS2345

  • Reg Member
  • ***
  • Posts: 226
Re: NHS hit by ransomware!
« Reply #22 on: May 13, 2017, 04:32:00 PM »

According to Microsoft, any [XP] machines with extended support should be OK as long as they installed the security update available to them in March.
The following applies to Windows platforms in custom support including XP, Windows 8 and Windows Server 2003

It looks like yesterday Microsoft made a decision to release the Security update and make it available to all who run one of the operating systems still in custom support regardless if they have purchased extended support or not.  Still too late for the NHS :/

See   https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

The issue was patched on systems from Windows Vista SP2 through to Windows 10 over a month ago. The fix released yesterday was explicitly for XP and Server 2003. This was not a zero day in any shape or form, although it may appear to be due to the scale of the impact. The issue highlighted here is that many large organisations do not have the systems in place to ensure that every vulnerable device is patched or removed from the network if a patch is not ever going to be available.
Logged
Zen ADSL2+ | HG612 + TP-Link C2600 | Awaiting FTTC (build in progress)

NEXUS2345

  • Reg Member
  • ***
  • Posts: 226
Re: NHS hit by ransomware!
« Reply #23 on: May 13, 2017, 04:33:09 PM »

Re the killswitch, I think that's just given a bit of breathing space to some machines which could have become infected.

The way I read things from what others were saying that as long as WannaCrypt could reach the domain then the machine was not infected.    However, like you say... that does not stop any future similar virus changing the domain.  By all accounts it appears that it was a manually typed domain rather than random generated.

Basically it was just the quick action of someone buying that domain which gave a temporary reprieve to some [unpatched] machines.

Some firewall vendors are now blocking this domain for some reason, so if you are in a business, double check that the site is accessible to ensure your network remains safe if there are unpatched systems.
Logged
Zen ADSL2+ | HG612 + TP-Link C2600 | Awaiting FTTC (build in progress)

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3182
Re: NHS hit by ransomware!
« Reply #24 on: May 13, 2017, 04:38:12 PM »

It looks like yesterday Microsoft made a decision to release the Security update and make it available to all who run one of the operating systems

Now that's good to know, thanks.   :)

I still have an XP box, AV licence long-since expired,  that's called into service once in a blue moon for the odd things that OS X and Linux can't do.   Definitely worth applying that patch.



Logged

tonyappuk

  • Reg Member
  • ***
  • Posts: 586
Re: NHS hit by ransomware!
« Reply #25 on: May 13, 2017, 04:43:07 PM »

I may be living in cloud cuckoo land but after being hit by ransomeware about 3 or 4 years ago I did some searching and found Cryptoprevent. Having read the blurb and other comments I thought it was worth a try and installed it. Although I still visit a lot of sites including naughty ones I have not had a second attack. What do the experts here think of it? It is available for free download from a site called foolishIT
Tony
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 29977
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: NHS hit by ransomware!
« Reply #26 on: May 13, 2017, 04:50:14 PM »

I think theres a few of us on here who use Cryptoprevent.   In fact it was one of the guys on here who recommended it and the reason why I use it.   
iirc there was a discussion somewhere in the Windows section about it.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4612
Re: NHS hit by ransomware!
« Reply #27 on: May 13, 2017, 04:52:53 PM »

its a very good security layer.

basically cryptoprevent is a frontend for the very powerful software restriction policy which itself is effectively an anti exe.  Anti exe security policies tend to be a way better means of defense than traditional patching and a/v.

However since this is a worm which doesnt need a human to execute it for infection and we know it spread via SMB, I dont think SRP would have stopped it unless the original machine was infected via a human running an original binary.  The NHS is very unlikely to have SMB open to the internet, so how the first machine got infected remains a curiosity of mine.

The only issue with cryptoprevent is its out of the box config uses a blacklist rather than whitelist approach (for user friendlyness), whitelisting is always more effective than blacklisting.

On my rig, any folder that can be written to by a browser cannot execute a file (via SRP), meaning there is a conundrum for malware, it may make it to the disk, but if it does it wont be able to run.  I also extend this limited permissions to any folder thats writeable by any non elevated process on my entire system covering all drives.  It has meant I have had to whitelist all my games/apps etc. but I feel its worth it.  You can whitelist trusted certificates tho which makes it somewhat more user friendly, so e.g. whitelisting the google cert will allow any google binary to run without a specific whitelist.

Applocker which is the newer version of SRP is way more user freindly, it has a wizard you can run which will scan folders for existing programs and automatically create rules for them, however since windows 8, its on no consumer version of windows, it was useable in windows 7 ultimate.

SRP and Applocker can also block dll injection so e.g. using something like rundll32.exe to load a malware dll can also be blocked by both SRP and Applocker.

SMB can be significantly hardened tho, although I dont know if a hardened configuration would have mitigated this worm.

Typically ransomware aimed at consumers is in the form of a binary, maybe attached to an email or drive by virus in a browser.

Whilst businesses may heavily use shared network drives aka windows file sharing, and as such its clear to me this worm targeted businesses.
« Last Edit: May 13, 2017, 05:00:06 PM by Chrysalis »
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3182
Re: NHS hit by ransomware!
« Reply #28 on: May 13, 2017, 07:44:52 PM »

If it spreads via SMB then I would a very likely way into a 'secure' corporate network with no public access would be...

Member of staff, takes laptop home, where it attaches to his WiFi.

Kids, or Kids' friends, then connect devices of unknown sanitation to same WiFi, malware on said device finds laptop, laptop gets infected.

Next day, laptop is back on corporate network, passes it on....
Logged

WWWombat

  • Kitizen
  • ****
  • Posts: 1468
Re: NHS hit by ransomware!
« Reply #29 on: May 14, 2017, 03:38:36 AM »

I think one of the issues with these systems getting attacked is that they allow too many external connections. I see no reason for much of this as we all know the fewer open ports the less chance of getting attacked, also these systems should not allow any personal use or email and web surfing. All emails should go to one isolated server to be validated prior to being passed on. I remember years ago at one government office I went to they had zero external connections directly into their network and only one PC with external access but no internal access and they had some software which did not allow any usb devices to connect to their networked PCs unless previously processed by one PC to again validate the contents. Another client I had dealings with had one system which was approved as secure by the US Dept of Defense and in order to gain that certification it had zero external connections!

In today's connected world nothing is 100% secure.

The NHS N3 network is, I guess, like a huge corporate LAN. Each GP, clinic, hospital has, effectively, a private leased line into the network. It doesn't look to be accessed, say, via using a VPN over a vanilla internet connection. Email should be going through central servers, and "external access" (outside the LAN) should go centrally too.

But that makes a huge set of locations where, as 7LM says, a member of staff can accidentally introduce some malware from a trip home, which could then feed into the core of the LAN, and onwards.

In such a setup, you'd think the core would firewall each site/trust from the others. And, from the way different trusts have reported their problems, it seems like this has happened.

The way it hit multiple trusts, and places outside the UK, all at the same time, suggests to me that it has perhaps been infecting machines for a while, but only activated the payload yesterday.
Logged
Pages: 1 [2] 3 4 ... 6
 

anything