NHS cyberattack

[Angua]

Apparently a bunch of hospitals in the NHS have been hit by a cyber attack - locking people out of computers and demanding $300 in bitcoin.

It doesn't seem to have hit my hospital (I'm not in work today). I can't say that I'm surprised given that most hospital computers I've come across force you to use out of date windows explorer. Still, it's pretty awful and is going to be super disruptive.

edit - #curseofthefridayafternoon

[Mutex]

Isn't practically the whole NHS using XP still?

[sardia]

Don't most businesses just pay the Ransom and hope it goes away? It's cheaper and easier than actually updating all the It systems.

[Mutex]

Provided this is only affecting the desktop PCs and not the servers the important data is on, they could probably just format and reimage the affected PCs.

EDIT: Maybe not - http://www.bbc.co.uk/news/health-39899646

[Angua]

I don't think the NHS has the money to pay the ransom....

And yeah, at least half of the computers are still using XP. At my old hospital they were trying to upgrade them, but had to leave some computers not upgraded because the theatre op note system couldn't work on the upgraded systems.

[Zohar]

Wait, $300? That's a really low amount. Is that per computer? I feel like I'm missing something.

[Angua]

Apparently that was what was coming up on the screens? But it seems to be more disruptive than that looking through other articles - maybe they have just repurposed something else? I don't think it's clear yet what the extent of what's going on is???

[sardia]

Wait, $300? That's a really low amount. Is that per computer? I feel like I'm missing something.

It's an easy attack that costs almost nothing. Just send a spear fishing malicious email, and you'll probably get the money in even half the cases. The small amount means people will pay it. If it's too high, people will just report it as a total loss. This let's you have repeat income.

[KnightExemplar]

Apparently a bunch of hospitals in the NHS have been hit by a cyber attack - locking people out of computers and demanding $300 in bitcoin.

CryptoLocker schemes are incredibly common.

It doesn't seem to have hit my hospital (I'm not in work today). I can't say that I'm surprised given that most hospital computers I've come across force you to use out of date windows explorer.

CryptoLocker hit the Mac Community as well. Hackers be hacking, no matter what your operating system is. Be it Android, Windows, Mac, iPhone... I mean, they're all different viruses probably done by different groups. But it doesn't change the fact that every device is an attack surface.

The solution is to provide offline backups. Its impossible to protect against a Zero-day, since nobody knows of Zero-days except for hackers. And simpler attacks (ie: Spear Phishing) are surprisingly effective at making people run .exe files they really shouldn't. If you have offline backups however, you can just wipe out all the infected computers, restore the backups and be set.

The various CryptoLocker (and clone) hacking groups have various levels of "customer support". Some will NOT restore your files. Others have "slow" customer service, and may take weeks before they respond. And others still restore your files immediately. So if you're thinking of paying the ransom, best to do a bit of research to see if other people actually was "served well" by the virus's customer support.

In any case, CryptoLocker cannot damage a computer that is turned off. So any data stored in an offline storage mechanism is safe.

Amusingly, this "virus" has gone full circle. There are fake Cryptolockers that claim they hacked your files, but all they really did was put up an annoying screen that bothers you each time you turn on your computer. These fake-Cryptolockers hope to trick people into sending them money...

[morriswalters]

Wait, $300? That's a really low amount. Is that per computer? I feel like I'm missing something.

300 Bitcoin instead?

[KnightExemplar]

Wait, $300? That's a really low amount. Is that per computer? I feel like I'm missing something.

These things are generally highly automated.

You turn on your virus server, and then force thousands of people to pay you $300. You gotta handle a bit of "customer support" (ie: have an email address to handle an influx of people who don't know what a bitcoin is...) but otherwise, you want the value to be relatively low so that most of your "forced customers" actually do pay the ransom.

Then you leave your computer on while you go to work at your day job.

[Angua]

Why did no one tell me that I had forgotten to link the news article in my first post???

Anyways, thebbc article has been updated with more details on the nature of the attack so far.

Edit: sounds like this attack is bigger than just the NHS, with reports of affected computers worldwide.

[KnightExemplar]

Edit: sounds like this attack is bigger than just the NHS, with reports of affected computers worldwide.

Looks like the name of the virus is "WannaCry".

Various news articles seem to pin the vulnerability on MS17-010, so get your computers patched up ASAP to stop that attack. That's... a very worrying bug. "Critical" and "Remote Code Execution" are two words you don't want to see together in a description of a problem, especially when it affects all versions of Windows between Vista and 10.

That implies that the virus can infect your computer without you doing anything. I'm having flashbacks to "Conflicker". Its very rare for an attack to be this incredible. This is a serious bug, but fortunately the problem has been fixed in Microsoft's March update two months ago.

[Angua]

Ah yes, the mythical thing that can happen to computers. Updates.

[KnightExemplar]

Ah yes, the mythical thing that can happen to computers. Updates.

Indeed. Fortunately, it means that IT Teams actually can do something to stop this attack cold. But it also means you gotta act fast, since that virus is going to spread incredibly quickly. Conflicker ended up infecting 15ish-million computers across 190 countries before it was stopped... and that's the last time I'm aware of a "Critical" + "Remote Code Execution" attack happened.

Ironically: Conflicker also updated your computer to prevent Conflicker from affecting it again. It was a nice virus... fixing the issue as it infected everybody. Lol...

[Weeks]

Need some cash...hit someone who has money...let's attack the NHS.

[KnightExemplar]

Need some cash...hit someone who has money...let's attack the NHS.

That's not how the worm works.

A worm of this nature simply attacks everybody indiscriminately. You don't know if you're attacking grandma's cat pictures or the NHS. You just spread the virus around and hope they pay up. I bet you that the entire mechanism is 100% automated without any human interaction directing the attack. They just want to spread the attack as far and as wide as possible.

[Weeks]

I guess it's not really a cyberattack then. I mean the title makes it sound like they got hit by Anonymous or something

[KnightExemplar]

I guess it's not really a cyberattack then. I mean the title makes it sound like they got hit by Anonymous or something

Its an ongoing story. A lot about the attack was learned in the past couple of hours. It probably seemed like an NHS-specific attack this morning, but now that its hitting so many other organizations and companies, it seems more like an indiscriminate attack now.

[elasto]

It's indiscriminate - it's hit at least 12 countries. Russia is the worst affected, apparently, so perhaps the attackers are based there.

Another interesting factoid is that the attack uses an exploit revealed in the CIA leaks earlier this year. Microsoft patched it but many NHS services are still on XP (and can't upgrade because they use internal software that can only run on XP...)

[Chen]

It's indiscriminate. It's hit at least 12 countries.

Another interesting factoid is that the attack uses an exploit revealed in the CIA leaks earlier this year. Microsoft patched it but many NHS services are still on XP (and can't upgrade because they use internal software that can only run on XP...)

Does the vulnerability mentioned above affect XP though? The KB article starts with Vista though I don't know if that's just because its the earliest OS that is still being supported or what.

[elasto]

XP is no longer supported with patches. Support ended in 2014. link

---

The Agence France-Presse news agency reports that, in Spain, employees at the telecom giant Telefónica were told to shut down their workstations immediately through megaphone announcements as the attack spread.

Forcepoint Security Labs said that “a major malicious email campaign” consisting of nearly five million emails per hour was spreading the new ransomware.

The group said in a statement that the attack had “global scope”, affecting organisations in Australia, Belgium, France, Germany, Italy and Mexico.

[Soupspoon]

especially when it affects all versions of Windows between Vista and 10.

One wonders whether old faithful XP is immune ('pre-vulnerable') or just not 'worth mentioning'. edit: never mind

Not that my XP (or even my 2K) is going to get touched by this problem, for other reasons.

[ObsessoMom]

If you're interested what RT has to say about the NSA's share of the blame for this, quoting Edward Snowden and Julian Assange, here's a link:

Leaked NSA exploit blamed for global ransomware cyberattack

(CAVEAT: Whether it's accurate to characterize WikiLeaks as "Russian WikiLeaks," as Hillary Clinton recently did, is debatable, but RT is indisputably Putin's propaganda mouthpiece, so be aware of that bias.)

[morriswalters]

You have to wonder why the so called innovators that gave us the largest modern companies in the world can't fix this. They're so busy making money off idiocy that they leave users at high risk. I'm sure that people will call me an idiot, but this is precisely why I don't believe in the fantasy that people have spun out about AI. It frightens me that I can do everything by the numbers and still be at risk.

I hope nobodies dies over this.

[Thesh]

You have to wonder why the so called innovators that gave us the largest modern companies in the world can't fix this. They're so busy making money off idiocy that they leave users at high risk. I'm sure that people will call me an idiot, but this is precisely why I don't believe in the fantasy that people have spun out about AI. It frightens me that I can do everything by the numbers and still be at risk.

I hope nobodies dies over this.

I'm scared shitless about the direction of technology as everything becomes more and more connected to the internet, and we seem to be on a race to the bottom in terms of quality as everyone rushes to get their own app on the market. We need to completely restructure the hardware and operating system markets to put solid engineering principles and design it from the ground up with security in mind. The problem is that it takes a massive effort but any attempt by for-profit companies to fix it will end up a mess of patents and proprietary components that prevent it from ever moving forward.

[elasto]

I'm scared shitless about the direction of technology as everything becomes more and more connected to the internet, and we seem to be on a race to the bottom in terms of quality as everyone rushes to get their own app on the market.

What is just as bad is that apps can't get to the market fast enough, with the NHS forced to use a 16yo O/S because they have apps that can only run on it.

---

An “accidental hero” has halted the global spread of the WannaCry ransomware, reportedly by spending a few dollars on registering a domain name hidden in the malware.

The ransomware has wreaked havoc on organizations including FedEx and Telefonica, as well as the UK’s National Health Service (NHS), where operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.

However, a UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and activated a “kill switch” in the malicious software.

The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

It's incredible how quickly it has spread far and wide and, honestly, only reinforces my view that the security services should be sharing zero-day bugs as soon as they discover them, and not sit on them in the hope they can exploit them for surveillance; The risk to world infrastructure and the world economy is just too great.

Hopefully it also puts to bed the argument that we shouldn't have strongly secured devices by default, even if that means government can't eavesdrop at will.

---

Also it's to be applauded that Microsoft has released a patch for XP too; And while it's understandable that they don't want to feel obligated to maintain obsolete software indefinitely, it's a shame they didn't choose to patch this exploit anyway given how severe it is (remote execution of arbitrary code).

[Angua]

I'm confused by why that article calls the person who stopped the malware an 'accidental' hero. Makes it sound like they were just randomly registering domain names for shits and giggles and happened to run into that one.

[elasto]

The registration was deliberate, but he had no idea at the time that it would disable the malware.

Here's his blog post on how yesterday went down: link

Especially important is his warning about the true purpose behind the malware disabling itself - he doesn't believe it was meant to be a killswitch:

All this code is doing is attempting to connect to the domain we registered and if the connection is not successful it ransoms the system, if it is successful the malware exits.

The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as it it were registered (which should never happen).

I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registartion of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.

One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly importiant that any unpatched systems are patched as quickly as possible.

[Diadem]

That's interesting. Thanks for link / quote.

Does that mean that you could liberate an already ransomed machine by hooking it up to a router that returned an IP for any url lookup? That would still work even in the malware looks up random urls.

[EdgarJPublius]

Don't most businesses just pay the Ransom and hope it goes away? It's cheaper and easier than actually updating all the It systems.

In my experience, infected businesses have been able to restore from offline backups, and the conventional wisdom I've always heard about ransomware attacks is that it's a crapshoot at best whether paying will actually unlock your data.

[Mutex]

That's interesting. Thanks for link / quote.

Does that mean that you could liberate an already ransomed machine by hooking it up to a router that returned an IP for any url lookup? That would still work even in the malware looks up random urls.

I understand the check is done before it encrypts the filesystem, so it would be too late at that point.

[KnightExemplar]

You have to wonder why the so called innovators that gave us the largest modern companies in the world can't fix this. They're so busy making money off idiocy that they leave users at high risk. I'm sure that people will call me an idiot, but this is precisely why I don't believe in the fantasy that people have spun out about AI. It frightens me that I can do everything by the numbers and still be at risk.

I hope nobodies dies over this.

Microsoft fixed it in March. Its now the responsibility of IT teams to apply the patches Microsoft distributed in March.

https://technet.microsoft.com/en-us/lib ... 7-010.aspx

It's incredible how quickly it has spread far and wide and, honestly, only reinforces my view that the security services should be sharing zero-day bugs as soon as they discover them, and not sit on them in the hope they can exploit them for surveillance; The risk to world infrastructure and the world economy is just too great.

This was fixed in March, months ago. This wasn't a Zero-day attack, it was a Two-month old attack.

https://technet.microsoft.com/en-us/lib ... 7-010.aspx

Published: March 14, 2017

This is public knowledge, and has been for months. Doesn't mean jack shit however, because IT Teams hold off on updates for their own reasons. NHS was running Windows XP, a system that hasn't received any updates since 2014. This is an utter failure of their organization to smoothly transition to a safer OS (like Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10... all of which received this patch 2 months ago). This is the risk you take when you work with obsolete OSes that no longer receive updates.

As soon as the NSA / CIA leak happened, the bug was no longer a Zero-day by definition. Because the world knew about the attack vector. The Virus writers wrote this attack up within the last two months, which is much faster than defensive IT teams can move.

--------------

BTW: This "attack" is estimated at under 200,000 infections. This is a flash-in-the-pan. Mac OSX's "Flashback" attack hit 2-million computers a few years ago. Security Researchers also found a "kill-switch" (accidentally). In any case, WannaCry is dead as of today.

https://www.malwaretech.com/2017/05/how ... tacks.html

Just another Friday for IT Teams worldwide. This is their job. Yeah: generally complaining about company policies that prevent critical updates on the computers that are under your supervision.

Microsoft has also released a patch for Windows XP, although organizations really need to stop using XP. That system is insecure like all hell.

[ObsessoMom]

Barry Dorrans was talking about the scope of the damage (and why hospitals can't just stop using anything XP). Oy. The mind boggles.

(Also, should I worry that when I try to read those malwaretech.com links above, my browser tells me that malwaretech.com has an expired security certificate?)

[KnightExemplar]

Barry Dorrans was talking about the scope of the damage. Oy. The mind boggles.

But why though?

I mean seriously, this was a network attack. Which means a security router would have prevented it. If you're running a system that hasn't got an update for a fucking decade, put it behind a firewall. That's why they exist.

Holy shit, the incompetence I'm seeing...

[KnightExemplar]

(Double-post to respond to the edit)

(Also, should I worry that when I try to read those malwaretech.com links above, my browser tells me that malwaretech.com has an expired security certificate?)

A certificate only proves the website is who they claim they are. There's a trust-network that all the major web-browsers have. In my case, Firefox (my web browser) trusts Cloudflare (who verified the certificate), and therefore Firefox trusts the website.

Here's the certificate (from my computer): http://i.imgur.com/hrLsqFL.png

Cloudflare is a well known provider of proxy services, so they're trustworthy IMO. The question therefore... is why is it expired for you but not for me ?? Cloudflare could have just been buggy for a minute when you were visiting the page and maybe sent a bad certificate... but I'd have to see what the certificate looks like from your side. More commonly, if you're checking things from work or whatever, your organization may be swapping out certificates on their own proxy network setup.

Basically: something in your trust chain was broken. Maybe the web browser fucked up, maybe Cloudflare fucked up. Maybe the organization that runs your network fucked up (If your network admins are proxying webpages for some reason, they'd have to swap out the certificate for their own certificate, and then install the certificate onto your computer and force Firefox to trust them)

In any case, the certificate is just a trust-chain. It doesn't protect you from anything. It just means that Firefox (or whatever web browser you're using) doesn't think the website is who they say they are. If you're just reading, a bad certificate isn't a big deal. But you should always check the certificate if you're typing in banking data or anything else security-specific.

[elasto]

It's incredible how quickly it has spread far and wide and, honestly, only reinforces my view that the security services should be sharing zero-day bugs as soon as they discover them, and not sit on them in the hope they can exploit them for surveillance; The risk to world infrastructure and the world economy is just too great.

This was fixed in March, months ago. This wasn't a Zero-day attack, it was a Two-month old attack.

That's not good enough. If the security services had shared details of this bug with Microsoft in private as soon as they discovered it, noone would have exploited it, because they wouldn't even know to look for it.

By selfishly sitting on the bug for as long as possible, details of the exploit eventually became public and hackers had time to work out how to abuse it.

Yes, in an ideal world, every computer on and off the planet gets patched the day Microsoft releases an update, but you and I know we are a long way from that world - not least because Microsoft's updates sometimes bork things up in their own right...

---

The global ransomware cyber-attack that targeted tens of thousands of computers in 100 countries and crippled NHS systems appears to have raised just $20,000 (£15,500) for the criminals behind it, experts working with investigators have told the Guardian.

Tom Robinson, co-founder of Elliptic, a company that identifies illicit activity involving bitcoin and provides services to most major law enforcement agencies in the US and UK, said that at least three bitcoin addresses have been identified as being associated with the malware used in Friday’s worldwide attack.

“Everyone’s efforts at the moment are being focused on getting relevant malware and getting systems up and running again,” Robinson said. “In terms of identifying the attacker, what we can see at the moment is that around $20,000 worth of ransoms have been paid to these addresses.

“There are actually two versions of this malware, there was one that appeared in April and we’ve identified one bitcoin address associated with that, and there’s a second version which appeared on Friday and we’ve identified three bitcoin addresses associated with that.

“These three addresses have received 8.2 bitcoins to date, which is about $14,000 dollars, and all of those bitcoins are still within those addresses. The ransomer hasn’t withdrawn any of the funds yet so there’s no opportunity to trace them.”

[Mutex]

Hackers could work out how to exploit the hole when MS released their patch, knowing it would still affect XP machines that don't receive the patches. This is quite common, MS only released the patch for this for XP because it was so high profile.

[KnightExemplar]

It's incredible how quickly it has spread far and wide and, honestly, only reinforces my view that the security services should be sharing zero-day bugs as soon as they discover them, and not sit on them in the hope they can exploit them for surveillance; The risk to world infrastructure and the world economy is just too great.

This was fixed in March, months ago. This wasn't a Zero-day attack, it was a Two-month old attack.

That's not good enough. If the security services had shared details of this bug with Microsoft in private

Exactly as Mutex said. Hackers look at Microsoft patch notes, and sometimes even the patch code, to build their attacks and viruses.

As long as people don't update their computers ASAP, then regardless any public disclosure of bugs (including the patch-information that Microsoft publishes) will be a source of information for hackers. Its not even that hard: the patches Microsoft issues are usually small in scope and only affect a certain number of files. Any security researcher worth their salt can reverse-engineer the problem from the patch information alone, even if Microsoft didn't document the problem.

The "Hard" part of security is looking for these bugs in the first place. Once the bug is known, then it a race for defensive teams to apply patches before offensive teams exploit the vulnerability.

-------------

This happened not because of any fault in Microsoft. This happened because NHS failed to apply patches in time to a publicly known bug. Well... more specifically, because the OS that they're running no longer supports patches.

[elasto]

For critical exploits, MS should release patches in such a way that they are not reverse-engineerable - for example by bundling them in with patches that make changes to vast numbers of files.

You know what would enable them to do that? Having plenty of time to release the fix because the security services have quietly let them know there's an issue, rather than being bounced into releasing an emergency fix.

There's plenty of blame to spread around here guys, including the Tory government for starving the NHS of funds.

Just because I criticise the security services, doesn't mean others aren't at fault too.