Massive Worldwide Cyber Attack - UK NHS atacked !

[piggzy]

As you are probably aware there is really too much constantly breaking news to simply copy and paste.

So this is more to discuss.
At the moment 74 countries attacked. Russia the worst hit. UK actually not hit as badly as most other but the NHS has ground to a halt in some areas with so far 25 Hospitals hit and without IT completely .

Here is one link: http://news.sky.com/story/live-cyber...-down-10874343

Worst cyber attack in a long while.

Personally the MSM is having a field day and blowing the effects on the NHS way out of proportion.

[Undertaker]

wana cry variant version 2.0 using eternal blue exploit

3 bit coin addresses

https://gist.github.com/Epivalent/e2...5802b025e80e2c
http://blog.emsisoft.com/2017/05/12/...ware-outbreak/


400 of our PC's are goosed and need rebuilding

all because ms17-010 patch wasn't applied

it is not uncommon for enterprises to be behind patches as we need to test before deploying to thousands of machines in just one nhs organisation

exploit propagated quickly because of smb vulnerability

our staff are doing all nighters to apply the patch and also rebuild machines

people are saying the malware not only scans LAN but also internet.

apply your patches, can see this hitting big time on Monday when businesses boot up

[Undertaker]

i'm afraid they are not blowing the effect out of proportion, we shut down the network which means no access to pathology results, no access to medical notes held on computer systems etc

what a nightmare

[Undertaker]

labs having to print out results from analysers then phone them through,
radiology affected as well
on demand medical info accessible in electronic format held in multiple systems not accessible affecting direct patient care

we have contingency plans, but it means the NHS works in emergency major incident mode only. We can get by but because the network has been switched off we may have a lot of systems out of sync

seriously not looking forward to this weekend

grrr

[JonEp]

This was just waiting to happen, when Shadow Brokers released EternalBlue 4 weeks ago.

Microsoft addressed the exploit for support OS's in March without much fanfare.

When the news broke about the Shadow Brokers dump, Microsoft chucked out a press statement effectively telling everyone if your up to date with patches your good.

That's great until you look at all the out of support XP boxes out there still doing their thing many years later, often because the software their running won't run on new versions of windows, or because they just work and for the past 4 weeks have just waiting for the kiss on open port 445.

It just takes one infected PC on the same network and off it goes.


C_pfnkeXcAAm2ZB.jpg

[DJ OD]

Ms and probably a few other big chaps had pre release info as well. That's why the patches were out sharpish.

if ppl don't update...


DJ OD

[Bald Bouncer]

See how untraceable they are now, think you would need very big balls to sit this one out hoping for a ransom payment rather than a knock on the door....

[DJ OD]

Oh yeah.

you know the payload dropped a while ago... pre NSA public release even. As I said M$ and all the big companies had the prerelease.


DJ OD

[Raptor]

Media playback is unsupported on your device

IT experts are "working round the clock" to restore NHS computer systems hit by Friday's ransomware attack.
Ciaran Martin, head of the UK's cyber security agency, said it was doing "everything in our power" to get "vital services" back up and running.
The BBC understands about 40 NHS organisations and some GP practices were hit in England and Scotland, with operations and appointments cancelled.
Theresa May said the NHS had been caught up in an international attack.
Similar computer infections have been reported in a range of organisations in about 100 countries.
Some British hospitals and GPs were unable to access patient data after their computers were locked by the malicious program.
The NHS has not been affected in Wales and Northern Ireland.
'Highly technical'

NHS Digital said there was no evidence patient data had been compromised,
NHS England said patients needing emergency treatment should go to A&E or access emergency services as they normally would.
However, some ambulances have been diverted from affected hospitals and individual trusts have asked people to attend unless it is urgent.
Mr Martin, who leads the National Cyber Security Centre - part of GCHQ - said "thousands of organisations and individuals in dozens of countries" had been hit by the attack.
Those responsible have not been indentified yet.
He told the BBC: "It's important to understand that cyber attacks can be different from other forms of crime in that their sometimes highly technical and anonymous nature means it can take some time to understand how it worked, who was behind it and what the impact is.
"But our commitment is we will be as open as we can be, as soon as we can be, as our investigation continues."
Media playback is unsupported on your device

The malware used in the attack is called Wanna Decryptor and attacks Windows operating systems.
It encrypts files on a user's computer, blocking them from view, before demanding money, via an on-screen message, to access them again.
The demand is for a payment of $300 (£230) in virtual currency Bitcoin to unlock the files.
The virus is usually covertly installed on to computers by hiding within emails containing links, which users are tricked into opening.
Security chiefs and ministers have repeatedly highlighted the threat to Britain's critical infrastructure and economy from cyber-attacks.
'Hit the go button'

The former director for intelligence and cyber operations at GCHQ, Brian Lord, told BBC's Newsnight that the NHS was particularly vulnerable to such attacks because of its aging IT systems.
"Also [it has] very, very complex interconnectivity between surgeries, trusts, boards and so on," he said.
"So, as a consequence, there is an awful lot of openings for delivery of this type of basic malware."
Convicted hacker Jake Davis also told the programme: "The most terrifying thing about this is how simple it is.
Media playback is unsupported on your device

"It might have been a sophisticated criminal organisation or it might have just been some kid who hit the go button and a worm has just spread when they went to take a nap."
He said that two months ago Microsoft had issued a patch for the bug exploited by the virus, but some systems had not applied it.
In Russia, the Interior Ministry said about 1,000 computers had been hit.
Global impact

People tweeted photos of affected computers from other countries, including at a local railway ticket machine in Germany and in a university computer lab in Italy.
A number of Spanish firms - including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural - suffered from the outbreak.
Portugal Telecom, delivery company FedEx, a Swedish local authority and Megafon, the second largest mobile phone network in Russia, also said they had been affected.
Get news from the BBC in your inbox, each weekday morning
Are you a staff or a patient in the NHS? Have you been affected by this? If you are willing to do so, share with us by emailing haveyoursay@bbc.co.uk.
Please include a contact number if you are willing to speak to a BBC journalist. You can also contact us in the following ways:

• WhatsApp: +44 7555 173285
• Send pictures/video to yourpics@bbc.co.uk
• Upload your pictures / video here
• Tweet: @BBC_HaveYourSay
• Text an SMS or MMS to 61124 (UK) or +44 7624 800 100 (international)

Let's block ads! (Why?)


BBC News

[JonEp]

A little too late given the events yesterday but MS have now released a patch for XP to block the NSA tool.

https://blogs.technet.microsoft.com/...crypt-attacks/

Personal i think its a disgrace MS did not do this 4 weeks ago when they patched all the supported OS's, of all people they knew the numbers of XP boxes still switched on and connected to the internet. Completely irresponsible given the exploit requires nothing more than an ip address of a vulnerable box on the same network to infect.

[piggzy]

A little too late given the events yesterday but MS have now released a patch for XP to block the NSA tool.

https://blogs.technet.microsoft.com/...crypt-attacks/

Personal i think its a disgrace MS did not do this 4 weeks ago when they patched all the supported OS's, of all people they knew the numbers of XP boxes still switched on and connected to the internet. Completely irresponsible given the exploit requires nothing more than an ip address of a vulnerable box on the same network to infect.

They obviously thought it was a good opportunity to "push" people and business away from unsupported versions of windows onto newer ones. Not that simple in a big business in such a short time.
The Apple & Linux brigades will no doubt use this opportunity.

[muttleymacclad]

See how untraceable they are now, think you would need very big balls to sit this one out hoping for a ransom payment rather than a knock on the door....

Exactly, i think it would be safe to assume that if you're infected you're not getting your key to decrypt. Troy Hunt blogged this morning about this and the 3 bitcoin addresses used for payment had only got 48 payments so far. I reckon those bitcoin accounts will be quite closely monitored now and rather too hot to handle.

There's a kill-switch that's also been activated ( via a url in a bit of code - that someone has now registered that wasn't registered before - if the url was reachable then the code would exit and stop), so the spread will eventually grind to a halt. Begs the question, why was this code for a kill switch included in the payload ?

[Soulassassin]

I wonder if anyone will die in hospital due to a cancelled operation or treatment, will this be classed as murder?

[piggzy]

There's a kill-switch that's also been activated ( via a url in a bit of code - that someone has now registered that wasn't registered before - if the url was reachable then the code would exit and stop), so the spread will eventually grind to a halt. Begs the question, why was this code for a kill switch included in the payload ?

Yes some chap registered the domain which massively slowed the attack in the US but apparently it was already too late for Russia and Europe where the damage had already been done.
It allowed a lot in the US to patch in time or so I read.

[MHP]

Has this only affected unpatched XP boxes? What about the server OS's?

[piggzy]

Has this only affected unpatched XP boxes? What about the server OS's?

Have been trying to find answers to the same question. I cannot find a definitive answer but all reports only mention XP so for now I will assume that it must be an XP only issue until I see otherwise.
Shows how in the dark ages some things can be if massive companies and corporations are still massively reliant on an unsupported 16 year old operating system. In one sense I feel the blame cant be solely directed at MS.

[muttleymacclad]

Affects server 2003 aswell. I guess it would encrypt any file on any server if smb v1 is still enabled.

Sent from my D5803 using Tapatalk

[Raptor]

Media playback is unsupported on your device

A security researcher has told the BBC how he "accidentally" halted the spread of ransomware affecting hundreds of organisations, including the UK's NHS.
The man, known online as MalwareTech, was analysing the code behind the malware on Friday night when he made his discovery.
He first noticed that the malware was trying to contact an unusual web address - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - but this address was not connected to a website, because nobody had registered it.
So, every time the malware tried to contact the mysterious website, it failed - and then set about doing its damage.
MalwareTech decided to spend £8.50 and claim the web address. By owning the web address, he could also access analytical data and get an idea of how widespread the ransomware was.
But he later realised that registering the web address had also stopped the malware trying to spread itself.
"It was actually partly accidental," he told the BBC.
What happened?

Originally it was suggested that whoever created the malware had included a "kill switch" - a way of stopping it from spreading, perhaps if things got out of hand.
But MalwareTech now thinks the coder had included a mechanism to stop security researchers analysing the malware, which backfired.
Security researchers often analyse viruses on a virtual machine or "sandbox" - a secured, disposable computer environment with no important files that might be destroyed.
MalwareTech now thinks the software's attempt to contact the mysterious web address - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - was a way of checking whether the malware was being analysed on a sandbox.
On a real computer, the website would fail to load. But a virtual machine might behave differently.
"The malware exits to prevent further analysis," MalwareTech wrote in a blog post.
"My registration... caused all infections globally to believe they were inside a sandbox and exit… thus we initially unintentionally prevented the spread and further ransoming of computers."
Does this mean the ransomware is defeated?

While the registration of the web address appears to have stopped one strain of the malware spreading, it does not mean the ransomware itself has been defeated.
Any files that were scrambled by the ransomware will still be held to ransom.
Security experts have also warned that new variants of the malware that ignore the "kill switch" will appear.
"This variant shouldn't be spreading any further, however there'll almost certainly be copycats," said security researcher Troy Hunt in a blog post.
Let's block ads! (Why?)


BBC News

[Raptor]

[unable to retrieve full-text content]
A total of 48 NHS trusts were hit by cyber-attack, of which all but six are now back to normal, says home secretary

BBC News

[tombott]

I feel for anybody having to clean up this mess.
Just glad all our core servers are Linux.