Massive Worldwide Cyber Attack - UK NHS atacked !

[GTI]

seriously not looking forward to this weekend

grrr

You're doing a great job bud

[Undertaker]

initial vector was most likely some muppet downloading an "Invoice", from there it spread like wildfire. NHS organisations are interconnected through N3 network

Can understand the delay in patching vulnerabilties but I can't understand why the anti virus didn't pick it up.

windows 7 mostly in our hospital. many got encrypted but our core systems work on unix such as the Patient Administration System (PAS),

the register had a good break down on the ransomware , it worth a read if anyone want

also gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 worth a read

[muttleymacclad]

What av were you using undertaker?
What I find odd, is how vulnerable win7 is to this yet there's very little mention of win 7 in the press releases. It's all xp.

Sent from my D5803 using Tapatalk

[Raptor]

Another major cyber-attack could be imminent after Friday's global hit that infected more than 120,000 computer systems, security experts have warned.
A UK security researcher known as MalwareTech, who helped to limit the ransomware attack, warned of "another one coming... quite likely on Monday".
The virus, which took control of users' files, spread to 100 countries, including Spain, France and Russia.
In England, 48 NHS trusts fell victim, as did 13 NHS bodies in Scotland.
Some hospitals were forced to cancel procedures and appointments, as ambulances were directed to neighbouring hospitals free from the computer virus.
UK Home Secretary Amber Rudd said on Saturday that all but six NHS trusts' systems had been restored, but that "there's always more" that could be done to protect against computer viruses.
After taking computers over, the virus displayed messages demanding a payment of $300 (£230) in virtual currency Bitcoin to unlock files and return them to the user.
MalwareTech, who wants to remain anonymous, was hailed as an "accidental hero" after registering a domain name to track the spread of the virus, which actually ended up halting it.
'No reason to stop'

The 22-year-old told the BBC: "It's very important that people patch their systems now.
"We have stopped this one, but there will be another one coming and it will not be stoppable by us.
"There's a lot of money in this. There's no reason for them to stop. It's not really much effort for them to change the code and then start over.
"So there's a good chance they are going to do it... maybe not this weekend, but quite likely on Monday morning."
Fellow security researcher Darien Huss, from tech firm Proofpoint, echoed MalwareTech's view.
"I highly suspect that, with the amount of coverage that this incident is getting, there are probably already people that are working to incorporate the exploit that was used for spreading," he said.
Investigators are working to track down those responsible for the ransomware used on Friday, known as Wanna Decryptor or WannaCry.
'Bring them to justice'

The virus exploits a vulnerability in Microsoft Windows software, first identified by the US National Security Agency, experts have said.
Europol described the cyber-attack as "unprecedented" and said its cyber-crime team was working with affected countries to "mitigate the threat and assist victims".
Oliver Gower, of the UK's National Crime Agency, added: "Cyber criminals may believe they are anonymous, but we will use all the tools at our disposal to bring them to justice."
Update not applied

In the UK, critics said the government had known about the threat of a cyber-attack for some time, but hospitals had not made the right upgrades to protect themselves.
A security update - or patch - was released by Microsoft in March to protect against the virus, but it appears many organisations had not applied it or were using an older version of the operating system no longer supported - namely Windows XP.
Kingsley Manning, a former chairman of NHS Digital, claimed that several hundred thousand computers were still running the out-of-date operating system.
Media playback is unsupported on your device

Mr Manning told BBC Radio 4's PM programme: "Some trusts took the advice that was offered to them very seriously and acted on it and some of them may not have done.
"If you're sitting in a hard-pressed hospital in the middle of England, it is difficult to see that as a greater priority than dealing with outpatients or A&E."
NHS Digital said that 4.7% of devices within the NHS use Windows XP, with the figure continuing to decrease.
The Liberal Democrats and Labour have both demanded an inquiry into the cyber-attack.
Get news from the BBC in your inbox, each weekday morning
Let's block ads! (Why?)


BBC News

[Undertaker]

we were using mcafee, the strange thing was in the enterprise environment it kept going on and off last week. I don't know whether that is related or not. Once we are patched the next step is a full root cause analysis and recommendations. atleast there is money coming our way in what is a very under funded department. I'm not core IT but rather application and interface designer.

The MSM keep talking about xp because of past reports about NHS still using non supported machines, they don't understand that certain pieces of software highly specific to NHS devices such as labaratory kit, radiology, UNIX to MS word letter etc have not been ported to windows 7 and above.

Even web applications sometimes dont work with IE9 and above, so we are constantly having to test hundreds of applications before upgrades can take place and still maintain backward compatibility.

Imagine that across the hundreds of NHS organisations across the country and you start to understand why something like wanna cry can creep it. This is not the first and its definately not the last. I believe the next form of attacks are going to be direct hacking as we just let the world know that we are an easy target.

[Raptor]

Cyber-attack has hit more than 200,000 victims in 150 countries, says Europol chief, warning of "escalating threat"
This breaking news story is being updated and more details will be published shortly. Please refresh the page for the fullest version.
If you want to receive Breaking News alerts via email, or on a smartphone or tablet via the BBC News App then details on how to do so are available on this help page. You can also follow @BBCBreaking on Twitter to get the latest alerts.
Let's block ads! (Why?)


BBC News

[Raptor]

Media playback is unsupported on your device

Hospital trusts were repeatedly warned about cyber threats before the attack on computer systems on Friday, defence secretary Michael Fallon has said.
He told BBC One's Andrew Marr Show the NHS was given 'a large chunk' of money to improve its security.
Labour leader Jeremy Corbyn said on Saturday that an annual £5.5m deal with Microsoft to protect NHS devices had been renewed in 2014 but not since.
A handful of trusts are still dealing with disruption caused by the hack.
The ransomware, which locked users' files and demanded payment to allow access, spread to 150 countries, including Spain, Russia, the US and China.
In England, 48 trusts reported problems at hospitals, GP surgeries or pharmacies and 13 NHS organisations in Scotland were also affected.
Some hospitals were forced to cancel treatment and appointments and, unable to use computers, many doctors resorted to using pen and paper.
'Large chunk' of funding

Asked by Andrew Marr if the government had failed to give the NHS proper support and failed to pay for 'crucial' upgrades to security in 2015, Mr Fallon said £1.9bn had been set aside for UK cyber-protection - when cyber-attacks were identified as one of three main threats to the UK's defences.
Of that, he said: "We're spending around £50m on the NHS cyber systems to improve their security. We have encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP.
Fewer than 5% of the trusts used XP now, he said.
"We want them to use modern systems that are better protected.
"We warned them, and they were warned again in the spring. They were warned again of the threats.
However, Kingsley Manning, a former chairman of NHS Digital, - which provides the health services's IT systems - told the BBC on Saturday that several hundred thousand computers were still running on Windows XP.
Europol head Rob Wainwright warned on ITV's Peston on Sunday there was an escalating threat from the virus, known as Wanna Decryptor or WannaCry, as people returned to their workplace computers on Monday.
Security experts have warned another major cyber-attack could be imminent after 125,000 systems across the globe were affected on Friday.
UK security researcher "MalwareTech", who helped to limit the ransomware attack, has predicted another one coming as the new week begins.
'Kill switch'

MalwareTech, who wants to remain anonymous, was hailed as an "accidental hero" after registering a domain name to track the spread of the virus, which actually ended up halting it.
But he and fellow security researcher Darien Huss from tech firm Proofpoint, have warned the attack could happen again, without a "kill switch" in the virus that they say helped to stop its progress.
The cost of the attack is unknown, in the UK or beyond, but BBC analysis of three accounts linked to the ransom demands suggest hackers have already been paid the equivalent of £22,080.
The Liberal Democrats and Labour have both demanded an inquiry into the cyber-attack.
Get news from the BBC in your inbox, each weekday morning
Let's block ads! (Why?)


BBC News

[Undertaker]

sooo,

the aftermath

one example

server that deals with interfacing messaging to a number of critical systems, patch applied, rebooted, can't get the software working. 2 hours, scratching head, checking config etc. Windows server 2003 box. eventually figured it but thats a typical example of how patches cause knock on effects.

luckily most of our windows systems are on a virtualised environment, anything thats infected is gonna get killed and the whole VM image restored back to Friday morning. Somethings are going to be out sync but we gonna have to deal with it somehow,

the cost is immense,
Overtime payments are gonna rocket
never mind all the missed operations for patients

[Raptor]

Media playback is unsupported on your device

Cyber-attacks that have hit 150 countries since Friday should be treated by governments around the world as a "wake-up call", Microsoft says.
The computing giant said software vulnerabilities hoarded by governments have caused "widespread damage".
The latest virus exploits a flaw in Microsoft Windows first identified by US intelligence.
There are fears of further "ransomware" attacks as people return to work on Monday.
Many firms have had experts work over the weekend to prevent new infections. The virus took control of users' files, demanding payments to restore access.
The spread of the virus slowed over the weekend but the respite might only be brief, experts have warned. More than 200,000 computers have been affected so far.
A statement released by Microsoft on Sunday criticised the way governments store up information about security flaws in computer systems.
"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.
"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen."
Media playback is unsupported on your device

It added: "The governments of the world should treat this attack as a wake-up call."
Microsoft said it had released a Windows security update in March to tackle the problem involved in the latest attack, but many users were yet to run it.
"As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," the company said.
Temporary fix

Meanwhile Europol's chief told the BBC that that the ransomware was designed to allow "infection of one computer to quickly spread across the networks", adding: "That's why we're seeing these numbers increasing all the time."
Although a temporary fix earlier slowed the infection rate, the attackers had now released a new version of the virus, he said.
A UK security researcher known as "MalwareTech", who helped to limit the ransomware attack, predicted "another one coming... quite likely on Monday".
MalwareTech, who wants to remain anonymous, was hailed as an "accidental hero" after registering a domain name to track the spread of the virus, which actually ended up halting it.
Becky Pinkard, from Digital Shadows, a UK-based cyber-security firm, told AFP news agency that it would be easy for the initial attackers or "copy-cat authors" to change the virus code so it is difficult to guard against.
"Even if a fresh attack does not materialise on Monday, we should expect it soon afterwards," she said.
In England, 48 National Health Service (NHS) trusts reported problems at hospitals, doctor surgeries or pharmacies, and 13 NHS organisations in Scotland were also affected.
Other organisations targeted worldwide included Germany's rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, French carmaker Renault, US logistics giant FedEx and Russia's Interior Ministry.
Let's block ads! (Why?)


BBC News

[Raptor]

The public has been urged to use the NHS "wisely" as it discovers the full impact of Friday's global cyber-attack.
NHS England said there was a "complex emerging picture", amid concerns over thousands of computers being switched back on after the weekend.
Seven trusts out of 47 that were hit are still facing serious issues, but patients have been told to turn up for appointments, unless advised otherwise.
Some GPs are asking people to consider whether they really need appointments.
The virus that hit the NHS in England and Scotland, known as Wanna Decryptor or WannaCry, has infected 200,000 machines in 150 countries since Friday.
'Be patient'

The ransomware, which locks users' files and demands a $300 (£230) payment to allow access, spread to organisations including FedEx, Renault and the Russian interior ministry.
BBC analysis of three accounts linked to the ransom demands suggests hackers had already been paid the equivalent of at least £22,080 by early on Sunday.
In England, 47 trusts reported problems at hospitals and 13 NHS organisations in Scotland were also affected.
Some hospitals were forced to cancel treatments and appointments, and divert ambulances to other sites.
Anne Rainsberry, NHS incident director, said pathology services were the most seriously affected, alongside imaging services, such as MRI and CT scans, and X-rays.
She said despite the issues, patients had continued to be treated throughout the weekend, but asked people to think about the services they needed.
"Remember that [people] can seek help and advice from a range of other sources, such as pharmacies and NHS 111," Dr Rainsberry said.
"Bearing in mind the impact of the global cyber attack, I would urge people to be patient with staff."
Media playback is unsupported on your device

There is particular concern about the possibility of further infections at GP surgeries, many of which were closed over the weekend.
Some practices have advised staff due on shift on Monday not to turn computers back on until further notice.
GPs across the North East and North Cumbria areas of England have asked patients to consider whether they need appointments on Monday and Tuesday, as some practices still do not have full access to patient records, prescriptions, appointment systems and telephones.
The inquest begins...

By Rory Cellan-Jones, BBC technology correspondent
We now know that Friday's ransomware attack was a global cyber-crime, but the most serious impact was here in the UK on the National Health Service. So what made our hospitals so vulnerable?
There are plenty of theories - among them that far too many computers in hospitals were running Windows XP.
The government warned NHS trusts in 2014 that they needed to move away from XP as rapidly as possible.
But did they? At the end of last year the software firm Citrix said that a Freedom of Information request had revealed that 90% of hospitals still had machines running on Windows XP.
Read Rory's full analysis here
The head of Europol, Rob Wainwright, warned that more ransomware cases may come to light elsewhere on Monday as other organisations returned to work.
He told the BBC: "We've never seen anything like this."
The virus exploits a flaw in Microsoft Windows first identified by US intelligence.
Microsoft said Friday's incident was a "wake-up call" and reiterated that it had released a security update in March to protect computers from the virus.
"As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," the company said.
Back-up data

The UK's National Cyber Security Centre advised companies to keep software security patches up to date, use proper anti-virus software and back up the data that matters so they cannot be held to ransom for its return.
The government is insisting that the NHS had been repeatedly warned about the cyber-threat to its IT systems.
Defence Secretary Michael Fallon said £50m of £1.9bn set aside for UK cyber-protection was being spent on NHS systems to improve their security.
Sir Michael said trusts had been encouraged to "reduce their exposure to the weakest system [Windows XP]", with fewer than 5% of trusts using it now.
Government cuts?

But Labour criticised the Conservatives, saying they had cut funding to the NHS's IT budget and a contract to protect computer systems was not renewed after 2015.
Shadow health secretary Jonathan Ashworth also pointed to a report from the National Audit Office six months ago.
It highlighted how, in February 2016, the Department of Health had "transferred £950m of its £4.6bn budget for capital projects, such as building works and IT, to revenue budgets to fund the day-to-day activities of NHS bodies".
Get news from the BBC in your inbox, each weekday morning

---

Are you a patient or an NHS employee? Are you still being affected by the cyber attack and its aftermath? Share your story with us by emailing haveyoursay@bbc.co.uk.
Please include a contact number if you are willing to speak to a BBC journalist. You can also contact us in the following ways:

• WhatsApp: +44 7555 173285
• Send pictures/video to yourpics@bbc.co.uk
• Upload your pictures / video here
• Tweet: @BBC_HaveYourSay
• Text an SMS or MMS to 61124 (UK) or +44 7624 800 100 (international)

Let's block ads! (Why?)


BBC News

[doughboy]

https://www.renditioninfosec.com/201...h-tearst0pper/

Sent from my SM-N910F using Tapatalk

[Undertaker]

what a nightmare this turned out to be

over 1000 user pc's infected. a number of servers

servers rebuilt, sql databases restored but moved to newer servers meaning reconfig of accounts, jobs etc
gone patch crazy, everything is getting patched, and if it can't its getting isolated

things are getting better slowly,

the crazy thing is, people are stupid. Its obvious the computer is affected, yet users still plug the computer back into the network. We went as far as disabling the network points so they then attempt to connect over the wifi. plonkers

[Over Carl]

@ Undertaker, I hear you, and reading between the lines it seems the problem can be summed up as underfunded leading to underresourced and understaffed, which is part of a much deeper problem of IT not being taken seriously by the people who allocate resources/funding in many organisations.

Hypothetically speaking though it shouldn't be this big a mess.

In theory yes you should be fully testing out patches as soon as they come out. If you haven't got resources, define some test users (e.g. some workers who happen to be very IT literate so they can send you decent fault reports, who happen to have alternative machines available in case it goes wrong, and who are reasonably near you in case you end up having to reimage their machines). I remember even setting up a few dual boot systems for ultra critical desktops so if shit totally fucked up we could revert to the other drive/partition in a few moments (obviously the "other" partition had drive letter removed so could not access the "other" drive/partition).

Then use WSUS to keep them bang up to date. If anything goes wrong, roll back the updates that were last applied and do some more testing in IT dept, if no issues reported then roll out to everyone.

With regards to XP being unsupported, this may be true for domestic users like me. However I'm pretty certain MS said they would support XP for organisations willing to pay for it. So the only sensible choices I can see are to pay MS for extended support, pay to replace kit that is still perfectly functional but has major security issues, run the insecure kit totally offline with USB ports disabled and floppy/DVD drives removed, or contain the old insecure machines on a separate (v)lan that can't access the rest and accept that one compromised XP machine could easily knock out everything else around it.

I also remember being massively let down by McAfee when Conficker came out (this was before I was on top of updates). Funnily enough I had been suggesting we move to a decent AV solution for a couple of months prior to this. I remember on that day I asked my boss for permission to shut down all VPN's to contain the infection, permission was denied until one machine at a remote office got infected within approx. 1 hour of the head office being infected.

With regards to the suspected initial vector being an emailed fake invoice - this is where decent anti-virus (maybe in a UTM type device) is needed to scan before it even lands at the mailbox.

I remember doing the above as part of a massively understaffed and underresourced 2 man IT dept, and implementing such practices and methods that I thought of on my own initiative, and often staying back late so once I had finished "firefighting" I could crack on with this kind of serious stuff.

I remember towards the end of that job I was looking into Network Access Control which could automatically stop unpatched/infected machines from even being allowed on the network. Even though I thought I was dreaming way beyond what the company was willing to pay out for, I could see strong justifications. Never actually got round to that as I got sacked by my boss who then got sacked few months after he fired me, but if I was still there I would have at least tested the ideas and let the higher ups refuse my suggestions.

Another technique that could mititgate such attacks that I never got round to implementing was remotely reimaging machines, so in the case of a dead/infected machine it could easily be remotely restored in say an hour, instead of waiting for me to come over and swap the machine out.

I was only looking after 1 head office and up to 18 remote sites, max total of approx. 7-800 devices. I can't believe that an organisation the scale of the NHS does not have at least one whole team, if not regional/divisional teams to seriously work on security, in order to make sure a respectable effort is made.

This is just from my few years as an IT tech which ended a while ago. I'm guessing there is probably even newer and better stuff out now which probably goes beyond my thoughts.

I'm guessing this whole experience has not been fun for you, I hope once this is over you get to smile when you find out how much extra you made in overtime.