UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

UK hospitals have effectively shut down and are turning away non-emergency patients after ransomware ransacked their networks. Some 16 NHS organizations across Blighty – including several hospital trusts such as NHS Mid-Essex CCG and East and North Hertfordshire – have had their files scrambled by a variant of the WannaCrypt, …


        1. Chinashaw

          Re: Ransomware

          You might not, you might want to tie up resources and cause stress to enemy systems, much like snipers shooting people to wound and so tying up resources both medically and for the wounded soldiers friends.

        2. DavCrav

          Re: Ransomware

          "Because in warfare you destroy the opponents assets. You don't lock them up and demand a ransom."

          Never heard of privateers, have you?

        3. Allan George Dyer

          Re: Ransomware

          What a limited view of warfare you have. Why not lock up assets, demand a ransom, get paid and destroy the assets anyway?

    1. Anonymous Coward

      Re: Ransomware

      Surely a threat detection system can notice that a lot of files are being encrypted and pop up a warning to block that process and let you know.

      So why is there no universal endpoint protection system that does this? In fact this should be baked into the OS by now.

      I remember someone wrote a piece of software that put a honeypot file in every directory and checked them for changes. If they changed then the user account would be blocked immediately.

      Hopefully a major incident like this will spur some action from someone.
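The honeypot-file idea described in the comment above, written out as a Python tripwire. This is an added example for the thread, not the software the commenter remembers and not anything from the article. The decoy file name, the scratch directory layout used in the demo and the decision to key the hashes with HMAC are assumptions.

```python
"""Canary-file tripwire against ransomware.

Plant one decoy file per directory, keep a keyed hash of each, and on every
sweep report the decoys that were rewritten, renamed or deleted. A crypter
that walks the share rewrites the decoys along with everything else, so they
trip before most of the real data is gone.

Added example for this thread, not the tool the commenter remembers. The decoy
name, the scratch directory layout and the HMAC key handling are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Dict, List, Tuple

# Assumed decoy name: looks like an Office lock file, so users leave it alone.
CANARY_NAME = "~$do_not_touch.docx"


def _digest(key: bytes, data: bytes) -> str:
    # Keyed hash: an attacker who reads the baseline cannot craft a matching file.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def plant_canaries(root: str, key: bytes) -> Dict[str, str]:
    """Write a random decoy into every directory under root; return {path: digest}."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, _files in os.walk(root):
        path = os.path.join(dirpath, CANARY_NAME)
        payload = secrets.token_bytes(256)     # distinct content per decoy
        with open(path, "wb") as fh:
            fh.write(payload)
        baseline[path] = _digest(key, payload)
    return baseline


def check_canaries(baseline: Dict[str, str], key: bytes) -> List[str]:
    """Return every decoy whose content changed or which can no longer be opened."""
    tripped: List[str] = []
    for path, expected in baseline.items():
        try:
            with open(path, "rb") as fh:
                current = _digest(key, fh.read())
        except OSError:                       # deleted, or renamed with a ransom extension
            tripped.append(path)
            continue
        if current != expected:
            tripped.append(path)
    return tripped


def sweep(baseline: Dict[str, str], key: bytes, threshold: int = 1) -> Tuple[str, List[str]]:
    """One scheduled pass. In production the ALERT branch would kill the writing
    process, drop the offending SMB session and page someone; here it just reports."""
    tripped = check_canaries(baseline, key)
    return ("ALERT", tripped) if len(tripped) >= threshold else ("OK", [])


def demo() -> Tuple[str, List[str]]:
    """Plant decoys in a scratch tree, run a mock encryptor over one branch,
    and return (status, tripped paths relative to root) from the next sweep."""
    key = secrets.token_bytes(32)
    root = tempfile.mkdtemp(prefix="canary_demo_")
    for sub in (os.path.join("finance", "2017"), "hr"):
        os.makedirs(os.path.join(root, sub))
    baseline = plant_canaries(root, key)

    # Constructed stand-in for a crypter: overwrite every file under finance/
    # with random bytes, which is what in-place encryption looks like to the decoy.
    for dirpath, _dirs, files in os.walk(os.path.join(root, "finance")):
        for name in files:
            with open(os.path.join(dirpath, name), "wb") as fh:
                fh.write(secrets.token_bytes(256))

    status, tripped = sweep(baseline, key)
    return status, sorted(os.path.relpath(p, root) for p in tripped)


if __name__ == "__main__":
    print(demo())
```

The sweep only tells you something is wrong; the useful part is what the ALERT branch does next (kill the process, disconnect the session, stop the file server) and how often you run it, since a fast crypter can get through a lot of a share between two sweeps.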

      1. Pen-y-gors

        Re: Ransomware

        @AC

        "So why is there no universal endpoint protection system that does this, in fact this should be baked in to the OS by now.?"

        Because when Windows XP was being developed in 2001 no-one thought it was important (and I believe a lot of the NHS still uses that). Of course that doesn't excuse weaknesses in Win 10.

        1. Timmay

          Backup

          No need for messing about with clever detection routines that use up valuable system resources and still won't catch it early enough to protect everything - just backup your shit, ffs. There's so many lightweight endpoint backup solutions out there, there's no excuse - just roll back to a date/time just before the attack and carry on with your day.

          1. Anonymous Coward

            Re: Backup

            A backup is a start and will help you recover a few user docs that have aged a little, but if you believe that will save you from any issues you are clueless.

            Roll back your DB to your last backup 24 hours ago, or 5 hours ago or even 5 minutes ago and for some people you may as well not have a backup at all unless there are also systems in place to recover the data from then until a few seconds ago.

            If you think the issues being experienced today by the NHS could be solved just by putting last night's backup tape in and everything will be back to normal, why not go and knock on their door they would love to hear from you - similar to all the other organisations which may or may not be having a similar nightmare day today. You'll earn a fortune as a consultant.

            In fact why not hire yourself out as a consultant and guarantee that any company who hires you will never get into any serious trouble as you'll install a backup system for them. You better have a pretty good insurance policy backing you up on your claims though.

            1. Anonymous Coward

              Re: Backup

              If you're running a business-critical back-end database on a Windows box that is in any way accessible by a clueless user who can manage to get it infected with a virus, then my friend, you deserve all you get.

              1. Anonymous Coward

                Re: Backup

                "that is in any way accessible by a clueless user who can manage to get it infected with a virus, then my friend, you deserve all you get"

                Of course, it's all so easy. There is no way anything could run a privilege escalation attack on system process and then propagate through the network to trusted resources. Or open a hole in a previously secure protocol or hijack a privileged app updater routine, or etc etc.

                Life isn't so easy in the security arena. Anyone who thinks it is isn't responsible for systems security at anything approaching a large organisation.

              2. Anonymous Coward

                Re: Backup

                "If you're running a business-critical back-end database on a Windows box "

                Then in the last decade it has had way way fewer remotely exploitable vulnerabilities than say an Oracle database on a Linux box...

              3. Doctor Syntax Silver badge

                Re: Backup

                "then my friend, you deserve all you get."

                But your users and those they serve don't.

                1. Anonymous Coward

                  Re: Backup

                  @Doctor Syntax

                  Exactly. You're entirely responsible for your users and those they serve.

                  That's what you're expletive deleted being paid for!

              4. hoola Silver badge

                Re: Backup

                SQL Filestream anyone.......

                Equally clueless, and before the Linux advocates start honking on, the OS of the backend system is totally and utterly irrelevant. If it has SMB or CIFS available then it can be compromised. The same goes for any NAS appliance or anything else. This is a client driven attack.

            2. Anonymous Coward

              Re: Backup

              Roll back your DB to your last backup 24 hours ago, or 5 hours ago or even 5 minutes ago and for some people you may as well not have a backup at all unless there are also systems in place to recover the data from then until a few seconds ago.

              I worked on systems with this capability over two decades ago. This isn't rocket science.

            3. Anonymous Coward

              Re: Backup

              If you put your transaction logs on a secure server then you can load the last backup and run through the transaction logs to get to the same place as you stopped. Of course if you are silly enough to put the logs on the same machine then they will probably be useless, as they would be if you have a fire or a flood.

              There probably are clueless people about that do keep them on the same machine but let's hope they learn.
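The recovery path the two comments above describe (restore the last backup, then replay a transaction log that lives on a separate server up to the point you stopped), as an added Python example that is not from the page or from any NHS system. The record format, the toy key/value "database" and the appointment records are constructed for the demo; the hash chain over log records is an addition so that a truncated or edited log fails loudly on replay instead of quietly restoring garbage.

```python
"""Point-in-time recovery: nightly snapshot + off-box transaction log.

Constructed example for this thread. The log record layout, the toy
key/value store and the sample appointment data are all made up here.
Every record carries a sequence number and a SHA-256 chained to the
previous record, so replay notices a gap, reordering or an edited record.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def _record_hash(prev_hash: str, seq: int, op: str, key: str, value) -> str:
    body = json.dumps([prev_hash, seq, op, key, value], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def append(log: List[dict], op: str, key: str, value=None) -> dict:
    """Append one committed transaction. In practice this is the record you ship
    to the log server before acknowledging the commit to the application."""
    seq = len(log) + 1
    prev = log[-1]["hash"] if log else GENESIS
    rec = {"seq": seq, "op": op, "key": key, "value": value,
           "hash": _record_hash(prev, seq, op, key, value)}
    log.append(rec)
    return rec


def commit(db: Dict[str, str], log: List[dict], op: str, key: str, value=None) -> dict:
    """Apply a transaction to the live store and log it."""
    rec = append(log, op, key, value)
    if op == "put":
        db[key] = value
    else:
        db.pop(key, None)
    return rec


def snapshot(db: Dict[str, str], log: List[dict]) -> dict:
    """The nightly backup: a copy of the data plus the log position it is consistent with."""
    return {"data": dict(db), "seq": len(log),
            "hash": log[-1]["hash"] if log else GENESIS}


def restore(snap: dict, log: List[dict], upto_seq: Optional[int] = None) -> Tuple[Dict[str, str], int]:
    """Rebuild the store from a snapshot by replaying the log records after it.

    upto_seq stops replay early (roll back to just before a bad transaction).
    Raises ValueError if the chain is broken: missing, reordered or altered records."""
    db = dict(snap["data"])
    prev, applied = snap["hash"], snap["seq"]
    for rec in log:
        if rec["seq"] <= snap["seq"]:
            continue                                  # already inside the snapshot
        if upto_seq is not None and rec["seq"] > upto_seq:
            break
        if rec["seq"] != applied + 1:
            raise ValueError(f"gap in log before seq {rec['seq']}")
        if rec["hash"] != _record_hash(prev, rec["seq"], rec["op"], rec["key"], rec["value"]):
            raise ValueError(f"log record {rec['seq']} fails integrity check")
        if rec["op"] == "put":
            db[rec["key"]] = rec["value"]
        elif rec["op"] == "del":
            db.pop(rec["key"], None)
        prev, applied = rec["hash"], rec["seq"]
    return db, applied


def demo():
    """Take a snapshot mid-day, keep committing, lose the live host, recover."""
    db: Dict[str, str] = {}
    log: List[dict] = []
    commit(db, log, "put", "patient:1001", "appt 2017-05-12 09:30")
    commit(db, log, "put", "patient:1002", "appt 2017-05-12 10:00")
    nightly = snapshot(db, log)                       # consistent with seq 2
    commit(db, log, "put", "patient:1003", "appt 2017-05-12 10:30")
    commit(db, log, "del", "patient:1001")            # seq 4
    commit(db, log, "put", "patient:1002", "appt 2017-05-13 09:00")   # seq 5

    # Live host is encrypted; only the snapshot and the off-box log survive.
    full, n_full = restore(nightly, log)              # everything up to seq 5
    before_delete, n_part = restore(nightly, log, upto_seq=3)

    # Someone edits record 4 in the log copy; replay must refuse it.
    tampered = [dict(r) for r in log]
    tampered[3]["key"] = "patient:1002"
    try:
        restore(nightly, tampered)
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return full, n_full, before_delete, n_part, tamper_caught


if __name__ == "__main__":
    print(demo())
```

The snapshot alone gets you back to the state at sequence 2; the log gets you to 5, or to 3 if transaction 4 was the thing you are trying to undo. None of that works if the log sat on the same box as the data, which is the point the comment makes.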

          2. druck Silver badge

            Re: Backup

            According to at least one hospital official interviewed tonight; there is no electronic backup, there is no paper backup, more than likely patient data will not be recovered.

      2. Anonymous Coward

        Re: Ransomware

        "Surely a threat detection system can notice that a lot of files are being encrypted and pop up a warning to block that process and let you know. So why is there no universal endpoint protection system that does this, in fact this should be baked in to the OS by now.?"

        Malwarebytes claims that their Endpoint Security product for businesses will do this. They also have a free anti-ransomware product for desktops (beta for past year).

      3. AlbertH

        Re: Ransomware

        Hopefully a major incident like this will spur some action from someone.

        This is Windows you're talking about. "Security" just doesn't exist.

  1. frank ly

    Surprises?

    "... it also meant that the Trust’s telephone system is not able to accept incoming calls."

    Is that because they use VoIP?

    "My wife is a GP and their systems were just shut down ..."

    Is there not local storage and caching for local patient data? Either it's not very resilient or this is a massive attack.

    1. Anonymous Coward

      Re: Surprises?

      Well, yes, but who knows how far the ransomware/attack has penetrated so it's better to disconnect/shutdown and prevent further contamination/corruption while you assess the situation, fix the holes and recover.

      As for phones, plenty of DoH and NHS systems are using IP telephony that's dependent on the PCs being up, the phone number follows the user's network login so shutting down the PC means you lose telephony as well.

      1. Blotto Silver badge

        Re: Surprises?

        Unified Comms anyone? No handsets just a headset attached to the computer via USB or Bluetooth for the execs.

        What could possibly go wrong?

        Maybe critical infrastructures should use a separate dedicated network for voice, using protocols not compatible with TCP/IP to connect handsets to hardened gateways that can then connect to a provider's phone network, but crucially using the same physical connections as the data network.

        Maybe that's too radical an idea?

        1. usbac Silver badge

          Re: Surprises?

          @Blotto

          When we converted to VOIP, we set up physical IP phones, and put them and the VOIP servers on their own network segment firewalled off from the corporate network. We're talking about a separate physical network, not VLANs! The VOIP trunks have their own path to the internet.

          The firewall between networks only allows for an HTTPS connection originating from the corporate LAN to the VOIP servers for administration. And that's only allowed from two workstations.

          All of the IP phones are POE, and the POE switches are powered by an enterprise class 17 kVA UPS.

          If our data network goes down, we still have phones!

        2. TheVogon

          Re: Surprises?

          "No handsets just a headset attached to the computer via USB or Bluetooth for the execs."

          This is the NHS. USB headsets cost less than £20. IP phones typically cost over £300...

      2. not.known@this.address

        Re: Surprises?

        Um, no, it's the other way around - the phones will work quite happily without the PC as long as the switchboard is up, but the PC is just a paperweight if the phones go down (especially if someone thought it was a good idea to use decent-spec PCs as dumb terminals running Shitrix with Windows on the servers. I thought we did away with mainframes years ago but apparently not...)

    2. Anonymous Coward

      Re: Surprises?

      "Is there not local storage and caching for local patient data? Either it's not very resilient or this is a massive attack."

      My wife used to work at a Housing Association where her office (and all the others) were connected onto a single network with main servers in head office. Meant that if anything went wrong with head office or the networks between there and the regional office then while they might have some data stored locally on their PC they couldn't print anything as the print server controlling the printer in their office was in the head office!

    3. 100113.1537

      Re: Surprises?

      "Is there not local storage and caching for local patient data? Either it's not very resilient or this is a massive attack."

      Ever since data breaches became a big ticket item, local data storage became a no-no. You can't secure all GP's office computers, so you make sure they don't hold any data - the classic security bind.

      1. TRT Silver badge

        Re: Surprises?

        It's not just IP telephony. When the KCL system went down, it took out the virtual machine that was running the mapping of the circuit switching I/O cards in the exchange to the telephone number being dialled. The more they overthink the plumbing, the easier it is to stop up the drain.

      2. h4rm0ny

        Re: Surprises?

        I believe (having worked in the NHS) that it was safer when all the data was stored at individual GP practices. Firstly, this prevented a massive treasure trove of data being collected which will inevitably be stolen (if it has not already). Rather than numerous small troves which had to be individually gone after and thus weren't pursued by intelligence agencies or criminals. Secondly, it inherently partitioned the data according to need. Someone couldn't find the sexual history of their partner or look up the address of someone they were stalking just because they worked at ANY GP practice. When we pointed this out, they told us only people who had agreed to strict privacy controls were given access. By this they meant the bit of paper that every GP secretary and anyone else signs without reading. We pushed and were told that all accesses were logged but we investigated and at the time they weren't (not that this takes the place of restricting access). I.e. they lied to some of the people actually responsible for this stuff! Maybe those controls are implemented now but the principle that far, far more people have access to this data than need it remains in place.

        So no, I don't think it has made it safer even in principle. A thousand boxes, each individually locked and each containing a pittance. Or Smaug's heap of gold entrusted to whichever company's director is mates with the Health Secretary of the day. I know which I think is safest in principle.

  2. Mattjimf

    Oop North

    Not heard any panic up here in the North East so far.

    1. Tom 7

      Re: Oop North

      The internet and phones are down then!

  3. John Crisp

    Heart failure

    NHS suffers 'heart' attack

    Good luck to the patients

  4. 7-zark-7

    Telefonica Spain and Santander affected too.

    https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/

    1. TRT Silver badge

      Spanish flu?

      1. Robert Baker

        And introducing acoustic flu?

  5. Your alien overlord - fear me

    Pity the IT security staff had been let go to save on costs.

    1. Anonymous Coward

      IT support is outsourced.

      1. wolfetone Silver badge

        Nationalise the IT support comrades!

      2. Buzzword

        Re: IT support is outsourced.

        Pity it's after pub o'clock in India.

      3. not.known@this.address

        I was wondering if there might be something like that behind all this - has anyone checked to see if all the affected companies/organisations have a common factor like the same Outsourcer?

  6. Anonymous Coward

    Quick, someone blame Russia/DPRK/Iran/China/ISIS/Tory cuts/Donald Trump/Jeremy Corbyn/My local shopkeeper who looks dodgy and has a Russian sounding accent. Best to get it in there early to avoid confusion.

    1. Pen-y-gors

      I vote for 'Tory cuts' closely linked to 'Jezza Ffrynt-Botham'

    2. Flywheel

      You missed Brexit !

    3. h4rm0ny

      Quick, someone blame Russia/DPRK/Iran/China/ISIS/Tory cuts/Donald Trump/Jeremy Corbyn

      One of these is not like the others...

  7. wolfetone Silver badge

    You know, there's something to be said for not having a health care system attatched to the internet.

    1. Anonymous Coward

      It doesn't currently look like it came from the internet.

      1. adam 40 Silver badge

        It doesn't have to be connected to t'internet

        Exactly - all NHS computers I've seen recently have USB ports within a patient's reach, it just takes a miscreant to plug in a memory stick and blammo!

        1. Dwarf

          Re: It doesn't have to be connected to t'internet

          I take it that you've either been on a different planet or asleep under a rock whilst the variety of USB VID/PID control products hit the market then?

          It's trivially simple to control USB device insertion to only approved device types / types & serial numbers and/or to specific users.

          1. Tridac

            Re: It doesn't have to be connected to t'internet

            One of the simplest things to do on machines is to disable autorun on all drives, a primary access method for malware. Teach users to delete any emails that they don't recognise, disable scripting and stick to plain text emails only.

            The stupidity and cluelessness of this amazes me. All critical infrastructure should be on private networks with no direct access to the internet. Where access is needed, it should be via a single point, with firewalls and mail and attachment scanners that actually work. Those responsible for all this must be asleep at the wheel, unbelievable...

            1. Allan George Dyer

              Re: It doesn't have to be connected to t'internet

              @Tridac - "Teach users to delete any emails that they don't recognise"

              So do you open the email with the subject, "Please change my appointment"? Anyone whose job is to interact with the public can be targeted by a suitable email. Sure, dumping any email client with scripting support is good (if you disable it, do you trust that the next update doesn't turn it back on silently, for whatever reason), but how do you force the public to only send plain text?

              1. Tridac

                Re: It doesn't have to be connected to t'internet

                Opening an email doesn't run anything if scripting is disabled and if you click on an attachment without being sure who it's from then it's your own fault :-). For infrastructure and large organisations, secure setup can be handled via initial machine provisioning and automated, with application software settings locked down. The OS config should be bare bones, with all but needed services disabled by default. Perimeter firewalls should have all but needed ports blocked by default, ideally with separate hardware firewalls between each internal subnet. Wouldn't surprise me to hear that they have SMB shares across the global internet with no VPN, but that's a worst case scenario.

                Even Win Xp is fine in a properly configured and protected environment, but the whole system must be configured to design out the vulnerabilities. Assume that any network can be broken, given enough resources. Think systems engineering...
