
[Closed] NHS in large scale IT shutdown

Posts: 78495
Full Member
 

Here's a turnup. The crypto may be broken, seems the private keys are vulnerable. It's potentially decryptable without paying.

https://twitter.com/khast3x/status/863114999736225793


 
Posted : 12/05/2017 11:18 pm
Posts: 1646
Full Member
 

Advice & Guidance hmm unless someone's job is on the line it won't be taken seriously, private industry the board will perhaps lose something on their share options, Gov depts nothing. Look at the ICO with fines for losing data one Gov dept fining another what's the point.

This will no doubt be spun out to be a "sophisticated attack from a nation state" only for two years down the line to be found to be a single spotted faced teenage youth pulling out the standard defense tactic. Hopefully a few successful extraditions to Gitmo Bay will add a bit of risk for them.

Winds me up something silly on the toerags who get their kicks on SWAT calls, if there is anyone worth having at the minimum a good Thomas A Smith Electric Rifle experience from the wrong side of the crosshairs.


 
Posted : 12/05/2017 11:19 pm
Posts: 78495
Full Member
 

I've just twigged, this isn't true. EternalBlue is an SMBv1 exploit. If you're stuck with XP, switch it off!

Update, I've just been fairly reliably informed that the remote code execution code "apparently" won't run on XP, so this may be a non-issue.


 
Posted : 12/05/2017 11:23 pm
Posts: 1646
Full Member
 

Patient Admin System - there's this new fangled thing called "the Web"

You can even emulate operating systems in web browsers, so input some text and get some output text could be done. So being lazy on your existing estate no need for file shares, printers all you need is a locked down PC even to the point of epoxy in the USB ports with just a browser.


 
Posted : 12/05/2017 11:25 pm
Posts: 0
Free Member
 

[quote=Cougar ]Here's a turnup. The crypto may be broken, seems the private keys are vulnerable. It's potentially decryptable without paying.
> https://twitter.com/khast3x/status/863114999736225793

Interesting - where has that come from? Is the PEM (including the private key) somewhere in the payload?


 
Posted : 12/05/2017 11:26 pm
Posts: 78495
Full Member
 

Exactly that, AIUI. (My original source had more info but the Tweet was deleted for some reason.)


 
Posted : 12/05/2017 11:30 pm
Posts: 0
Free Member
 

cyber criminals with poor cyber security then (hopefully) - who'd have thunk it?


 
Posted : 12/05/2017 11:33 pm
Posts: 8021
Full Member
 

Advice & Guidance hmm unless someone's job is on the line it won't be taken seriously, private industry the board will perhaps lose something on their share options

The evidence for this is somewhat limited.
NHS are the headlines here. Elsewhere in the world various corporations are headlining.
Patching is a nightmare especially when you are running a whole bunch of old systems since you have essential legacy software on it.

I don't think anyone is claiming it is a nation-state attack. Although it does seem to be using some of the NSA exploits that were released a couple of months back.


 
Posted : 12/05/2017 11:42 pm
Posts: 1646
Full Member
 

I work for a global outfit of about 130K users I suspect that one of our countries has had a hit (rumour only at present) totally agree patching is a nightmare. If you think PC's are bad welcome to the world of networks, I've seen switches and routers with 10+ years uptime aka no updates at all!

Thing is the lack of patching is usually not down to the IT/Comms teams, it's usually the business either refusing downtime to update or more likely not giving any budget for it.

Some PHBs will get the bullet for this but they are fall guys, I'm now getting increasingly bolshy when in meetings with our and theirs (customer) lawyers when it comes to system updates to defend my position on it all.

Usual outcome 12-18 months down the line the customer eventually awakens and becomes aware they need to do something and sends in a change request that results in a 7-8 figure number to sort out the crap they have let build up for the last 5-10+ years. If they are awash with money they can defer against taxes they'll spend it, if they have a national regulator breathing down their necks they'll spend it or they will quibble over every single nut bolt and washer never mind the large bits and we will just reduce or more likely exclude items/sites from SLA's and then when it hits the fan they will bluster we will do our best and then they will mutter and dip their hands in the pocket for a limited tactical fix, said tactical fixes over time will add up to lots more than doing it properly in the first place.


 
Posted : 13/05/2017 12:03 am
Posts: 78495
Full Member
 

Aaaaand it looks like it has a killswitch.

https://twitter.com/GossiTheDog/status/863160534308454400



 
Posted : 13/05/2017 12:37 am
Posts: 78495
Full Member
 

I've seen switches and routers with 10+ years uptime aka no updates at all!

Part of the issue here is that commands and functionality can change with new releases, it's not as simple as "apply the patch". Roll out a new firmware, you might need to rewrite a config to deal with deprecated / obsolescent syntax. That's a big deal if you've got hundreds of units out there.


 
Posted : 13/05/2017 12:40 am
Posts: 31206
Full Member
 

Those moaning about healthcare still using XP. I'm currently involved in writing software for a very popular radiotherapy system used worldwide. Want to guess what the OS is?

Legacy stuff is everywhere in this kind of stuff because writing new software to replace safety critical stuff that has worked well for 15 years is an unnecessary risk.


 
Posted : 13/05/2017 12:48 am
Posts: 0
Free Member
 

[quote=Cougar ]Aaaaand it looks like it has a killswitch.

Stranger and stranger - it appears that simply stops the propagation rather than the infection. However according to the twitter thread, the domain is owned by a cyber security company and went live sometime today. It's not apparent whether it's chicken or egg though - is the domain owner involved, did somebody spot that in the code and make it live, or is it just a coincidence?


 
Posted : 13/05/2017 12:56 am
Posts: 0
Free Member
 

[quote=GrahamS ]Legacy stuff is everywhere in this kind of stuff because writing new software to replace safety critical stuff that has worked well for 15 years is an unnecessary risk.

Using unsupported software with documented and unpatched security holes is an unnecessary risk! At some point people need to bite the bullet and upgrade the OS, because it's only going to get worse (there might be a point where most people no longer bother attacking XP - it appears it isn't actually targeted in this attack - but whilst people still use it it's going to be a tempting target for some). The only exceptions can be for completely isolated systems with no contact at all with the outside world - but you'd better be damn sure there is a complete air gap.

What really grinds my gears though is designing software specific to an OS - apart from extremely specialist stuff which needs low level access anything written properly originally for an XP platform should also work on later OS versions.


 
Posted : 13/05/2017 1:02 am
Posts: 0
Free Member
 

Parent of one of the guys at work got caught. Paid the fee and was given the de-encryption code.. Has to be entered for every file individually... 😯


 
Posted : 13/05/2017 1:06 am
Posts: 78495
Full Member
 

Stranger and stranger - it appears that simply stops the propagation rather than the infection. However according to the twitter thread, the domain is owned by a cyber security company and went live sometime today. It's not apparent whether it's chicken or egg though - is the domain owner involved, did somebody spot that in the code and make it live, or is it just a coincidence?

I don't have the answers (yet?) but it's both weird and interesting, isn't it.


 
Posted : 13/05/2017 1:12 am
Posts: 78495
Full Member
 

Parent of one of the guys at work got caught. Paid the fee and was given the de-encryption code.. Has to be entered for every file individually...

Should've wiped it and restored from their offline backups.

Etc, etc.


 
Posted : 13/05/2017 1:14 am
Posts: 78495
Full Member
 

Here's what it's doing, story so far.

http://blog.talosintelligence.com/2017/05/wannacry.html


 
Posted : 13/05/2017 1:55 am
Posts: 0
Free Member
 

The thing that grips me most about this is the angle that is being portrayed by the media as a bunch of people willing to totally shut down our health services for their own profit, which as has been said, isn't the case at all.

My analogy is of having a gate protecting your valuable assets, when it was new it was ok, but over time the years have weathered your gate and planks are falling off and there's holes in it everywhere - and you use this gate every day, and every day you open and close it, maybe you mutter to yourself 'should really do something about fixing this gate one day' and then one day you discover the gate wide open and your stuff is gone.

If this was a STWer leaving their bike unlocked and complaining it got stolen they would get a lot less sympathy.

The NHS were undoubtedly aware of these problems.. they've been widely reported on for years -

2014 - http://www.theregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss

2016 -
http://www.theregister.co.uk/2016/12/08/windows_xp_nhs_still/

2017 -
http://www.theregister.co.uk/2017/01/17/nhs_ransomware/

The failed NHS IT programme -
https://www.theguardian.com/society/2013/sep/18/nhs-records-system-10bn

would undoubtedly have pointed out these potential issues as well.

Basically at some point the decision was made that getting rid of these ancient vulnerabilities was not a priority, and that is what we should be outraged about, not some script kiddie doing the equivalent of strolling down the street trying every car door to see what's been left unlocked

/rant


 
Posted : 13/05/2017 8:35 am
Posts: 31098
Full Member
 

Microsoft still offer security patches for large organisations, if they pay.
The government stopped paying for this "service."

Ransomware you say?

Some links from back in the day:

https://www.theguardian.com/technology/2014/apr/07/uk-government-microsoft-windows-xp-public-sector
https://www.theregister.co.uk/2015/05/26/uk_gov_bins_extended_windows_xp_support_contract/


 
Posted : 13/05/2017 8:35 am
Posts: 2034
Full Member
 

So Microsoft are behind it then 😉


 
Posted : 13/05/2017 8:39 am
Posts: 50252
Free Member
 

So Microsoft are behind it then

Private company, working in [b]OUR[/b]* NHS? What did you expect?

😉

* Obligatory waffle as spouted by politicians these days. Never just "the NHS", is it?


 
Posted : 13/05/2017 8:42 am
Posts: 27
Free Member
 

This doesn't really come as a surprise to anyone. Glad it's getting extensive media coverage as it should be a kick up the ass to people (whether that's gov. or whatever) to invest in the security of data/systems - at least take security advisories seriously.


 
Posted : 13/05/2017 8:50 am
Posts: 31098
Full Member
 

Microsoft behind the attack? Of course not, but this vulnerability is, in order of importance, down to…

UK government
NSA
Microsoft


 
Posted : 13/05/2017 8:51 am
Posts: 31098
Full Member
 

Microsoft now rolling out a security fix for all old OS to all.
A fix already offered to those paying for extended support?

Ransomware you say?

[i][ edit: can't find anything to back this up, just heard it on BBC radio without any supporting cite, so pinch of salt time ][/i]


 
Posted : 13/05/2017 8:55 am
Posts: 1317
Free Member
 

Have read so many articles and opinions but tbh much of what I am reading is ill informed. Without knowledge/experience of vulnerability management across a 70yr old organisation / dependencies / risk involved in simply updating it is hard to really understand. E.g should they have updated all XP machines to Vista when it was launched? That would have caused an even bigger / more expensive issue. Do they update hardware to windows 10 making it obsolete? Interesting to read what Telefonica did - announce over megaphone for all staff to power down network connected hardware to stop. Bit harder at NHS when someone's life potentially on the line. Is everyone still running Windows 7 also guilty for not upgrading to 10. I have nothing to do with NHS but wish everyone working to get this resolved the best, sure they are working their backsides off right now. Not taking any view / comment re tech team at NHS as I don't personally know anyone there, just trying to pose some questions / give a little more background. From my experience where this is well managed, every update was assessed and was a risk vs reward decision. The goal of IT security is not to make a network impenetrable as this is impossible but to make it hard enough that attackers give up. Sometimes your decision can simply fall on the wrong side, be blocked or changed due to other influences at this scale.


 
Posted : 13/05/2017 9:10 am
Posts: 0
Free Member
 

I can't help thinking that a financially stretched NHS is a very vulnerable NHS.


 
Posted : 13/05/2017 9:13 am
Posts: 31098
Full Member
 

Good post sillysilly. Personally, I think blaming anyone for not constantly updating OS is a lazy, but persistent response. Unrealistic/practical to do so in many cases. As soon as the NSA exploit was exposed, Microsoft should have been offering patches for all OS, the damage done in the last 24 hours was avoidable. Of course, the patch wouldn't have been applied universally, but at least give your users a chance.

I've only just read up on the kill switch for this one… love that someone spotted and registered the domain before realising what it would do… accidental hero? Imagine if it had been a trigger for something worse rather than a kill switch though…

https://m.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/


 
Posted : 13/05/2017 9:15 am
Posts: 31098
Full Member
 

Microsoft now rolling out a security fix for all old OS to all.
A fix already offered to those paying for extended support?

Ransomware you say?

[ edit: can't find anything to back this up, just heard it on BBC radio without any supporting cite, so pinch of salt time ]

Found it…

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download...

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks


 
Posted : 13/05/2017 9:24 am
Posts: 0
Free Member
 

We only moved on from Windows XP because it was reaching end of extended support. We will only move on from Windows 7 when the same approaches. Anything that has to run XP for legacy reasons had to be removed from the network.

But then we have 7500 employees in the UK, not 1.4 million like the NHS.

You pays your money, you makes your choices. Running with known vulnerabilities carries a risk that has now materialised.


 
Posted : 13/05/2017 9:27 am
Posts: 31098
Full Member
 

A known vulnerability that Microsoft already had a patch for (in this case).


 
Posted : 13/05/2017 9:37 am
Posts: 0
Free Member
 

Predictable BS from those trying to make political capital.

Firstly "the Government" doesn't run the NHS. The NHS decides how to spend the budget it agrees with the Government.

Secondly major corporations like FedEx, Telefonica, Renault etc have all been equally affected.


 
Posted : 13/05/2017 9:58 am
 Drac
Posts: 50614
 

Look everyone Jamba is here.


 
Posted : 13/05/2017 9:59 am
Posts: 11
Free Member
 

Can't help but think cases like these are good examples of why organisations that expect to run software for potentially decades should now only use Open Source software.

The advantage being they have control over the source code and will be able to keep it patched etc. Obviously might not be cheap but would avoid the risk of not being able to do much when company X goes under or stops providing support for product Y.

I know of utility companies that are going the other way and replacing some FOSS systems with MS because hiring skilled staff was easier and cheaper for the latter - IMO it seems shortsighted given these systems have a Lifetime beyond the standard MS support dates.


 
Posted : 13/05/2017 10:13 am
Posts: 0
Free Member
 

Predictable BS from those trying to make political capital.

So you're denying that government policy and funding has any effect upon the resources to maintain the NHS?

Deluded.


 
Posted : 13/05/2017 11:03 am
Posts: 1317
Free Member
 

Useful analysis for anyone interested to understand scale / how it works:

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

Backup / fallback / disaster recovery gets interesting at this scale.


 
Posted : 13/05/2017 11:05 am
Posts: 0
Free Member
 

Microsoft now rolling out a security fix for all old OS to all.

Which is all very well for this bug, but they've known about it and had a patch for months - what about the next exploit they find? Will they wait until that causes major damage before doing the same?

If Cougar's source is right about the exploit not running on XP (even though the bug is there) it's all irrelevant though.


 
Posted : 13/05/2017 11:31 am
Posts: 0
Free Member
 

IMO it seems shortsighted given these systems have a Lifetime beyond the standard MS support dates.

As I suggested above, the problem is actually with having systems reliant on a particular OS version. Most stuff written for XP (heck even stuff written for NT) will still run on 10. This should in any case become less of an issue now 10 is supposedly the last version of Windows - I'm not quite sure how future updates will work but presumably something similar to Linux updates which aren't so fundamental (and you can update in place).


 
Posted : 13/05/2017 11:38 am
Posts: 31098
Full Member
 

Which is all very well for this bug, but they've known about it and had a patch for months - what about the next exploit they find? Will they wait until that causes major damage before doing the same?

[b]aracer[/b], I made it clear that my comments about Microsoft holding back a patch only applied to this vulnerability. That they had a patch, had supplied it to those who have paid but not to others, and that the exploit was developed by a USA government department and then posted for all due to a leak, means that there are questions to answer by the three groups I mentioned (UK Gov, NSA & Microsoft in that order). "Should have upgraded", while true, is shutting down the debate about why action wasn't taken by Microsoft and others to reduce the impact of this event, and others using the same exploit.

What should they do about other exploits? Don't know, point me to a non-hypothetical one and I can have an opinion.


 
Posted : 13/05/2017 11:44 am
Posts: 3073
Free Member
 

Even patches can cause issues, the latest office 2016 and Skype one created issues with discharge letters in our PAS system. This needs to be tested across all critical clinical systems before release.

Of course, we could spend tens of millions upgrading our PAS system but the business case won't get through......


 
Posted : 13/05/2017 11:51 am
Posts: 3676
Full Member
 

Of course, we could spend tens of millions upgrading our PAS system but the business case won't get through

Quite.

And then you've got the STP benchmarking stuff where they've compared the cost of IT per employee in each trust and the cheap ones (because in some cases they're muddling along on old, outdated systems) are being held up as examples of "efficiency" and everyone else is told to be like them.


 
Posted : 13/05/2017 12:03 pm
Posts: 0
Free Member
 

Did someone mention open source??

[url= https://www.nhsbuntu.org/ ]NHS LINUX[/url]


 
Posted : 13/05/2017 12:04 pm
 Drac
Posts: 50614
 

A website launched weeks before the attack. 😕


 
Posted : 13/05/2017 12:08 pm
Posts: 4097
Full Member
 

I'm going to stick up for Microsoft here. The vulnerability was shared with them, they released a fix for it on supported OS's in April. Now people on unsupported OS's got hit and it's somehow MS's fault. Sorry running an unsupported OS is like playing Russian Roulette, eventually you're going to lose.

Fair play to MS and the security industry at large, patches have been released for unsupported legacy OS's and details about the malware shared.

As others have said hopefully it will be a wake-up call to everyone in general. We supply software systems to the NHS. Our customers quite often have varying reasons for running old OS's. We only support supported OS's on our software but it will work on Windows 2000 plus. It's certainly going to be good ammunition when a customer says "But why won't you support your software on Windows XP?".


 
Posted : 13/05/2017 12:10 pm