Tag Archives: hackers

NHS cyber-attack: hospital computer systems held to ransom across England

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Hospitals across England have been hit by a large-scale cyber-attack, the NHS has confirmed, which has locked staff out of their computers and forced many trusts to divert emergency patients.

The IT systems of NHS sites across the country appear to have been simultaneously hit, with a pop-up message demanding a ransom in exchange for access to the PCs. NHS England has declared a major incident. NHS Digital said it was aware of the problem and would release more details soon.

Details of patient records and appointment schedules, as well as internal phone lines and emails, have all been rendered inaccessible.

NHS Digital said: “A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organisations.

“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.

“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

“Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”

According to reports, affected hospitals include those run by East and North Hertfordshire NHS trust, Barts Health in London, Essex Partnership university NHS trusts, the university hospitals of Morecambe Bay NHS foundation trust, Southport and Ormskirk hospital NHS trust and Blackpool teaching hospital NHS foundation trust.

More reports of affected hospitals are continuing to stream in, as well as claims that GP surgeries are coming down with the virus, which demands a payment of $300 to release files it claims have been encrypted. The NHS has been unable to give a full list of the sites affected.

British law enforcement believes the attack is criminal in nature, as opposed to be a cyber attack by a foreign power, and is being treated as serious but without national security implications.

The National Crime Agency, which is Britain’s version of the FBI, was taking the lead in dealing with the investigation into the attack. Investigators believe the attack is significant with many computers affected across the country.

A spokesman for the National Cyber Security Centre said: “We are aware of a cyber incident and are working with NHS digital and the NCA to investigate.”

In a message to a Guardian reporter, one NHS IT worker said: “At approximately 12.30pm we experienced a problem with our email servers crashing. Following this a lot of our clinical systems and patient systems were reported to have gone down.

“A bitcoin virus pop-up message had been introduced on to the network asking users to pay $300 to be able to access their PCs. You cannot get past this screen. This followed with an internal major incident being declared and advised all trust staff to shut down all PCs in the trust and await further instructions.

“This is affecting the east of England and number of other trusts. This is the largest outage of this nature I’ve seen in the six years I’ve been employed with the NHS.”

Another NHS worker, who works at an Essex hospital but asked to remain anonymous, said: “We got some ransomware that came through on the computers at about 2pm. We were told to shut down, take out network cables and unplug the phones. A message came up for just one of our team about the fact that all the files would be wiped in two hours unless we gave $300 in bitcoins.”

She confirmed that the image that appeared on her colleague’s screen was the same as one that has already been circulated on Twitter, which says: “Ooops, your files have been encrypted!

“Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”

The screen tells users to send $300 worth of bitcoin to a bitcoin wallet address. It adds: “You only have three days to submit the payment. After that the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

A Barts spokesman said it was experiencing “major IT disruption” and delays at all four of its hospitals, The Royal London, St Bartholomew’s, Whipps Cross and Newham. He said: “We have activated our major incident plan to make sure we can maintain the safety and welfare of patients.

“We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals.”

GP surgeries across Liverpool and parts of Greater Manchester also appeared to have been affected by the cyber-attack.

The NHS Liverpool clinical commissioning group said: “Please be aware the NHS is experiencing serious IT problems today. Please only contact your GP surgery or hospital in a genuine emergency.”

One Liverpool GP, John Caldwell, said he had “no access to record systems or results” and described the disruption as “very limiting”. Dr Chris Mimnagh, a GP in Liverpool, told the Guardian that his surgery had “severed links” to the wider NHS network as a precaution.

He said: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results, we are dealing with urgent problems only, our patients are being very understanding so far.”

A spokesman for the Royal Liverpool and Broadgreen university hospitals trust said it was “aware that there’s an issue nationally and we’re reviewing our IT systems”.

A spokeswoman for Central Manchester university hospitals, the largest NHS trust in Greater Manchester, said she was “genuinely not sure” if they had been affected and that they were investigating.

A GP surgery in Bury, Greater Manchester, said all networks in the region had been affected. Peel GPs said on Twitter: “All Greater Manchester networks down – we cannot access any patient info plz RT @NHSBuryCCG.”

Doctors have been posting on Twitter about what has been happening to their systems.

A screengrab of a instant message conversation circulated by one doctor says: “So our hospital is down … We got a message saying your computers are now under their control and pay a certain amount of money. And now everything is gone.”

East and North Hertfordshire NHS trust said in a statement: “Today (Friday, 12 May 2017), the trust has experienced a major IT problem, believed to be caused by a cyber attack.

“Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.

“The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency.

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

The attack comes as several Spanish companies, including the telecoms giant Telefónica, were also targeted by a “massive ransomware attack”, according to Spain’s national cyber-security centre. The attack appears to present the same message to users as those targeting the NHS.

In a statement released following an apparent wave of attacks on Friday morning, the National Cryptology Centre said a cyber assault had been launched “against various organisations”, affecting Windows systems and corrupting networks and archives.

The ransomware used in the Spanish attacks is a version of the WannaCry virus, which encrypts sensitive user data, the National Cryptology Centre said. Telefónica confirmed there had been “a cybersecurity incident” affecting the intranet of some computers at its Madrid headquarters.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

AVIATION-RELATED PHISHING PASSWORDS

Facebooktwittergoogle_plusredditpinterestlinkedinmail

A wave of email-based phishing campaigns is targeting airline consumers with messages that contain malware that infects systems or links to spoofed airline websites that are personalized to trick victims into handing over personal or business credentials.

“Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket,” said Asaf Cidon, vice president, content security services at Barracuda Networks. Attachments, he said, are documents rigged with malware or are designed to download it from a command and control server.

Cidon said other aviation-themed phishing attacks contain links to spoofed airline sites. In these types of attacks, adversaries go to great lengths to spoof the airline’s site. In addition, attackers personalize the landing page with the target’s personal information in hopes of coaxing them to log in with either their company or airline username and password.

“It’s clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies,” Cidon said.

Recent phishing campaigns, he said, are targeting logistic, shipping and manufacturing industries.

Barracuda’s warning comes a week after the U.S. Computer Emergency Readiness Team issued an alert of similar attacks targeting airline consumers. It warned email-based phishing campaigns were attempting to obtain credentials as well.

“Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information,” according to the US-CERT warning.

The US-CERT warning was based on concerns Delta Air Lines had over a rash of fake websites designed to confuse consumers.

“Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel,” according to the Delta Air Lines warning.

Delta said some victims were sent emails that claimed to contain invoices or receipts inside attached documents. Attachments contained either dangerous viruses or links to websites that downloaded malware onto a victim’s computer.

When asked about the warning, Delta declined to comment.

More troubling to Barracuda researchers was the success rate adversaries are having with phishing campaigns it is tracking.

“Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails,” Cidon wrote in a research note posted Thursday. “This is one of the highest success rates for phishing attacks.”

In June, Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. Researchers say crooks attempting to install malware and perpetrate credential-harvesting attacks are more likely to use social engineering to trick people into installing malware than to exploit vulnerabilities with tools such as exploit kits.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Your LinkedIn Profile Might Be The Source of Hacker Attacks

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Why is LinkedIn So Attractive to Hackers?
Here’s a look at LinkedIn through a hacker’s eyes. Conducting a search for a specific organization on LinkedIn will turn up any number of professionals’ profiles, some of which will include the person’s business e-mail address. Once a hacker has seen a few e-mail addresses for the same company, he’s learned the company’s e-mail address structure ([email protected] ) and can build an e-mail list of employees to target. In fact, hackers can successfully guess 50 to 60 percent of all employee email addresses using this method.

Next, the hacker will formulate a phishing or social engineering plan. Using his knowledge of your firm’s IT platforms, his scheme could take the form of an e-mail that directs his unsuspecting victims to a webpage requiring them to enter their username and password credentials, for example.

The hacker will avoid including IT staffers on his distribution list, as that’s too likely to raise red flags. But customer service, accounting, marketing, and human resources personnel make much more attractive targets. The hacker will create urgency and emotion with his request. And, finally, he’ll send out his bait, hook his targets and voilá: he’s gained a foothold, the first step to getting the access he needs to breach the network and steal valuable credit-card, social-security or other data stores. A company’s worst nightmare has just begun.

As a penetration tester, my best efforts result in me finding a vulnerability like this, and helping companies close this security gap before real hackers find their way through. The scariest part of this scenario is that any company with more than 100 employees is at risk for this kind of stealth attack from an ill-intentioned hacker who has made LinkedIn his or her best friend.

What’s a Business to Do?
So, now that you know why LinkedIn has unwittingly become a hacker’s BFF, what’s a business to do? Companies have competing priorities when it comes to social media and LinkedIn in particular. They want their employees out there promoting the company, recruiting new customers and talent and driving up online visibility. But they also have a driving need to protect their data—especially in regulated industries where a data breach could cost them not only reputation points and customer loyalty, but also countless dollars in fines.

As far as anyone can tell, however. LinkedIn is here to stay. Smart companies will accept this fact, and quickly and effectively find the balance between freedom and security. Employees will continue to post personal data on LinkedIn, but their companies in turn will need to prevent that superficial information from becoming a hacker’s key to their business-critical data stores.

Here are three things your firm can do to protect your business-critical data:

1. Invest in good, frequent social engineering training.
Just because hackers can guess your employees’ e-mail addresses doesn’t mean your people should fall for their schemes and provide their login or other information. A strong social engineering training program can help your employees learn to recognize and resist a phishing scam. And one-and-done is not the way to go here; frequent reminders and follow-up training can help keep employees vigilant.

2. Develop a statement that clearly tells employees how your company will handle network security information.
For example, “We will never ask for your username and password,” or “All network-related communications will come only from this specific e-mail address.” This statement should be well known to all of your people and can prevent employees from sharing usernames and passwords with parties who have malicious intent.

3. Have a clear reporting process for suspicious activity.
Make sure employees know how to report social engineering schemes and suspicious e-mails. Keep it simple, maybe with a catch phrase, for example, like “See something? Say something.” Wallet cards or another physical reference might be a good idea here—anything that makes it easy to recognize a potential hacker and report suspicious activity before it becomes a full-blown network attack.

In today’s social media environment, it’s unrealistic to think that a business can avoid all exposure to hackers who are putting LinkedIn to work for their own purposes. However, educating and equipping your people can go a long way toward keeping your business-critical data safe and sound.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

HACKED: PUB CHAIN JD WETHERSPOON; 500,000+ CUSTOMERS’ RECORDS BREACHED

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Pub company JD Wetherspoon has confirmed that its database was the target of a cyberattack. The data breach could potentially affect over half a million customer records from the database.

A database of over 650,000 customers of UK pub chain JD Wetherspoon has been breached by unknown malicious hackers. According to a statement put out by the company, a “very limited” number of customers have had their credit and debit card details stolen, although they are unlikely to be used for fraudulent transactions.

While the card data was not encrypted, only the last four digits of payment card details were stored in the database to begin with, according to CEO John Hutson.

The statement read:

These credit or debit card details cannot be used on their own for fraudulent purposes, because the first 12 digits and the security number on the reverse of the card were not stored on the database.

In a BBC report, it is revealed that the database also held details of 656,723 customers such as:

  • Names
  • Dates of birth
  • Email addresses
  • Phone numbers

The breach is significant, despite the lack of financial information stolen as it is entirely within the realm of possibility that expert malicious hackers could potentially use the breached personal data to engage in identity theft of phishing campaigns.

In a letter to customers, Hutson stressed there was no evidence to show any fraudulent activity from the breached data. Customers are also recommended to stay vigilant against any emails or messages that request them to click or download any files or request any financial and personal data.

An excerpt from the statement read:

We apologize wholeheartedly to customers and staff who have been affected. Unfortunately, hacking is becoming more and more sophisticated and widespread.

The cyberattack struck the company’s old website between June 15 and June 17. The website has since been replaced. Wetherspoon was only made aware of the possible breach on December 1 while confirming it soon after.

The United Kingdom has weathered a blitz of cyberattacks lately with the TalkTalk hack proving to be the most prominent data breach in recent times. Over 4 million users’ personal details may have been compromised with the telecom and broadband provider noting that it might cost the company upwards of $50 million as a one-time financial hit.

Featured image The Flying Standard pub from Shutterstock.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Hacked Jeep USB update criticised

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.

Fiat Chrysler has not yet commented to the BBC.

‘Fishing for victims’

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

He said that using a device like this had wider implications.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.

In July, security researchers Charlie Miller and Chris Valasek demonstrated that it was possible for hackers to control a Jeep Cherokee remotely, using the car’s entertainment system which connected to the mobile data network.

The flaw affected up to 1.4 million vehicles sold in the US.

At the time, Fiat Chrysler issued a voluntary recall so that customers could visit a dealership to have the software updated in affected vehicles. It also made asoftware update available to download from its website for tech-savvy users.

Fiat Chrysler told technology magazine Wired: “Consumer safety and security is our highest priority. We are committed to improving from this experience and working with the industry and with suppliers to develop best practices to address these risks.”

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Hacking Drones

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leaked emails between Italian spyware vendor Hacking Team and Boeing subsidiary Insitu revealed that drones carrying malware to infect targeted computers via Wi-Fi by flying over their proximity is close to becoming a reality.

Spyware-carrying drones were being discussed by Insitu, a division of Boeing and now-disgraced malware firm Hacking Team, according to leaked emails from the recent breach of the Italian company which have been posted on WikiLeaks, Engadget reported.

It was only the failure to come to terms over a non-disclosure agreement that kept Insitu and Hacking Team ‘teaming up’ together in order to create the malware infesting drone.

Early conversations took place regarding the inception and the possibility of a spy drone created by Boeing’s aircraft expertise, carrying malware that Hacking Team is notorious for. The concept was designing a drone capable of intercepting communications and hacking on-the-fly, via Wi-Fi. Discussions didn’t get far, however, when lawyers representing both companies couldn’t see eye-to-eye on a viable non-disclosure agreement.

The Talks Behind the Flying, Hacking Drone

Initial discussions kicked off when Giuseppe Venneri, a mechanical engineering graduate from UC and internee at Insitu took notice of Hacking Team’s “Galileo”, a piece of hardware otherwise known as the Tactical Network Injector. This is essentially designed to infiltrate networks and insert the malicious code via Wi-Fi networks to launch man-in-the-middle attacks and other exploits.

Venneri wrote to Emad Shehata, Hacking Team’s key account manager, stating:

We see potential in integrating your Wi-Fi hacking capability into an airborne system and would be interested in starting a conversation with one of your engineers to go over, in more depth, the payload capabilities including the detailed size, weight, and power specs of your Galileo System.

Shehata replied by sending in the standard Hacking Team NDA, to which Venneri responded with Boeing’s own PIA (Proprietary Information Agreement) which the intern noted “must be signed before we engage with potential partners.”

“Signing our PIA (attached) will dramatically shorten the authorization process at our end,” Venneri added. “Let me know if you are willing to sign our document to engage in conversations with us.”

It was at this point when Hacking Team’s Chief Operating Office Giancarlo Russo stepped into the conversation, taking the authority and stating: “I saw your document and it will require additional legal verification from our side regarding the applicability of ITAR and other U.S. Law,” he said. “In my opinion, for a preliminary discussion our non-disclosure agreement should be sufficient to protect both companies and as you will see it is including mutual provision for both parties and it will make things easier and faster for us.”

Venneri’s response was short and succinct: “If you are unable to review/sign our form, know it will take some time on our side to seek approval from our Boeing parent. Are you willing to consider our form?”

Communications went quiet for about a month after this exchange and Venneri sent in another email on 11 May 2015: “We corresponded with you about a month ago and were unsure about the progress going forward with preliminary discussions regarding any future collaborations. If you could please reconsider our mutual PIA, know that the questionnaire at the beginning of the document is just for gathering information and has no impact on the PIA itself. We have lots of Non-US companies under our PIA. If you or your legal team have any requested changes to our PIA please don’t hesitate to add them in the attached document.”

This was the last known correspondence taken from the leaks which came from the data breach two months later in July 2015. All NDAs are have been rendered obsolete and ineffective due to the Hacking Team hack.

Images from Wikimedia Commons and Shutterstock.

Original Source

Facebooktwittergoogle_plusredditpinterestlinkedinmail