Tag Archives: vulnerability

NHS cyber-attack: hospital computer systems held to ransom across England

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Hospitals across England have been hit by a large-scale cyber-attack, the NHS has confirmed, which has locked staff out of their computers and forced many trusts to divert emergency patients.

The IT systems of NHS sites across the country appear to have been simultaneously hit, with a pop-up message demanding a ransom in exchange for access to the PCs. NHS England has declared a major incident. NHS Digital said it was aware of the problem and would release more details soon.

Details of patient records and appointment schedules, as well as internal phone lines and emails, have all been rendered inaccessible.

NHS Digital said: “A number of NHS organisations have reported to NHS Digital that they have been affected by a ransomware attack which is affecting a number of different organisations.

“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.

“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.

“This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

“Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available.”

According to reports, affected hospitals include those run by East and North Hertfordshire NHS trust, Barts Health in London, Essex Partnership university NHS trusts, the university hospitals of Morecambe Bay NHS foundation trust, Southport and Ormskirk hospital NHS trust and Blackpool teaching hospital NHS foundation trust.

More reports of affected hospitals are continuing to stream in, as well as claims that GP surgeries are coming down with the virus, which demands a payment of $300 to release files it claims have been encrypted. The NHS has been unable to give a full list of the sites affected.

British law enforcement believes the attack is criminal in nature, as opposed to be a cyber attack by a foreign power, and is being treated as serious but without national security implications.

The National Crime Agency, which is Britain’s version of the FBI, was taking the lead in dealing with the investigation into the attack. Investigators believe the attack is significant with many computers affected across the country.

A spokesman for the National Cyber Security Centre said: “We are aware of a cyber incident and are working with NHS digital and the NCA to investigate.”

In a message to a Guardian reporter, one NHS IT worker said: “At approximately 12.30pm we experienced a problem with our email servers crashing. Following this a lot of our clinical systems and patient systems were reported to have gone down.

“A bitcoin virus pop-up message had been introduced on to the network asking users to pay $300 to be able to access their PCs. You cannot get past this screen. This followed with an internal major incident being declared and advised all trust staff to shut down all PCs in the trust and await further instructions.

“This is affecting the east of England and number of other trusts. This is the largest outage of this nature I’ve seen in the six years I’ve been employed with the NHS.”

Another NHS worker, who works at an Essex hospital but asked to remain anonymous, said: “We got some ransomware that came through on the computers at about 2pm. We were told to shut down, take out network cables and unplug the phones. A message came up for just one of our team about the fact that all the files would be wiped in two hours unless we gave $300 in bitcoins.”

She confirmed that the image that appeared on her colleague’s screen was the same as one that has already been circulated on Twitter, which says: “Ooops, your files have been encrypted!

“Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”

The screen tells users to send $300 worth of bitcoin to a bitcoin wallet address. It adds: “You only have three days to submit the payment. After that the price will be doubled. Also if you don’t pay in seven days, you won’t be able to recover your files forever.”

A Barts spokesman said it was experiencing “major IT disruption” and delays at all four of its hospitals, The Royal London, St Bartholomew’s, Whipps Cross and Newham. He said: “We have activated our major incident plan to make sure we can maintain the safety and welfare of patients.

“We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible. Ambulances are being diverted to neighbouring hospitals.”

GP surgeries across Liverpool and parts of Greater Manchester also appeared to have been affected by the cyber-attack.

The NHS Liverpool clinical commissioning group said: “Please be aware the NHS is experiencing serious IT problems today. Please only contact your GP surgery or hospital in a genuine emergency.”

One Liverpool GP, John Caldwell, said he had “no access to record systems or results” and described the disruption as “very limiting”. Dr Chris Mimnagh, a GP in Liverpool, told the Guardian that his surgery had “severed links” to the wider NHS network as a precaution.

He said: “Unable to access our clinical system – as a precaution our area has severed links to the wider NHS, which means no access to our national systems, no computers means no records, no prescriptions, no results, we are dealing with urgent problems only, our patients are being very understanding so far.”

A spokesman for the Royal Liverpool and Broadgreen university hospitals trust said it was “aware that there’s an issue nationally and we’re reviewing our IT systems”.

A spokeswoman for Central Manchester university hospitals, the largest NHS trust in Greater Manchester, said she was “genuinely not sure” if they had been affected and that they were investigating.

A GP surgery in Bury, Greater Manchester, said all networks in the region had been affected. Peel GPs said on Twitter: “All Greater Manchester networks down – we cannot access any patient info plz RT @NHSBuryCCG.”

Doctors have been posting on Twitter about what has been happening to their systems.

A screengrab of a instant message conversation circulated by one doctor says: “So our hospital is down … We got a message saying your computers are now under their control and pay a certain amount of money. And now everything is gone.”

East and North Hertfordshire NHS trust said in a statement: “Today (Friday, 12 May 2017), the trust has experienced a major IT problem, believed to be caused by a cyber attack.

“Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.

“The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency.

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

The attack comes as several Spanish companies, including the telecoms giant Telefónica, were also targeted by a “massive ransomware attack”, according to Spain’s national cyber-security centre. The attack appears to present the same message to users as those targeting the NHS.

In a statement released following an apparent wave of attacks on Friday morning, the National Cryptology Centre said a cyber assault had been launched “against various organisations”, affecting Windows systems and corrupting networks and archives.

The ransomware used in the Spanish attacks is a version of the WannaCry virus, which encrypts sensitive user data, the National Cryptology Centre said. Telefónica confirmed there had been “a cybersecurity incident” affecting the intranet of some computers at its Madrid headquarters.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Amazon AWS S3 outage is breaking things for a lot of websites and apps

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Amazon’s S3 web-based storage service is experiencing widespread issues, leading to service that’s either partially or fully broken on websites, apps and devices upon which it relies. The AWS offering provides hosting for images for a lot of sites, and also hosts entire websites, and app backends including Nest.

The S3 outage is due to “high error rates with S3 in US-EAST-1,” according to Amazon’s AWS service health dashboard, which is where the company also says it’s working on “remediating the issue,” without initially revealing any further details.

Affected websites and services include Quora, newsletter provider Sailthru, Business Insider, Giphy, image hosting at a number of publisher websites, filesharing in Slack, and many more. Connected lightbulbs, thermostats and other IoT hardware is also being impacted, with many unable to control these devices as a result of the outage.

Amazingly, even the status indicators on the AWS service status page rely on S3 for storage of its health marker graphics, hence why the site is still showing all services green despite obvious evidence to the contrary.

We’re monitoring the situation and will provide more info as it becomes available.

Source: https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Hacked Jeep USB update criticised

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.

Fiat Chrysler has not yet commented to the BBC.

‘Fishing for victims’

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

He said that using a device like this had wider implications.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.

In July, security researchers Charlie Miller and Chris Valasek demonstrated that it was possible for hackers to control a Jeep Cherokee remotely, using the car’s entertainment system which connected to the mobile data network.

The flaw affected up to 1.4 million vehicles sold in the US.

At the time, Fiat Chrysler issued a voluntary recall so that customers could visit a dealership to have the software updated in affected vehicles. It also made asoftware update available to download from its website for tech-savvy users.

Fiat Chrysler told technology magazine Wired: “Consumer safety and security is our highest priority. We are committed to improving from this experience and working with the industry and with suppliers to develop best practices to address these risks.”

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Critical Infrastructure at risk

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Critical infrastructure at risk from remotely exploitable NTP flaws

Remotely exploitable Network Time Protocol (NTP) vulnerabilities are leaving critical infrastructure firms open to attack, according to the Industrial Control Systems Computer Emergency Response Team (ICS-CERT).

ICS-CERT issued an advisory on the flaws, confirming it is working with over 20 vendors, including Google, to create fixes.

“As NTP is widely used within operational industrial control systems deployments, ICS-CERT is providing this information for US critical infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” read the advisory.

“These vulnerabilities could be exploited remotely.”

The multitude of flaws exist in all NTP Version 4 releases prior to Version 4.2.8p1 and are the result of “insufficient entropy”, the use of a cryptographically weak pseudorandom number generator (PRNG), a section of code without a return command and weak stack buffer, according to the ICS.

The emergency response team said it is yet to see any evidence any of the flaws are being exploited, but warned:

“An attacker with a low skill and an exploit script would be able to exploit these vulnerabilities. However, a higher-level of skill would be necessary to craft usable exploit scripts.”

It added that assessing the full scale of the flaws’ impact is difficult as it will depend on the individual company’s wider system.

“Impact to individual organisations depends on many factors that are unique to each organisation,” read the advisory.

“ICS-CERT recommends that organisations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

ICS-CERT recommends firms update to new unaffected NTP versions and take a variety of other protective measures.

“Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet,” read the advisory.

“Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

“[Finally] when remote access is required, use secure methods, such as virtual private networks (VPNs).”

The ICS-CERT advisory follows widespread warnings that firms involved in critical infrastructure are dangerously vulnerable to cyber attacks.

US president Barack Obama pledged to bolster the nation’s cyber security and intelligence-gathering powers in a bid to protect critical infrastructure and industry from terrorists during his State of the Union speech in January.

Facebooktwittergoogle_plusredditpinterestlinkedinmail