
FBI, DHS, HHS Warn of Imminent Ransomware Threat Against U.S. Hospitals

475 points | 5 years ago | krebsonsecurity.com

329 comments

[+] haswell|5 years ago|reply
This is not what we need in these final chapters of 2020 with COVID cases spiking.

> Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.

This is what terrorism looks like in 2020. Horrifying, terrifying, disgusting.

[+] Thorrez|5 years ago|reply
>terrorism

Isn't ransomware profit-motivated? I thought with terrorism the goal was fear rather than profit.

[+] uhs-employee|5 years ago|reply
The hospital chain I work for was hit with ransomware last month. Door locks, time clocks, and photocopy machines still worked, but all computers were down. We use paper records, but it was frustrating and inconvenient. We're not allowed to pay due to laws. Corporate started slowly building us a brand new, but terrible, network 5 weeks after the old one went down. Definitely caused a little staff burnout, but not more than corporate's relentless attempts to extract additional profit from us at the expense of our patients and our wellbeing.
[+] FireBeyond|5 years ago|reply
Wasn't there a ransomware case in Germany recently where when they advised the hackers that they'd hit a hospital, the hackers immediately turned over the unlock keys, without a ransom?

Not that that is any way a defense, and I'm sure there was as much a self-interested motivation of "We are going to be hit hard if we ransom a hospital _now_" as much as "doing the right thing"...

[+] wrkronmiller|5 years ago|reply
> This is what terrorism looks like in 2020.

Given the (extra-)legal powers that are activated by that word, I'd be circumspect in using it.

Many crimes are "horrifying, terrifying, [and] disgusting" without rising to the level of terrorism.

[+] Larrikin|5 years ago|reply
Why the assumption that it's terrorism and not a state-sanctioned attack?
[+] dfsegoat|5 years ago|reply
I wonder at what threshold asymmetric responses get put into play, with these actors clearly focused on basic terrorism. At what point is a ‘kinetic response’ to a cyberattack warranted ?

Edit: got to point

[+] jariel|5 years ago|reply
Terrorism is almost, but probably not exactly the right word, but it's 'of that level of concern'.

If Hospitals nation-wide are under attack, it's a massive national security issue.

We need to figure out some kind of new way to secure general purpose devices - and also - there needs to be much more investment in thwarting and retaliating against these people.

If some random hackers can do this - imagine how badly and quickly a foreign state actor with deep pockets could shut things down.

[+] onetimemanytime|5 years ago|reply
>>This is not what we need in these final chapters of 2020 with COVID cases spiking.

That's a play on "why do you rob banks". Some choice those hospitals have.

[+] dzhiurgis|5 years ago|reply
I sometimes wonder how much of Covid could've been spread on purpose (aside from freedom fighters refusing common sense).
[+] kylebenzle|5 years ago|reply
Does anyone else feel that any organization that isn't doing regular secure backups with a way to restore that data deserves for this to happen? It's like an airplane running out of gas because the pilot forgot to fill up the tank. It's kind of step one of working with computers.
[+] mullingitover|5 years ago|reply
Interesting that DHS's public twitter has no word of this, and instead is a full-time campaign ad for the border fence.

It's also ironic that for all the pervasive government surveillance of the internet, this stuff just flies right under the radar. I thought the whole point of this surveillance was for our protection?

[+] blendo|5 years ago|reply
Bad health IT is a public health issue.

Perhaps it’s time for hospitals to regularly report their OS versions and patch levels to our local health departments.

[+] Mary-Jane|5 years ago|reply
The regulatory environment in the Health Care industry is based on the premise that any change risks patient safety. Changing a single line of CSS literally takes 6 months to test, validate, document and get approval for, so everyone's afraid to change a thing. You can't automate anything because the current process survived 7 audits and regulatory is afraid changing it might raise an alarm. You'd be stunned at the number of hospitals still running Windows XP. Most systems use a plain text messaging protocol designed in the 80's -- no encryption or authentication anywhere to be seen, and half of them write messages to disk because "it's safer". If ever there was an example of well intentioned regulation gone horribly wrong this is it. The whole industry is a cyber security nightmare waiting to happen.
[+] samename|5 years ago|reply
My hospital was offline for a whole week because they got hit by a ransomware attack, and they use Epic. I asked someone I knew at Epic what she knew about it, and she confirmed that my hospital was up-to-date on the latest version of their software and following most of their security protocols. My initial thought was they had weak IT security and now I'm not so sure.
[+] djsumdog|5 years ago|reply
If there's a zero day, there's not a lot you can do. The NHS got hit so badly because they were running very old Windows versions. A lot of embedded systems have no upgrade paths (MRIs running embedded XP should probably not be on the network at all).

Hospitals need full backup machines, and with health care costs already through the roof, that will just add more. Even if you have all your order entry machines set up to not make external Internet connections except to update servers, one bad e-mail getting through and you could be in trouble.

[+] closeparen|5 years ago|reply
In general, regulated entities are required to regularly prove that their change-management processes are sufficiently heavy as to make regular patching a non-starter.
[+] baskire|5 years ago|reply
You could just have hospitals be required to meet FedRAMP compliance.

It is kind of crazy that HIPAA compliance isn't encompassing enough.

[+] dheera|5 years ago|reply
Also, stop using Windows in the healthcare system. Windows is a risk.
[+] bamboozled|5 years ago|reply
Is this the hospitals fault, or as software engineers and tech entrepreneurs, our fault?
[+] therockspush|5 years ago|reply
As diabolical as this is, you wouldn't really need state level actions to take down hospitals.

Anyone who has been to one in the last year, pre-covid even, understands the ferris wheel of nurses and doctors that churn through the butter of what goes on there.

These weren't exactly hardened targets to begin with.

[+] nomercy400|5 years ago|reply
Consider a hospital like a person's body.

If you don't nurture a wound, you'll get an infection. If you don't clean your hands before eating or you eat something foul, you get diarrhea. The outside world is a dangerous place, and if you wish to interact with it, you should have your defences in order and take necessary precautions. And then still bad actors will get through, such as the yearly flu, so you must deal with that as well.

You won't defeat the outside world with offense, there's just too much out there, adapting too fast.

[+] enahs-sf|5 years ago|reply
I'm not sure how, but somehow, I suspect that my health insurance premiums are about to increase.
[+] EQYV|5 years ago|reply
If this attack results in actual loss of life, I firmly believe the US should ensure that there are real-world physical consequences for these criminals. They cannot be described as anything less than the worst humanity has to offer. A failure to respond with meaningful and severe consequences for those responsible (assuming this attack can be confidently attributed to a particular threat actor) opens the floodgates. Time to find out how seriously the US takes its own cyber doctrine.

https://www.reuters.com/article/us-usa-defense-cybersecurity...

[+] ificanhelp|5 years ago|reply
This is truly appalling per se, even more so during a global pandemic.

If I can be of any help to stop this, disrupt these guys or whatever I'm ready to give a few of my days and nights to it. Contact email in my about.

I'm a professional developer with a dormant interest in ethical hacking. I've been following EH courses, done some CTFs ranging from basic web pen testing to crypto and assembly debugging, and been reading/watching keenly everything I saw on cyber-security in the past 5-6 years.

[+] shostack|5 years ago|reply
How similar does this sound to the NotPetya "digital nuke" Russia unleashed on Ukraine?

https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...

[+] throw_m239339|5 years ago|reply
I guess it will be another "for decades we didn't care about security because no obvious short term profits, now we will have to pay a great price" moments.

The article you linked is absolutely fascinating. Because network security improvements didn't grant higher-ups "bonuses", they didn't make the slightest effort to do what the engineers desperately asked.

> The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.

10 billion in damages later...

[+] sacks2k|5 years ago|reply
All you need is a Russian IP address and you too can be Russian.
[+] aitchnyu|5 years ago|reply
Is there an analysis of the stack (OS, apps) used by victim orgs and the holes in their systems? I'm guessing it's always EOLed Windows versions.
[+] Beached|5 years ago|reply
It is definitely not always EOL Windows; most ransomware I have seen runs on a modern OS, fully patched with up-to-date AV. It is not hard to create or distribute, or to mutate and keep active. It is not just Windows either; I have seen it for OSX and Ubuntu, even cloud services like Office365, Dropbox, etc.

99% of the time the hole in the system is the phishing email that the employee clicks on. You will be amazed how many link clicks, redirects, warning messages and notices people will just click through because "HR" needs to verify your payroll information or other nonsense that doesn't even make sense.

[+] vmception|5 years ago|reply
That's messed up if true, but why would a ransomware operator target them? I mean like, they don't really target, they just wait for people to install something right?
[+] throwawaypolicy|5 years ago|reply
Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.

Considering the timing it could also be geopolitical unfortunately, people dying from a ransomware attack could substantially raise the general tension level in the US.

Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.

It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a common deployed piece of software, which would allow them to skip the phishing part entirely.

[0] https://www.zdnet.com/article/first-death-reported-following...

Disclaimer: The company I work for is involved in detecting ransomware as a side business.

[+] PeterisP|5 years ago|reply
While the initial infection of a single workstation is often done by pray-and-spray phishing attacks, the common practice for modern ransomware attacks is that this is followed by a manually controlled attack by skilled teams. Spreading throughout the network and servers is not done by an automated virus; it's done by controlled malware, and the encryption is manually triggered when they think that the preparations are complete to do maximum damage, backups have been disabled/corrupted, etc.

So they do target the extortion; already the decision to move on from that initial foothold will be based on the understanding of what institution it is and how much they would be willing to pay. In this case, they have intentionally targeted hospitals.

[+] dmix|5 years ago|reply
Probably for initial infection it’s random but the negotiation for keys happens between real people.

Thieves must be heartless to go after such desperate targets. But criminals always have ways of justifying things.

[+] __s|5 years ago|reply
Hospitals may be coming up as the target with the highest ROI. Automation is often less than you expect.
[+] LinuxBender|5 years ago|reply
Do all these hospitals have backups that ransomware and automation can not tamper with? Is anti-tampering a requirement in their audits, or just detection? Have any hospitals started implementing secured workstations in kiosk mode? i.e. Windows 10 LTSC with all the hardening options enabled and AD permissions locked down and treating workstations as ephemeral devices.
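Two comments above describe the same stage of a hands-on-keyboard ransomware intrusion: PeterisP's point that encryption is triggered only after backups have been disabled or corrupted, and LinuxBender's question of whether hospitals detect tampering with their backups rather than just the final encryption. The block below is an added example, not code from the thread or from any commenter: a small detector that scans process-creation records for the shadow-copy deletion, backup-catalog purge and boot-recovery disabling commands that public reporting on Ryuk-style operators describes. The log lines are constructed for this example, and the record layout (timestamp, host, user, command line) is an assumption rather than any product's real format.

```python
"""
Added example: flag backup-tampering commands in process-creation logs.
Record format (timestamp host user command-line) is an assumption; the
sample log lines are constructed, not taken from a real incident.
"""
import re
from dataclasses import dataclass

# Commands that legitimate admins rarely run interactively but ransomware
# operators run routinely right before triggering encryption.
TAMPER_PATTERNS = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadow_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_shadow_delete",
     re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_status_ignore",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Assumed layout: ISO timestamp, hostname, DOMAIN\user, then the full command line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_line(line):
    """Split one record into its fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Names of every tampering rule the command line matches."""
    return [name for name, pat in TAMPER_PATTERNS if pat.search(cmd)]


def scan(lines):
    """One Alert per (record, matching rule), in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec["cmd"]):
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rule, rec["cmd"]))
    return alerts


def hosts_with_staging(alerts, min_distinct_rules=2):
    """Hosts where several distinct techniques fired: the 'preparations
    complete' stage, a much stronger signal than any single command."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_distinct_rules)


# Constructed sample records: one benign scheduled backup, one benign
# 'list shadows', a burst of tampering on a file server, and a single
# PowerShell shadow-copy deletion on a workstation.
SAMPLE_LOG = [
    r"2020-10-28T02:14:07Z WS-RAD-03 CORP\jsmith C:\Windows\System32\notepad.exe C:\temp\notes.txt",
    r"2020-10-28T02:31:55Z SRV-FILE-01 CORP\svc_backup wbadmin start backup -backupTarget:E: -include:C: -quiet",
    r"2020-10-28T03:02:13Z SRV-FILE-01 CORP\jsmith cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    r"2020-10-28T03:02:14Z SRV-FILE-01 CORP\jsmith cmd.exe /c wbadmin delete catalog -quiet",
    r"2020-10-28T03:02:15Z SRV-FILE-01 CORP\jsmith cmd.exe /c bcdedit /set {default} recoveryenabled No",
    r"2020-10-28T03:02:16Z SRV-FILE-01 CORP\jsmith cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"2020-10-28T03:05:40Z WS-ICU-12 CORP\mlee vssadmin list shadows",
    r"2020-10-28T03:09:02Z WS-ICU-12 CORP\mlee powershell -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command_line}")
    print("hosts staging for encryption:", hosts_with_staging(found))
```

The single-command alerts are worth paging on, but the per-host aggregation is the part that answers the "detection vs. anti-tampering" question: a file server that deletes its shadow copies, purges the backup catalog and disables boot recovery within seconds is an operator finishing preparations, and that is the last window in which isolating the host still protects the data. Detection of this kind is a complement to, not a substitute for, backups the compromised domain cannot reach at all.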
[+] TheBobinator|5 years ago|reply
The actors responsible are doing an all-out attack to maximize profits, as US large corps and the military are currently targeting their networks to prevent election tampering. These botnet networks have proven difficult to disrupt even for them. This is a profit maximization effort for them, and probably one they'll do right before folding and disappearing, as the last time hospitals and police were directly targeted national governments began disappearing the perpetrators.

What'd be heartless is if the malware, such as the Ryuk ransomware in December of 2019, had a bug in it that prevented the decryption key from working and all it did was garble and trash data.

Be forewarned, a few groups deploying ransomware are on sanctions lists, which carries direct liability if you pay them. If you're the IT staff, make the CFO/CEO pay them and wash your hands of it.

[+] JohnCClarke|5 years ago|reply
InsurTechnix's founders experienced the effects of cyber attacks on multiple hospitals at our previous start-up. That's one of the reasons we founded InsurTechnix.

Here's an introduction to our ransomware report: https://youtu.be/2yDqp34JN9k

If any hospital CISO and/or IT admin would like a three month free trial - even just to get through the current attacks - please reach out.

[+] marketingPro|5 years ago|reply
US hospitals are ripe to attack. They make huge profits and use extremely outdated tech or use new (untested) software.

I take this opportunity to complain about regulatory capture and the medical cartels. Their constant irresponsibility (opioid epidemic, coronavirus response) affects everyone. Yet they still are paid more than any other industry.

[+] easton_s|5 years ago|reply
My local hospital was hit with ransomware. They had backups, but it took almost 5 months to get back to normal.