HSE/Department of Health Hack

error type 11

No one gives a flying fuck about security or backups until something like this happens.
Surely they are in major trouble unless there are recent backups offline somewhere on tape. And if the exploit is a time bomb that's been sitting there a while they could potentially restore the problem from a backup as well surely. It's potentially tens of thousands of systems. Nightmare stuff
 

magicbastarder

I was in a meeting about a year ago, and one of the guys there said 'I was working in Maersk - actually in the operations room when we were hit' and there was an audible intake of breath from nearly everyone there.
That nearly sank Maersk (pun unintended) - IIRC what saved them was a domain controller which had been taken offline for maintenance before the attack and was still clean.
 

Cormcolash

magicbastarder said:
I was in a meeting about a year ago, and one of the guys there said 'I was working in Maersk - actually in the operations room when we were hit' and there was an audible intake of breath from nearly everyone there.
That nearly sank Maersk (pun unintended) - IIRC what saved them was a domain controller which had been taken offline for maintenance before the attack and was still clean.
Those pesky Somalians!!
 

rettucs

I had a meeting with Broadcom/Symantec during the week, about other issues, and they specifically warned us about Conti.
I read up about Conti there. So they get onto the systems and encrypt the shit out of as much shit, as quickly as they can.

But then I also heard on the news yesterday that the systems may have been hacked days ago, and their uninvited 'guests' may have been on there all that time.

Conti seems like something anyone can do once they have access to the system.

If someone gets onto one of my systems I will know about it in seconds, so what the actual fucking hell are they doing if they are unaware for days?

A couple of others alluded to it yesterday, but I've also heard from someone who has worked on a HSE IT project. He said that no one in the HSE wants anything to do with it. If they need something new/changed, they ring their bosses who put out a tender to consultancy firms to get that change made. Different bits of different systems were cobbled together by different companies and different teams, none of whom work for the HSE. It sounds like a shitshow.

I'm curious to see if the story runs for long once they have it sorted. Like, I'm sure a security audit will happen, but will they let the public know if it's gonna make them look bad. Probably not.

One of the lads I saw talking on the news was from a company called Smarttech. They're Cork based. We use those and they are absolutely great. They've kept us on the straight and narrow forever, and I sincerely hope someone of that caliber is in helping get this mess straightened out.
 

rettucs

Incidentally, I've worked with different SIEM systems over the years too. I remember the first time I did, and got visibility into the scale of attempted attacks on our infrastructure. We could get hit up to 1.5 million times a day. Admittedly these were mostly from bot farms, and their methods were very basic. Most of these attacks originated from the USA. Second would be China, followed by Russia.
 

rettucs

I mean, there would be ways for them to get on without it setting off the alarm. But entry from anywhere even remotely outside of where we expect people to connect from will trigger an alert.

I worked remotely from Latvia for a few days in December 2018 and it caused a security alert.
 
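Added example, not from the original post or from any SIEM product: the kind of location rule rettucs describes, run over a few constructed authentication events. The prefix-to-country table stands in for a GeoIP database, and the user names, IPs, expected-country set and four-hour travel window are all assumptions.

```python
"""Added example: flag logins from unexpected countries and impossible travel.

Constructed data throughout; the prefix table stands in for a GeoIP database
and the event lines stand in for SIEM-normalised SSH/VPN authentication logs.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed prefix -> country mapping (assumption; a real deployment
# would query a GeoIP database here).
GEO_TABLE = {
    "203.0.113.0/24": "IE",
    "198.51.100.0/24": "IE",
    "192.0.2.0/24": "LV",
    "100.64.0.0/10": "US",
}

# Countries from which logins are expected (assumption).
EXPECTED_COUNTRIES = {"IE"}

# Constructed auth events: UTC timestamp, user, source IP, outcome.
SAMPLE_EVENTS = """
2018-12-03T08:02:11Z alice 203.0.113.17 accepted
2018-12-03T08:40:05Z bob 198.51.100.9 accepted
2018-12-03T09:15:44Z alice 192.0.2.77 accepted
2018-12-03T09:20:00Z bob 100.64.12.3 failed
2018-12-03T21:00:00Z bob 100.64.12.3 accepted
"""


def geolocate(ip):
    """Map an IP address to a country code via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return "??"  # unknown prefix: treated as outside the expected set


def parse_events(text):
    """Parse the whitespace-separated event lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "outcome": outcome,
            "country": geolocate(ip),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, expected=EXPECTED_COUNTRIES, travel_window=timedelta(hours=4)):
    """Return alert tuples for successful logins that break the location rules.

    Two rules: (1) a successful login from a country outside `expected`;
    (2) "impossible travel": the same user succeeding from two different
    countries less than `travel_window` apart.  Failed attempts are ignored
    here; they belong to a separate brute-force rule.
    """
    alerts = []
    last_success = {}  # user -> most recent successful event
    for e in events:
        if e["outcome"] != "accepted":
            continue
        if e["country"] not in expected:
            alerts.append(("unexpected_location", e["user"], e["ip"], e["country"]))
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_window:
            alerts.append(("impossible_travel", e["user"], prev["country"], e["country"]))
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed events this raises three alerts: alice's login from LV (unexpected location, and impossible travel from IE an hour earlier) and bob's evening login from US. A login with valid credentials from an expected country passes both rules unnoticed, which is exactly the case a pure location rule cannot catch.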

magicbastarder


AFAIR, about ten telcos were infiltrated by APT10. And a bunch of high profile tech companies (Dell, HP, etc.) were also compromised to some extent by them. I was surprised that didn't get higher publicity at the time.

The bigger and more complex your organisation, obviously the more endpoints you'll have which will be in some way uncontrolled.
 

Cornu Ammonis

rettucs said:
what the actual fucking hell are they doing if they are unaware for days?
I know most data is sensitive but considering Tusla have also been affected, you’d hate to think what data is out there now that should be kept safe. And the fact that their referral system is down is a major risk for kids in need of help right now.
 

rettucs


magicbastarder said:
AFAIR, about ten telcos were infiltrated by APT10. And a bunch of high profile tech companies (Dell, HP, etc.) were also compromised to some extent by them. I was surprised that didn't get higher publicity at the time.

The bigger and more complex your organisation, obviously the more endpoints you'll have which will be in some way uncontrolled.
Interesting, thanks for posting. This bit struck me:

The attack began with a web shell running on a vulnerable, publicly-facing server

They don't elaborate on how it was vulnerable. You could argue that being public-facing in the first place makes it vulnerable. But, for example, anything public facing in my setup cannot be accessed without someone owning a private SSH key, after authenticating via 2FA. For a hacker to get in, they would need both the key and the person's phone (or just their laptop I suppose, if the user is running something like LastPass).

The point being that it is likely everything could have been nipped in the bud at step one.

It's not impossible that someone can get in. It's like locking your bike in public. If someone is gonna steal it, they're gonna steal it, but make it as fucking hard as possible and they might piss off and focus their attention on someone else.

The company I work for were initially in the travel sector. About 2.5 years ago we branched out into the financial services sector. That brings a whole other level of security considerations, particularly as we're fully cloud-based. We were told at the time that it wasn't a matter of 'if' we were attacked (due to having one particular high-profile banking customer), but 'when' we were attacked. So, putting shitloads of effort into stopping them getting in, while warranted, is not enough on its own. Intrusion detection is absolutely paramount. If someone gets in with trusted credentials, from a trusted location, the only thing left to go on to detect an anomaly is usage patterns. It's one of the most inexact sciences on the planet - I attended several security conferences to hear about efforts being made to detect intrusion based on usage patterns - some decent efforts, but they're not there yet.

We had one semi-successful attack, which happened when someone on our finance team had their laptop hacked while on a public wi-fi network in an airport. But, that alone wouldn't suffice for someone to hack us now, as we've tightened up hugely with every single thing behind 2FA.

And of course you're right about the public footprint - the bigger it is, the more exposed you are. That was something we had to address, and there are still aspects of it that we need to take care of. But, the handful of systems we still have with any ports open to the world, are those we focus on most in terms of security patching, etc.

We're kind of second guessing what might have happened in the HSE. But poor design, vulnerable software and human error are always the first things I would suspect.
 
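Added example, not from the original post and not HSE or thumped.com code: a small audit of an sshd_config for the "private key plus 2FA on every public-facing box" rule rettucs describes. Both config strings are constructed. The checks assume the second factor is delivered through PAM (`keyboard-interactive`), and the `KbdInteractiveAuthentication` keyword is the newer OpenSSH name for what older releases call `ChallengeResponseAuthentication`; whether PAM is actually wired to an OTP module cannot be seen from sshd_config alone.

```python
"""Added example: audit an sshd_config for 'key AND second factor' on every login path."""
import re

# Constructed, roughly default sshd_config (assumption): a password alone opens the door.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed hardened sshd_config (assumption): a key AND a PAM-driven
# second factor are both required; password-only logins are impossible.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the effective setting of each keyword.

    Mirrors sshd's rule that the first occurrence of a keyword wins.  Keywords
    are case-insensitive and may be separated from their value by whitespace
    or '='.  Match blocks are out of scope for this example.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(settings):
    """Return a list of findings; an empty list means every login path needs key + 2FA."""
    findings = []
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on (sshd default): a stolen password is enough")
    if settings.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly")
    # AuthenticationMethods: comma-separated methods are all required (AND);
    # space-separated lists are alternative chains (OR).  Every chain must
    # contain both publickey and keyboard-interactive, else one path skips 2FA.
    # A ':pam' style suffix on a method name is stripped before comparing.
    methods = settings.get("authenticationmethods", "")
    chains = [[m.split(":")[0].lower() for m in chain.split(",")] for chain in methods.split()]
    if not chains or any({"publickey", "keyboard-interactive"} - set(chain) for chain in chains):
        findings.append("AuthenticationMethods does not require publickey AND keyboard-interactive on every path")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(parse_sshd_config(cfg)) or ["ok"])
```

The weak config produces three findings and the hardened one none. The check on `AuthenticationMethods` is the important one: a line such as `publickey,keyboard-interactive password` reads as two alternatives, and the second lets a password-only login through even though the first looks fine.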

rettucs

Cornu Ammonis said:
I know most data is sensitive but considering Tusla have also been affected, you’d hate to think what data is out there now that should be kept safe. And the fact that their referral system is down is a major risk for kids in need of help right now.
I doubt the hackers even know what they're dealing with. There are a couple of scenarios that need to be considered.

Firstly, is this a case of denying access to the data, and the ransom is to provide the decryption key to recover the data?

Or, secondly, was the data exfiltrated?

I haven't heard this said yet. A lot of malware people inadvertently acquire on their personal devices would be the former category. Unless it's a phishing attack looking for someone's login credentials to their online banking, or whatever.

If the data has been encrypted, I would sincerely hope that everything was mirrored, or backed up offsite. Any responsible IT operation would do this.

If the data was exfiltrated, it's unlikely the hackers have even looked at it, or have any real clue what they're looking at. They are hoping for a quick, effortless buck. While it is very worrying for people's personal medical records to have been hacked in this fashion, other than asking for this ransom, I'm not sure what value the hackers think this data is to them.
 

magicbastarder

scutter said:
But poor design, vulnerable software and human error are always the first things I would suspect.
Oh, agreed. I work for a company which gets nation state level attention so a lot of our security guys are shit hot. But we're spread across the world, which means there's always going to be rogue systems unpatched and forgotten about knocking around the place.
I'm responsible for the AV on approx 120k systems but thankfully I'm not on the incident management side of cyber security (means I don't get woken at 2am over an incident). It's more my job to worry about a duff IPS engine update bluescreening systems than it is to worry about what the software is actually detecting.
 

magicbastarder

rettucs said:
If the data was exfiltrated, it's unlikely the hackers have even looked at it, or have any real clue what they're looking at. They are hoping for a quick, effortless buck. While it is very worrying for people's personal medical records to have been hacked in this fashion, other than asking for this ransom, I'm not sure what value the hackers think this data is to them.
There was a Scandinavian mental healthcare provider hacked in a similar way a year or two back, and the hackers knew exactly what they were going for - they were contacting the patients/clients with demands for ransom or the notes from their therapy sessions would be made public.
As per Cornu's comment, the info Tusla have would be an order of magnitude more sensitive than info on whether I have polyps on my gooter.
 
