Hornbill Blog

Security: Big News in the UK today - NHS hit with Cyber-Attack

I was watching with interest today how the media reported this story. The dramatisation in the statements put out on national news would lead you to believe that there is some international conspiracy somehow linked to the NSA. It certainly makes better headlines than the truth, because the truth is less like an intricate James Bond movie plot and much more like a scene from the IT Crowd!

We are a cloud company, so cyber-security attacks are always of great interest to us. As soon as the story was first reported we were already looking past the movie in the news at the details, primarily because we must identify any risk or exposure we ourselves might have. For those of you who want a less exciting version of the dramatic mass-media reports, this is what is happening.

What is it?

In April a group calling itself the Shadow Brokers published a set of tools reported to have been stolen from the NSA. Two of them matter here. ETERNALBLUE is an exploit for a vulnerability in Microsoft's SMBv1 file-sharing protocol (the bug fixed by MS17-010, CVE-2017-0144); it gives an attacker kernel-level code execution on any unpatched Windows machine it can reach on TCP port 445, with no credentials required. DOUBLEPULSAR is the back door that ETERNALBLUE is used to install: a memory-resident kernel implant that hooks the SMB driver and lets a remote caller inject a DLL or shellcode into a process on the compromised computer. On its own it causes no direct problem. It sits there undetected, does not survive a reboot, and waits until someone decides to use the back door. Compromised computers can be identified by sending them a specially formed SMB request (a Trans2 SESSION_SETUP "ping", not an ICMP ping): the implant answers with a Multiplex ID of 0x51 where a normal Windows server simply echoes back the 0x41 it was sent.

Now, while DOUBLEPULSAR is the tool being used, it is not the actual attack. The attack being reported is a piece of ransomware dubbed WannaCrypt (also called WannaCry or WanaCrypt0r). Ransomware is a simple program that, once executed on a computer, encrypts every data file it can find and leaves instructions on your desktop demanding payment (a ransom) for the key to decrypt them again. What makes this one different is that it is also a worm: an infected machine scans for other machines with port 445 open and uses ETERNALBLUE and DOUBLEPULSAR to install itself on them, with nobody having to click anything. And the damage is not limited to the infected computer. If that computer is networked and has write access to files on other computers via a network share, the data on those computers can be encrypted too, even if the other computer has already been patched and is not itself vulnerable.

What computers are compromised?

The exploit is specific to the Windows operating system and requires the SMBv1 protocol to be enabled and reachable on TCP port 445. Microsoft published a patch on March 14th, MS17-010, which covers pretty much all supported Windows versions: Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Server Core installations. Windows XP and Server 2003 are also vulnerable, but at the time of writing Microsoft had not provided a patch for these operating systems; this I expect has more to do with Microsoft's desire to drive operating-system updates than with any technical inability to provide a patch. Two practical checks follow from this: confirm that MS17-010 (or a later cumulative update that includes it) is actually installed on every Windows machine, and, patched or not, turn SMBv1 off and keep port 445 closed to the internet, since SMBv1 is a protocol Microsoft itself has been telling customers to disable for some time.
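Both of the network-visible facts above (does a host still speak SMBv1, and does a Trans2 reply carry the DOUBLEPULSAR tell-tale) can be checked with nothing but the Python standard library. The script below is an added example written for this post, not Hornbill's own tooling. It assumes the SMB1 header layout from MS-CIFS, the published behaviour that the implant replies with Multiplex ID 0x51 where a normal server echoes the 0x41 it was sent, and that a bare SMB1 NEGOTIATE offering only the NT LM 0.12 dialect is a fair test of whether SMBv1 is enabled. The Trans2 SESSION_SETUP probe itself needs a negotiated session and tree connect first and is not built here, so the implant check is exercised on hand-constructed reply bytes; the SMBv1 check can be run against a live host by passing its address.

```python
"""SMB reply checks for the two behaviours described above: is SMBv1 still
on, and does a Trans2 reply show the DOUBLEPULSAR tell-tale?  Added example,
not Hornbill's code.  Assumed: the MS-CIFS SMB1 header layout, the 0x41 to
0x51 Multiplex ID change the implant makes, and a bare SMB1 NEGOTIATE as the
SMBv1 test.  The sample replies at the bottom are hand-constructed."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41         # MID the detection tools send the Trans2 "ping" with
DOUBLEPULSAR_MID = 0x51  # MID the implant puts in its reply (0x41 + 0x10)

# 32-byte SMB1 header, little-endian: magic, command, NT status, flags, flags2,
# PIDHigh, SecurityFeatures (8), reserved, TID, PIDLow, UID, MID.
_HDR = struct.Struct("<4sBIBHH8sHHHHH")

def parse_smb1_header(msg):
    """Header fields of a raw SMB1 message (NetBIOS prefix removed), or None."""
    if len(msg) < _HDR.size or msg[:4] != SMB1_MAGIC:
        return None
    _, cmd, status, flags, flags2, _, sig, _, tid, pid, uid, mid = _HDR.unpack_from(msg)
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "signature": sig, "tid": tid, "pid": pid, "uid": uid, "mid": mid,
            "body": msg[_HDR.size:]}

def netbios_wrap(smb):
    """NetBIOS session-service framing: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def build_negotiate(dialects=(b"NT LM 0.12",)):
    """SMB_COM_NEGOTIATE offering only SMB1 dialects, so an SMB2-only server
    has nothing to upgrade to and must refuse (DialectIndex 0xFFFF) or drop us."""
    hdr = _HDR.pack(SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC801, 0,
                    b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # BufferFormat + name
    body = b"\x00" + struct.pack("<H", len(blob)) + blob       # WordCount 0, ByteCount
    return netbios_wrap(hdr + body)

def classify_negotiate_reply(msg):
    """'smb1-enabled' when the host accepted an SMB1 dialect, otherwise why not."""
    if msg[:4] == SMB2_MAGIC:
        return "smb2-only"
    h = parse_smb1_header(msg)
    if h is None or h["command"] != SMB_COM_NEGOTIATE or len(h["body"]) < 3:
        return "not-smb"
    dialect_index = struct.unpack_from("<H", h["body"], 1)[0]  # word 0, after WordCount
    return "smb1-enabled" if dialect_index != 0xFFFF else "smb1-refused"

def is_doublepulsar_ping_reply(msg):
    """True when a Trans2 reply carries the implant's MID 0x51 instead of echoing 0x41."""
    h = parse_smb1_header(msg)
    return bool(h and h["command"] == SMB_COM_TRANSACTION2 and h["mid"] == DOUBLEPULSAR_MID)

def recv_netbios(sock):
    """Read one NetBIOS-framed message; b'' on EOF or a short read."""
    head = sock.recv(4)
    if len(head) < 4:
        return b""
    want, buf = int.from_bytes(head[1:], "big"), b""
    while len(buf) < want:
        chunk = sock.recv(want - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf

def probe_smb1(host, port=445, timeout=3.0):
    """Ask a live host whether it still speaks SMBv1 (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return classify_negotiate_reply(recv_netbios(s))
    except OSError:  # refused, reset or timed out: no SMBv1 answer either way
        return "no-reply"

# Constructed sample replies (flags 0x98 = reply bit set); not real captures.
def _reply(cmd, mid, body):
    return _HDR.pack(SMB1_MAGIC, cmd, 0, 0x98, 0xC801, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid) + body

SAMPLE_NEGOTIATE_OK = _reply(SMB_COM_NEGOTIATE, 0, b"\x11" + struct.pack("<H", 0) + b"\x00" * 34)
SAMPLE_NEGOTIATE_REFUSED = _reply(SMB_COM_NEGOTIATE, 0, b"\x01" + struct.pack("<H", 0xFFFF) + b"\x00\x00")
SAMPLE_SMB2_ONLY = SMB2_MAGIC + b"\x00" * 60
SAMPLE_TRANS2_CLEAN = _reply(SMB_COM_TRANSACTION2, PROBE_MID, b"\x00\x00\x00")
SAMPLE_TRANS2_IMPLANT = _reply(SMB_COM_TRANSACTION2, DOUBLEPULSAR_MID, b"\x00\x00\x00")

if __name__ == "__main__":  # e.g. python smbcheck.py 10.0.0.5 for a live probe
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_smb1(sys.argv[1]))
    print("negotiate ok     ", classify_negotiate_reply(SAMPLE_NEGOTIATE_OK))
    print("negotiate refused", classify_negotiate_reply(SAMPLE_NEGOTIATE_REFUSED))
    print("implant reply    ", is_doublepulsar_ping_reply(SAMPLE_TRANS2_IMPLANT))
```

A host that answers "smb1-enabled" is one where the MS17-010 question is urgent; "smb2-only", "smb1-refused" or "no-reply" means ETERNALBLUE has no SMBv1 listener to talk to on that port, whatever the patch state. Offering only the NT LM 0.12 dialect is deliberate: if the negotiate also listed SMB 2.x dialects, an SMB2-capable server would answer with an SMB2 negotiate and tell you nothing about whether SMBv1 is still switched on.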

Who is affected?

It made prime-time news here in the UK for the NHS because the response to this compromise by the NHS was to turn off all computers, which left the NHS apparently only "coping" with delivering healthcare services. A computer getting infected by a virus is boring and not a great headline, but a nation not getting adequate healthcare because of a sinister cyber-attack is a great headline. The truth, though, is that any organisation that has either failed to apply this patch or is still running XP or Server 2003 is vulnerable, and may already be compromised and just waiting for the next exploit to take advantage. The NHS, like many other public-sector organisations here in the UK, is stuck with old operating-system versions, citing things like cost and compatibility with other systems as reasons not to keep things updated. The NHS made the news today, but many more organisations are probably already vulnerable.

[EDIT] So significant was the impact of this problem that Microsoft has today been forced to respond with patches for XP and Server 2003. You can read more about this and get links for the download here

How can you prevent being compromised?

It is sad to say that this apparent national panic could have been easily avoided if the affected organisations had simply followed a common-sense, best-practice approach to their IT strategy.

  • Make sure all operating system versions are always patched. Stop trying to "manage" patching yourself: if you have chosen Microsoft operating systems, leave the patching to Microsoft. They provide the service, it is automatic and it is free. All too often "enterprise" likes to be in control of this; trust me when I tell you that the best way to deal with security patching is to let Microsoft do it, and likewise if you are using Apple OS X computers, let Apple patch and update the OS.
  • If you are using an OS version such as Windows XP or Windows Server 2003, just stop... or isolate the computer from any network and stop people from using it (the current NHS panic strategy).
  • Configure your network properly: only grant the minimum access rights required to each user, do not leave file shares writable by everyone (that is how this ransomware reaches data on machines it never infected), and do not expose SMB (TCP port 445) to the internet.
  • Back up your data properly, and keep at least one copy somewhere an infected machine cannot write to, or the backup gets encrypted along with everything else. If your data is important and you lose it because your backup strategy is bad, you cannot really point the finger anywhere else.

How is Hornbill affected?

We use Windows on our internal networks, but we keep everything patched and we have no unsupported operating-system versions in use that cannot be patched. In addition, for Windows computers we also have aggressive anti-virus controls in place. For the most part our cloud services run on a Linux-based software stack, and our other operating systems, like OS X, are not vulnerable to compromise from this attack.

I hope that the IT teams in NHS organisations around the country get on top of this quickly, and I wish them well in their endeavours over the coming days. I also hope that the budget holders learn from this. If you have chosen to work with Microsoft for your OS needs, listen to them when they tell you that the OS you are using is no longer supported; by ignoring this you are making yourself vulnerable to exactly this sort of problem. I imagine the cost of running around to sort this out now will be significantly greater to your organisation than taking preventative measures would have been. A false economy?

Useful Resources:

 
