Davey Winder: risks of ransomware attack were well known and avoidable
- 16 May 2017
You don’t need me to tell you that large swathes of the NHS have been hit by a ransomware attack. You might be forgiven for thinking that it was a targeted attack against the NHS, if you have been watching the TV news or reading the newspapers.
Actually, it was nothing of the sort, and those surgeries and trusts impacted by this were victims of a global attack. Organisations in around 190 countries, and ranging from universities to telecoms providers, postal services to the railways, have all been hit.
NHS not targeted, or attackers would have set sights higher
That this wasn’t targeted at the NHS was pretty obvious from the get-go, not least as the ransomware involved (WannaCrypt0r to be precise) is a known threat and the ransom demanded of between £230 and £460 is equally generic. If the attack was truly targeting an organisation the size of the NHS, even at a more local Trust level, you might imagine the actors involved would have set their sights a little higher. Especially given the huge risk they are taking. Attacks on this scale do not go without in-depth investigation, and the chances are the attackers will be caught, tried and likely jailed.
This was not an attack that was unexpected either, at least not by anyone with half a clue when it comes to IT security. Obviously, I don’t include the NHS Trust c-suites with control over budgets, or government, in this description.
Warnings had been coming thick and fast
The warnings have been coming thick and fast for years and not just from us here at Digital Health either. That said, I did warn about precisely such an event just days before the attack hit…
I’ll come on to how vulnerable the NHS was (and still is) as a whole to this kind of threat in a moment, but first let’s take a look at the threat itself.
First let’s look at the malware involved, a ransomware variant known as WannaCrypt0r (aka WannaCrypt and Wcry). There is nothing particularly virulent or special about WannaCrypt0r, truth be told; it’s bog standard ransomware when all is said and done. Once installed it will encrypt every file that it comes across and demands a ransom for the decryption key.
That ransom is initially $300 (£230) in Bitcoin but if you haven’t paid by the time the countdown reaches zero in 72 hours it doubles to $600 (£460) – again, all familiar territory in the ransomware world. As is the threat to delete the files after a week, although that’s something of a pointless threat if they are encrypted and unusable anyway.
Virulent ransomware delivered by worm
Less familiar territory for ransomware is the distribution mechanisms used to spread the malware payload. Rather than go in through the usual social engineering route of a phishing email, or spear-phishing in a truly targeted attack, this WannaCrypt0r threat employed something far more virulent and successful: it adopted the worm approach. How it turned itself into a ransomware worm is both interesting and frightening in equal measure. You see WannaCrypt0r exploited a vulnerability that enabled it to spread from network to network, LAN to WAN, and pretty much with impunity.
Usually when such a vulnerability is discovered, one of two things happens: it either gets disclosed to the vendor concerned and fixed by way of a patch, or becomes a 0day that is sold on the underground ‘dark market’ for criminal or state-sponsored usage. In the case of EternalBlue, as the vulnerability is known, it’s a mixture of things.
NSA developed the original exploit code NHS was hit by on Friday
For start, it was developed for, and presumably used by, the NSA (National Security Agency) in the US. Unfortunately, the NSA couldn’t keep the exploit code secure and it was released as part of the Shadow Brokers hacking group exposure of such things in April.
The vulnerability was in the Server Message Block protocol, specifically as found in Microsoft Server Message Block 1.0 (SMBv1) server. Using a specially crafted message, this could exploit how Windows machines communicated with the file system over the network allowing remote code execution. Once one machine is infected, it rapidly propagates to any others that are connected and vulnerable. This is how a worm works, and it worked well in the case of WannaCrytp0r.
NHS would have been protected by applying 14 March Microsoft MS-17-010 security update
But it didn’t have to be that way as Microsoft had already patched the vulnerability long before Shadow Brokers released the exploit code. The 14 March Microsoft MS-17-010 security update for SMB Server fixed the problem, but you had to have installed the patch of course. And that’s where the NHS amongst others fell short.
NHS legacy machines should have been behind a firewall
You’d think that a couple of months would be plenty for even the most risk-adverse (in the sense of risk from a patch causing problems) organisation to roll out a critical security update. But no, apparently not. But patching isn’t the only problem here. Systems, and in the case of the NHS legacy machines, that had not or could not be patched should have been behind the firewall at the very least.
Yet the spread of this thing suggests that those firewalls were not properly configured, with ports 139 and 445 being open, with those hosts listening to inbound connections including the WannaCrypt0r message. Of course, all it takes is a single, solitary firewall to be incorrectly configured for such a worm to quickly propagate post-infection to other machines.
Get set for variant strains of WannaCrypt0r
So what happens now? Well, you’ll have probably read that a young security researcher, from his bedroom, spotted a killswitch in the malware code and with the help of the professionals this was able to be activated. This certainly reduced the overall impact of the attack. It will not, however, have stopped it dead. Things are set to get worse as there are already variant strains of WannaCrypt0r (with that killswitch removed and other tweaks to make it harder to spot and stop) out in the wild. This is not over by a long chalk.
The answer remains: do the basics of security well
And just how *do* you stop this happening again? The simple answer is by doing the basics of security well. Replacing legacy systems where practical, ensuring network separation where not, so that threats cannot leapfrog the whole shebang, getting on top of patch management and, yes I’m going to keep on saying it until I’m blue in the face, making the proper investment in data security. If you want a ‘strong and stable’ NHS from the IT security perspective then it comes at a cost, and that has to be provided by central government.
Look, I understand that patching for a large enterprise (and that’s what NHS Trusts are) is not a trivial thing. I get that software compatibility is rather important when we are talking patient care. I also get that by delaying patching, or not patching at all, the risk increases to the point where something like this can happen. That cannot be the better option, will never be the better option. I also get that money isn’t on tap in the NHS, and that a scanner costing upwards of a few hundred thousand quid that has an embedded legacy OS cannot easily be replaced. However, it can easily be isolated from danger by the use of correctly configured firewalls, by the use of appropriate controls in other words.
These do not need to be a costly exercise to implement, but do need to be addressed as a matter of urgency. At the very least blocking SMB traffic (on ports 139 and/or 445) to any legacy and unpatched system is essential.
Cyber security is not just about systems, it’s about process and understanding.
Cyber security is not just about systems, it’s about process and understanding. This isn’t a case of data being lost, NHS backups will be in place. The problem is more one of restoring that data in a secure manner, protecting from reinfection. That means isolating individual machines, restoring them manually, all things that take time and therefore cost money. A lot of money when the knock-on effect of departmental closures and rescheduling appointments is taken into consideration.
Proper risk management in the NHS has been exposed as severely lacking these last few days. That has to change. It’s all very well for government spokespeople to roll out the ‘NHS information Governance Toolkit’ message but that was, and remains, just a mishmash of legal requirements that doesn’t speak to the technical requirements needed. Direction is essential, and government is only providing soundbytes.
That direction needs to come before the paperless NHS becomes a complete reality, or it will also be a completely insecure mess.
3 Comments
The easiest and quickest security fix is to disconnect each hospital from the rest of the Internet. Maybe some admin computers need to be connected to the Internet, but in that case, these should be disconnected from the rest of the hospital.
Every thing else can be done by fax, txt or text-only email.
Have a look at how organisations that take security seriously, like nuclear weapons submarines, do things.
Wow… a giant step back into the dark ages there! Faxes have in effect been outlawed already, and text messages are of very little use in communicating patient information. One might as easily say that the best security fix is to get rid of all the computers and go back to writing on paper – no worms or malware there.
The correct response as the article says is to take a robust approach to security – sure there will be always be potential zero day exploits but still it will reduce the overall risk to manageable levels. We are beefing up our patching schedule, although we were largely unaffected by this outbreak.
“It’s all very well for government spokespeople to roll out the ‘NHS information Governance Toolkit’ message but that was, and remains, just a mishmash of legal requirements that doesn’t speak to the technical requirements needed.”
The IG Toolkit describes requirements for organisations. Let’s pick one requirement at random, say Information Security Assurance requirement 311 – “Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code”.
Now let’s pick an organisation at random, say, Northern Lincolnshire & Goole NHS Foundation Trust.
For both the 2015/16 and 2016/17 submissions, the Trust has self-certified that they are Level 2, i.e. that approved and documented controls and procedures to mitigate against malware risks have been implemented.
This Trust has been hard-down twice in the last 6 months due to malware so I’m struggling to see how even the Level 1 requirements could have been attained.
The Level 1 requirement?
a) There are appropriate controls and procedures in place to protect against malicious code and unauthorised mobile code for each of the identified information assets.
b) IAOs have established policy and plans for system patching that takes account of known product support expiry.
That TAKES ACCOUNT OF KNOWN PRODUCT SUPPORT EXPIRY.
Comments are closed.