Tag Archives: WannaCry

NSA Offers Gift That Keeps on Giving

Sometimes the gift that keeps on giving is good.  Other times, it is not so good.

In this case, it is not so good.

You may remember the Wannacry ransomware attack last year.  That virus, which took many organizations back to the stone age of computing (i.e., a pencil and paper), infected and took down organizations like the UK's National Health Service, parts of FedEx, Hitachi, Honda and hundreds if not thousands of others, many unknown.  It was enabled by a gift written by the NSA called EternalBlue.  EternalBlue was designed to be a gift given to our enemies, but it managed to get out in the wild and be used by the bad guys to infect hundreds of thousands of computers in at least 150 countries and cost companies billions of dollars to fix.

If it weren't for EternalBlue, this attack would not have worked.  The funny thing is that, like the Equifax breach, the vendor (in this case Microsoft) had released a patch months before the attack.

Of course, some people are good about applying patches while others are not so good.

A year later, the NSA gift called EternalBlue is still giving.  There are still at least a million computers that are not patched, and hackers are using EternalBlue to launch a new attack.  After all, why bother to use new, unknown attacks and risk them being discovered when the same old attacks from last year still work?

Right now, today, the attackers are using this attack to mine cryptocurrency on the infected computers.  However, if that stops being profitable enough, well, these computers are already zombies, so the zombie controller could just turn this into a massive denial of service attack or a massive ransomware attack.  Or whatever.  Or more than one thing.

The simple fix is that there are Windows patches available to be installed.  You can also disable the protocol that the attack uses.

Either way, there is no reason why this attack should still work.
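As an added example (not from the original post), here is a PowerShell audit script for the mitigation described above: it reports whether SMBv1, the protocol EternalBlue exploits, is still enabled on a Windows host, optionally disables it, and shows when the host last took a patch. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer; the script layout and the -Fix switch are my own, not Microsoft's.

```powershell
# Added example, not from the original post: report (and optionally remove)
# SMBv1 exposure on the local Windows host. Patching is still the primary fix;
# this only takes away the protocol that EternalBlue-based malware relies on.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
param([switch]$Fix)   # default is report-only; -Fix actually disables SMBv1

$findings = @()

# 1. Server side: will the SMB service still negotiate SMBv1 with a client?
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $findings += "SMB server: SMBv1 ENABLED"
    if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
} else {
    $findings += "SMB server: SMBv1 disabled"
}

# 2. Is the SMB1 component installed at all? (client SKUs; on Server use
#    Get-WindowsFeature FS-SMB1 / Uninstall-WindowsFeature FS-SMB1 instead)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += "Windows feature SMB1Protocol: INSTALLED"
    if ($Fix) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
} else {
    $findings += "Windows feature SMB1Protocol: not installed"
}

# 3. Exposure: which addresses is the SMB listener (TCP 445) bound to?
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    $findings += "TCP 445 listening on: " + (($listen.LocalAddress | Sort-Object -Unique) -join ', ')
}

# 4. Quick "are we even patching?" indicator: date of the most recent hotfix
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $findings += "Most recent hotfix: $($lastFix.HotFixID) installed $($lastFix.InstalledOn.ToShortDateString())"
}

$findings | ForEach-Object { Write-Output $_ }
if (-not $Fix -and $srv.EnableSMB1Protocol) {
    Write-Warning "Re-run with -Fix to disable SMBv1 (removing the feature may need a reboot)."
}
```

Run it without arguments first to see the report; only step 4 tells you whether updates are flowing, so a host that passes the SMBv1 checks but shows a months-old hotfix date still needs Windows Update run.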

But since people aren't really diligent about patches, especially patches on phones, tablets and IoT devices, the hackers will continue to have a field day and businesses will lose millions.  Some are already going out of business due to ransomware attacks.

Just think about that for a minute.

Information for this post came from ZDNet.


The Cost of Cyber Breaches

Earlier this week Merck said what NotPetya is going to cost them, and the numbers are staggering.

In last Friday's earnings call Merck said that NotPetya impacted third quarter results to the tune of around $300 million.  That includes $135 million in lost sales and $175 million in costs.

But that is not all.  They also said that they anticipate a similar impact to revenue and costs in the fourth quarter.

That means in just this year alone, it could cost Merck $600 million plus. It is likely that the costs will not end with the turning of the calendar page to January.

It is also likely that they have cyber insurance, but that might pay $100 million, and it could be a whole lot less than that.  That could leave Merck having to write a check for half a billion dollars. Or more!

Moving on to the Wannacry attack, The Guardian is reporting that hackers moved 108,000 British pounds out of a few Bitcoin wallets that people paid ransoms into.  Note that this is not what it cost people to deal with Wannacry, but rather what they paid the attackers.

Since Bitcoin is not anonymous (in fact it is anything but, which is why, months later, we know each and every withdrawal from those wallets virtually instantly), the police are tracking those transactions and may be able to figure out who is moving the money.

As the British Health Services (NHS) are doing an after-attack review of Wannacry, the story that is coming out is that they could have avoided the attack if they had implemented basic cyber security practices.

As far back as 2014 the Department of Health and the Cabinet told NHS that they needed a robust plan to migrate away from old software (like Windows XP), and in March and April 2017 (a month or two before the attack) NHS Digital issued a critical alert for NHS organizations to install the patches needed to stop Wannacry in its tracks.  Those patches were not installed.  NHS blamed cost-cutting measures for reducing the resources needed to manage their systems.

NHS Digital had conducted on-site assessments of 88 out of 236 of the health trusts in England.

But NHS Digital has no enforcement powers to make anybody fix the problems.

The bottom line is that these attacks can be tremendously costly, and in many cases simple measures would have mitigated the attacks, possibly completely.

Information for this post came from Tech Republic, The Guardian and another Guardian article.


When Medical Devices Get Hit With Ransomware

Is it possible that North Korea used stolen NSA hacking tools to infect medical devices at U.S. hospitals?  Forbes says, yes it is.

When the WannaCry ransomware spread out of control last week, infecting 48 hospital trusts in the UK and unnamed medical facilities in the U.S., for the most part U.S. businesses were not affected.  Except for some.

For those people who work in offices, the effects of ransomware are annoying, and if there are not sufficient backups, it can lead to losing data and losing customers.  And lawsuits.

But when it comes to hospitals, in addition to all of the above, it can lead to people dying.

Forbes was given an image of a Bayer Medrad power injector (pictured in the original post) that manages the injection of MRI contrast dye into patients.

Many of these medical devices in hospitals are connected to Windows PCs, and those PCs are often connected to email and the Internet.  When they are – and even if they are not – they can get infected with malware.  Think Iran and Stuxnet.  Those centrifuge controllers were not connected to anything and we still infected them.

Bayer acknowledged that at least two devices were infected here in the U.S., but they were able to restore them in 24 hours.

Microsoft released a patch in March for the bug that allows the ransomware to work.  Bayer said that it plans to release that same patch to its customers “soon”.  That means that hackers – say, perhaps, the North Koreans – have at least three months, maybe more, after the patch is released to reverse engineer the patch and use that knowledge to infect medical devices.  From what I have heard, three months from vendor patch release to medical device patch release is super speedy.  And don't forget that you have to add the time it takes the hospital to approve deploying that patch.

While this particular attack would, if effective, take the machine offline and not directly kill anyone, that is only THIS particular malware.

We have already seen demonstrations of hacking that changes the settings inside drug infusion pumps.  If that bit of maliciousness propagated in the wild, it could change the dosage of drugs being dispensed to patients without any obvious indication externally (set it to 10 and it dispenses 50, for example) and then people would die.

In the case of that brand of infusion pumps, after beating up the vendor and the FDA for a year, the FDA finally issued a warning.  Hackers don't use that kind of time scale.  You have to be able to warn hospitals in hours, and the FDA and the medical device industry are nowhere near the capability to do that.

Let's say that instead of locking up Windows PCs, the WannaCry worm instead infected infusion pumps.  Granted, the same bug would not work in infusion pumps, but let's say there was a different one.  Think about how fast that worm spread around England, Scotland and a hundred plus other countries.  Could the national medical device regulators in all of those countries respond to that kind of event before people died?  Sadly, I don't think so.

According to the article, the medical device manufacturers rushed out an alert telling hospitals that they were working on a patch and would release it sometime in the future.

HITRUST, a private company that helps the medical industry deal with cyber security issues, said that it had reports of both Bayer and Siemens being affected.  Siemens said it could not confirm or deny reports of their machines being infected.

The Department of Homeland Security's Computer Emergency Response Team (CERT) said that many industrial control systems vendors are issuing alerts as well.  They said that ICS devices were infected and that there was an impact.

While this particular attack didn't have deadly consequences, unless the medical device and industrial control industries up their cyber security game, it is just a matter of time before something bad happens.

Information for this post came from Forbes.
