subaqua
What’s the point
- Location
- Leytonstone
Well if it's any consolation, the UK nuke sub fleet run on XP ......
NHS! Attacked
- Thread starter screenman
- Start date
Page may contain affiliate links. Please see terms for details.
slowmotion
Quite dreadful
- Location
- lost somewhere
Perhaps not "complacent" but "wary"? Patches have a tendency to throw up other problems in unexpected places. If you have many tens of thousands of PCs in your organisation, I can quite see why the IT department might take the attitude "If it ain't broke, don't fix it."
Remember the Bic Pen / lock scandal where a Bic pen could unlock some cylindrical locks.
Allegedly the US subs used these keys on the Nuclear Launch System
Armageddon by pen!
I’d agree. There are lots of IT departments like that. For example, the ones in the NHS..... :-)
It’s all about balance. You need to treat security patches as urgent. Maybe not deploy everywhere on day 1, but at least get them into test environments and deploy without undue delay.
It’s all about balance. You need to treat security patches as urgent. Maybe not deploy everywhere on day 1, but at least get them into test environments and deploy without undue delay.
midlife
Legendary Member
I like to write Take Thou, Let it be written and Send on my prescriptions.
. In Latin . None of our computers can do that .....Shaun
The Jogger
Legendary Member
- Location
- Spain
Where has that Hunt got to, has he even made a statement?
Last edited:
Nigel-YZ1
Guru
- Location
- Somewhere else... maybe soon.
I can vouch for this.
I've just been logged in to my company network checking that machines are up to date. One that wasn't has failed to restart after taking the latest update roll-up. I've fired a few 'wake on lan' packets at it but it's still dead - so there's a job for me on Monday morning.
classic33
Leg End Member
Someone has to sign the order.
slowmotion
Quite dreadful
- Location
- lost somewhere
Does it matter? OK, some people might be made happier if he stands up and earnestly spouts some platitudes and reassurances, but would it actually achieve anything apart from feeding some ghastly media machine? He's probably got some computer experts beavering away somewhere.
The conservatives already did. In 1990
classic33
Leg End Member
Note the time, in bold.
"So finally, I've found enough time between emails and Skype calls to write up on the crazy events which occurred Friday, which was supposed to be part of my week off (I made it a total of 4 days without working, so there's that). You've probably read about this on several news sites, but I figured I'd tell my story.
I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant...yet. I ended up going out to lunch with a friend, which is when everything started to kick off.
When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off that this was going to be big. Although ransomware on a public sector system isn't even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don't open phishing emails which suggested to me that something this widespread was something else). I was quickly able to get a sample of the malware through Kafeine, a friend and fellow researcher, which I instantly noticed queried an unregistered domain, which I promptly registered.
With Cisco Umbrella, we can actually see query volume to the domain prior to our registration of it which shows the campaign started at around 8 AM UTC.
While the domain was propagating, I ran the sample again in my virtual environment to be met with WannaCrypt ransom page; but more interestingly was that after encrypting the fake files I left there as a test, it started connecting to random IP addresses on port 445 (used by SMB) extremely quickly. The mass connection attempts immediately made me think exploit scanner, and the fact it was scanning on the SMB port caused me to think back to the recent ShadowBroker's leak of NSA exploits containing...and SMB exploit. Obvious I had no evidence that it was definitely scanning SMB hosts or using the leaked NSA exploit, so I tweeted out my findings and went to tend to the now propagated domain.
Now one thing that's important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I'm always on the lookout to pick up unregistered malware control server (C2) domains. In fact, I register several thousand of such domains in the past year."
https://www.ncsc.gov.uk/blogs-feed-author/370
"So finally, I've found enough time between emails and Skype calls to write up on the crazy events which occurred Friday, which was supposed to be part of my week off (I made it a total of 4 days without working, so there's that). You've probably read about this on several news sites, but I figured I'd tell my story.
I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant...yet. I ended up going out to lunch with a friend, which is when everything started to kick off.
When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off that this was going to be big. Although ransomware on a public sector system isn't even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don't open phishing emails which suggested to me that something this widespread was something else). I was quickly able to get a sample of the malware through Kafeine, a friend and fellow researcher, which I instantly noticed queried an unregistered domain, which I promptly registered.
With Cisco Umbrella, we can actually see query volume to the domain prior to our registration of it which shows the campaign started at around 8 AM UTC.
While the domain was propagating, I ran the sample again in my virtual environment to be met with WannaCrypt ransom page; but more interestingly was that after encrypting the fake files I left there as a test, it started connecting to random IP addresses on port 445 (used by SMB) extremely quickly. The mass connection attempts immediately made me think exploit scanner, and the fact it was scanning on the SMB port caused me to think back to the recent ShadowBroker's leak of NSA exploits containing...and SMB exploit. Obvious I had no evidence that it was definitely scanning SMB hosts or using the leaked NSA exploit, so I tweeted out my findings and went to tend to the now propagated domain.
Now one thing that's important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I'm always on the lookout to pick up unregistered malware control server (C2) domains. In fact, I register several thousand of such domains in the past year."
https://www.ncsc.gov.uk/blogs-feed-author/370
.... and the fact that such an attack is Home Office territory, as Amber Rudd has made clear