WannaCry’s anniversary: have we learned our malware and cybersecurity lessons?

Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was but a year ago. Two months later, there was Petya/NotPetya. We’ve had hacking and ransomware eruptions regularly, the latest being the slo-mo malware devised by the Orangeworm hackers. What WannaCry and Petya/NotPetya had in common, besides cyberdamage, was they were developed by state actors or hackers with state support (North Korea and–suspected–Russia and/or Ukraine).

The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates. 

Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk.  “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring migration of Windows XP systems and old software, requested by April 2015, actually happened. Another basic–firewalls facing the internet–weren’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and it was found as quickly as it was by a British security specialist with the handle Malware Tech. 

Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even head of IT audit and security services at West Midlands Ambulance Service NHS Trust and a penetration tester for NHS trusts, said that they were “still finding some real shockers out there still.” NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) in February that 200 NHS trusts tested against cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News

Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, initial passwords not changed in EHRs. Add to firewalls, prevention measures, emphasizing compliance and best practices, security cyber-resilience–more than a recovery plan, planning to keep operations running with warm backups ready to go, contingency plans, a way to make quick decisions on the main functions that keep the business going. Are healthcare organizations–and the NHS–capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased over the 2015-2017 period by 72 percent between 2015 and 2017 and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been reducing mega-breaches and containment of healthcare device loss and theft through education and enforcement of employee practices. What continues is the major cause of breaches continue to be insider-related via error and wrongdoing; this includes the major annual Verizon report. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

Breaking News This morning’s (Tuesday 16 May) news is about reputable security organizations–Kaspersky Lab and Symantec–connecting the dots that lead for now to a North Korea-linked hacking organization, the Lazarus Group. This group has been identified in previous hack attacks and is based upon WannaCry code appearing in Lazarus programs. US Homeland Security has admitted seeing the same similarities, but all are working to gain more information.

Lazarus has been previously identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea for its missiles, army, EMP and nuclear arming while its terrorized people starve. However, this attack was a flop; according to US Homeland Security, about $70,000 was raised in ransom. The Homeland Security spokesman also distanced the NSA from the original information which targeted weaknesses in Microsoft’s systems.

According to reports, WannaCry disproportionately affected Russia, Taiwan, Ukraine and India, according to Czech security firm Avast. No US Federal government systems were affected. China on Monday reported that it attacked traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically spots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK tech working for Kryptos Logic who redirected the attacks by buying a domain embedded in the WannaCry code. How it worked, according to PC World, is that if the malware can’t connect to the unregistered domain, it infects the system. By registering the domain and creating a page for the malware to connect to, he stopped the malware spread. (Video in Telegraph article)  Also FoxNews

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, in The Hill, summarized it neatly today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that hacked the NSA files, today announced the availability of a subscription to a ‘members only data dump’ like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways–and deserved fodder for Dame Fiona [TTA 10 May]. The Hill  Earlier coverage here

The malware siege of Northern Lincolnshire and Goole NHS: a preview of more? (UK)

By now our UK readers are well aware of the shutdown due to malware starting Sunday 30 Oct, only resolved today, of the Northern Lincolnshire and Goole NHS Trust hospitals: Diana, Princess of Wales; Goole and District; Scunthorpe General.

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2016/11/nhsalert-940×445.png” thumb_width=”300″ /] (NHS website via Krebsonsecurity.com, click to enlarge)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2016/11/nhsalert2.png” thumb_width=”300″ /] (NHS website, click to enlarge)

It is estimated that it affected approximately 1,000 patients over the three shutdown days. Most patients were diverted to neighboring hospitals, according to The Guardian.

The Health Services Journal (paywalled) broke as an exclusive the NHS‘ high priority warning to providers around the country. Yet it seemed equivocal. According to The Sun, while NHS Digital marked the message as ‘severity: high’ and warned that “… we would like to remind all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”, it was tempered with “We have no evidence that this is anything other than a local isolated incident but we will continue to keep health and care organisations informed.” Also according to The Sun, the Department of Health has noted that this has not been the first incident.

As our Readers know, US and Canadian hospitals and healthcare organizations have been subject of late to malware and its latest iteration, ransomware, with a large outbreak this summer. (more…)

Ransomware alert up in US, Canada: more details

Ransomware threats are now the subject of a joint alert in both the US and Canada, with at least 14 hospitals under attack on both sides of the border. Ten of the hospitals are part of MedStar in Maryland [TTA 26 March, updated], and as your Editors have noted, it’s not just hospitals but also Mac iOS under attack and now, reportedly, even police and cafes (Telegraph.ukNPR). $24 million was lost to ransomware in 2015 in the US alone, according to the FBI. Healthcare IT News reports a new variation called PowerWare which is delivered through MS Word documents, but goes further than Locky in mimicking legitimate files and activities without writing new files on the system, which makes it hard to detect. It invades PowerShell which is used by system admins for task automation and configuration management.

If you are catching up and want a useful overview, see Wired. The headline states the obvious, at least to this Editor. Hospitals and their often-flawed IT managed by overworked staffs are the perfect target for ransomware and multiple viruses as lives are at stake, not widget production. Like most malware and internet Bad Things, ransomware originated in Eastern Europe (where else?) back in 2005. Most attacks include instructions on how to access bitcoin, the untraceable payment method demanded by the hospital hostage-takers.

How to prevent or mitigate? NPR cites Peter Van Valkenburgh, director of research at Coin Center, a digital currency advocacy non-profit, that hospitals can take safeguards including HTTPS encryption, two-factor authentication and implementing file backups on a separate server.