Discussion:
[wlug] Waikato DHB Under “Cyber Attack”
Lawrence D'Oliveiro
2021-05-18 01:06:09 UTC
Permalink
According to this report
<https://www.nzherald.co.nz/nz/breaking-major-cyber-attack-at-waikato-district-health-board-all-clinical-services-affected/Y4W3S3LOQECJLU5Q6KCACS7DSE/>,
clinical services at all hospitals under the Waikato DHB are being
impacted by some “major cyber attack” of unspecified nature
(DDOS? Ransomware?), forcing the cancellation of patient appointments.
Even their landline phones are not working.
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/
David McNab
2021-05-18 01:19:57 UTC
Permalink
Don't be surprised if the demands (if ransomware) include the threat of
mass-doxing of patients' sensitive personal clinical data.
Post by Lawrence D'Oliveiro
According to this report
<
https://www.nzherald.co.nz/nz/breaking-major-cyber-attack-at-waikato-district-health-board-all-clinical-services-affected/Y4W3S3LOQECJLU5Q6KCACS7DSE/
,
clinical services at all hospitals under the Waikato DHB are being
impacted by some “major cyber attack” of unspecified nature
(DDOS? Ransomware?), forcing the cancellation of patient appointments.
Even their landline phones are not working.
_______________________________________________
https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Lawrence D'Oliveiro
2021-05-18 04:33:46 UTC
Permalink
... clinical services at all hospitals under the Waikato DHB are being
impacted by some “major cyber attack” of unspecified nature ...
A little bit more detail
<https://www.nzherald.co.nz/nz/waikato-dhb-outage-could-take-days-to-fix-union-says-after-cyber-security-attack/V2Q3ESGHZC3KPHUUQ7R7PNNRWU/>:
all phones and computers are down, and a doctors’ union is saying it
could take days to fix. The Ministry of Health is describing it as an
“attempted cyber incident” that happened overnight. It’s not clear what
was being “attempted”, given the “attemptors” have already successfully
knocked out major critical systems for a significant duration.
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug
Lawrence D'Oliveiro
2021-05-19 06:51:40 UTC
Permalink
Further report
<https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/>
says “The attack disabled all IT services except email”.

Kind of ironic, since that appears to have been the channel of attack
...

Also:

Several ransomware operators have pledged that they will not target
medical organizations during the current pandemic, but apparently
both honor and consistency is lacking among thieves.
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list
Simon Green
2021-05-19 07:01:28 UTC
Permalink
Post by Lawrence D'Oliveiro
Further report
<https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/>
says “The attack disabled all IT services except email”.
Kind of ironic, since that appears to have been the channel of attack
The MX records would suggest the e-mail is hosted by SMX ( https://smxemail.com/ ) a well known e-mail hosting company based in NZ. They also do hosting for all @xtra.co.nz (Spark Internet) addresses ( https://smxemail.com/our-company/blogs-news/press-releases/spark-brings-email-home-to-new-zealand/ ).

As for the cause of the DHB issues, I suspect the it-came-from-e-mail answer is pure speculation at this stage.

--
Simon
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.n
David McNab
2021-05-19 07:24:09 UTC
Permalink
Anyone know if they've found the C&C servers yet?
Post by Lawrence D'Oliveiro
Post by Lawrence D'Oliveiro
Further report
<
https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/>
Post by Lawrence D'Oliveiro
says “The attack disabled all IT services except email”.
Kind of ironic, since that appears to have been the channel of attack
The MX records would suggest the e-mail is hosted by SMX (
https://smxemail.com/ ) a well known e-mail hosting company based in NZ.
https://smxemail.com/our-company/blogs-news/press-releases/spark-brings-email-home-to-new-zealand/
).
As for the cause of the DHB issues, I suspect the it-came-from-e-mail
answer is pure speculation at this stage.
--
Simon
_______________________________________________
https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Lawrence D'Oliveiro
2021-05-19 08:39:00 UTC
Permalink
Post by David McNab
Anyone know if they've found the C&C servers yet?
I never understood why you need two Cs. One stands for “Command”, the
other stands for “Control” -- what’s the difference?
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/postorius/l
David McNab
2021-05-19 09:02:24 UTC
Permalink
The hacker exercises "control". To implement this, the server sends
"commands" when they get polled by the infected networks.
Post by David McNab
Anyone know if they've found the C&C servers yet?
I never understood why you need two Cs. One stands for “Command”, the
other stands for “Control” -- what’s the difference?
_______________________________________________
https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Lawrence D'Oliveiro
2021-05-19 09:10:47 UTC
Permalink
Post by David McNab
The hacker exercises "control". To implement this, the server sends
"commands" when they get polled by the infected networks.
Actually the term comes from military usage.
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Gregory Machin
2021-05-19 11:20:44 UTC
Permalink
Media is full of BS... And their sources are people who don't understand
what's happening.

Speculation and roomers don't help.

Park the gossip for now.
Post by Lawrence D'Oliveiro
Post by David McNab
The hacker exercises "control". To implement this, the server sends
"commands" when they get polled by the infected networks.
Actually the term comes from military usage.
_______________________________________________
https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Lawrence D'Oliveiro
2021-05-19 23:21:47 UTC
Permalink
Post by Gregory Machin
Media is full of BS... And their sources are people who don't
understand what's happening.
One of the TV channels gave quite a reasonable description of a
ransomware attack yesterday.

And their sources are people like Paul Brislen.
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Lawrence D'Oliveiro
2021-05-26 03:07:58 UTC
Permalink
And the crims are cranking up the hostilities, with the release of
confidential patient material to media outlets
<https://www.nzherald.co.nz/nz/waikato-dhb-cyber-attack-confidential-patient-notes-sent-to-media-by-alleged-hackers/7IUV5PHBRJZJEE44YZ55DTWAEM/>.

Mostly they seem to be coping with pencil-and-paper technology, but at
least one key service, radiotherapy, is simply out of commission for
the duration.
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Lawrence D'Oliveiro
2021-05-27 06:31:27 UTC
Permalink
According to this evening’s news, a total of 680 servers were knocked
out of action by the ransomware attack. Of these, apparently 200 have
been restored so far.

Obviously not (yet) enough to handle the cancer patients, who are
having to be sent elsewhere in the country for now. Though they are
apparently being considered a priority.

Hard to believe a single attack could have compromised so many
machines. Seems the individual who clicked on that wrong link had a
worryingly high level of access to the entire system.
_______________________________________________
wlug mailing list -- ***@list.waikato.ac.nz | To unsubscribe send an email to wlug-***@list.waikato.ac.nz
Unsubscribe: https://list.waikato.ac.nz/postoriu
David McNab
2021-05-27 07:25:34 UTC
Permalink
Post by Lawrence D'Oliveiro
Hard to believe a single attack could have compromised so many
machines. Seems the individual who clicked on that wrong link had a
worryingly high level of access to the entire system.
That, or the hackers were extremely patient to escalate very limited
initial access to full root run-of-network over what could have been months.



_______________________________________________
Post by Lawrence D'Oliveiro
https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Eric Light
2021-05-27 07:44:34 UTC
Permalink
That, or the hackers were extremely patient to escalate very limited initial access to full root run-of-network over what could have been months.
^^ Yeah this. There's every chance the initial compromise was months ago, and the criminals have been working quietly for weeks to elevate their privileges. Also likely that this group who initiated the ransomware aren't the same group that got the initial entry, nor the same group that escalated to domain admin.

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
Post by Lawrence D'Oliveiro
Hard to believe a single attack could have compromised so many
machines. Seems the individual who clicked on that wrong link had a
worryingly high level of access to the entire system.
That, or the hackers were extremely patient to escalate very limited initial access to full root run-of-network over what could have been months.
Post by Lawrence D'Oliveiro
_______________________________________________
Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
_______________________________________________
Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz
Loading...