What’s going on with the HSE cyberattack?

What is Conti ransomware? Who is Wizard Spider? Here’s what you need to know about the HSE cyberattack.

Overnight last Thursday (13 May), the Irish Health Service Executive (HSE) suffered a “significant and serious” cyberattack.

Said to be the most serious cyberattack ever to hit the State’s critical infrastructure, it impacted healthcare services across the country. Forced to shut down their IT systems on Friday, hospitals and other HSE services were left without access to electronic health records, causing significant disruption.

Disruption continued through the weekend and the HSE continues to provide updates on the impact of the attack via HSE.ie.

As of today (17 May), most healthcare appointments will continue as planned. However, the HSE advised that x-ray appointments in particular are severely affected.

Covid-19 vaccination services continue to operate with no disruption. Emergency health services across the country are also continuing as usual, however there may be delays in service provision.

What happened?

Investigations into the HSE cyberattack are ongoing but what we do know so far is that Cobalt Strike Beacon, a tool that can give remote access to hackers, was found on the HSE’s IT system. This enabled attackers to move within the computer network and execute their malware.

The malware unleashed by the hackers is a form of ransomware known as Conti.

What is Conti ransomware?

“Conti is designed to be operated by the attacker, rather than via an automated process, and it contains unique features that allow a more targeted and quicker attack,” said Patrick Wragg, cyber incident response manager at Integrity360.

“Conti’s ransomware operations have targeted a wide variety of sectors globally, which include construction, manufacturing, and retail,” Wragg added.

Ransomware encrypts the files on a system and demands payment to restore access. The information being held to ransom in this case could include patient data, though this has not yet been confirmed. However, if hackers have gained access to sensitive information such as this via the attack, the HSE could be doubly vulnerable.

Conti is known as ‘double-extortion’ ransomware, meaning that as well as holding access to systems to ransom, the malware might also steal information stored on the system. Hackers can then threaten to release this private information online if a payment is not made.

Has the HSE cyberattack infiltrated other systems?

On Thursday, the National Cyber Security Centre (NCSC) was made aware of the HSE cyberattack as well as an attempted attack on the Department of Health.

The NCSC implemented a response plan that included the suspension of some functions of IT systems as a precautionary measure. In the case of the Department of Health, the attempt to execute the ransomware was detected and prevented by the cybersecurity measures in place.

This attack and the HSE cyberattack are still under investigation by the NCSC, alongside An Garda Síochána, the Office of the Government Chief Information Officer and third-party contractors.

Who is behind the HSE cyberattack?

Wizard Spider, an organised group of cyber-criminals based in eastern Europe, is reportedly behind both the HSE cyberattack and the attempted attack on the Department of Health. This group has taken to targeting large organisations with high ransoms in recent years.

“What we’ve seen in our line of work is that the people behind these ransomware attacks are typically organised crime syndicates,” said Smarttech247 CEO and founder Ronan Murphy.

“Some of the high profile attacks on critical infrastructure in Europe and North America in recent times have been carried out by organised crime syndicates coming out of eastern Europe and Russia.”

Why were HSE IT systems shut down?

Shutting down the HSE’s IT systems serves both as a precautionary measure and allows cybersecurity teams to investigate the attack.

“In shutting everything down, it would appear HSE were unable to confidently isolate the problem by switching off just part of the network or even just quarantining the problematic IT assets out of the network,” suggested Amit Serper, assistant vice-president of security research at Guardicore Labs.

How long will it take to get HSE services back online?

Currently, specialists are working to clean infected devices and restore the HSE’s IT systems. Brooks Wallace, VP for the EMEA branch of Deep Instinct, explained: “Not only will they have to triage the infected machines, but they will also need to stop the lateral spread, likely using multiple tools and consoles, but with limited resources.”

There is no quick fix. Unpicking this long route out of a tangled web is what has to be done, as the only alternative is to give in to the attackers’ demands. “The more sensible option is to recover compromised data and rebuild systems from scratch, but in some cases this can take weeks,” said Noel O’Grady, director of Sungard Availability Services Ireland.

Why not just pay the ransom?

Paying ransoms for cyberattacks is not advised. “First instinct may be to just give in to demands, but paying hackers sends the message that an organisation is willing to hand over money and can put a target on them for future attacks,” said O’Grady.

Unfortunately, because some victims of ransomware have shelled out big sums to attackers, this has become big business, which leads to more attacks. In the case of the recent Colonial Pipeline cyberattack, it’s reported that the payment of a $5m ransom has only exacerbated this escalating problem.

The HSE, on the other hand, “is absolutely correct in containing the problem”, according to Paul Donegan, Palo Alto Networks country manager for Ireland.

According to a study from Unit 42, the threat intelligence arm of Palo Alto Networks, the average ransom paid more than tripled in 2020 to more than $300,000, while the highest demand from cyber-extortionists reached $30m. This is already heightening in 2021, with average pay-outs almost tripling again and a new record demand of $50m reported by Unit 42.

Should other organisations be on alert for similar attacks?

In a word, yes. The NCSC issued an advisory on the HSE cyberattack which offers guidance for other organisations to detect and prevent a similar attack. This advisory will be updated as more details are revealed through the investigation.

Brian Honan, CEO and founder of BH Consulting and former special adviser on cybersecurity to Europol, strongly recommended all government agencies and private sector companies follow the NCSC guidance and to check systems for the indicators of compromise in its advisory.

Honan also recommended the DFIR Report’s information on Conti ransomware for more indicators as well as the known tactics, techniques and procedures of this cyber threat.
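The advice above is to check systems against the indicators of compromise published in the advisory. The script below is an added example of what that check looks like in practice; it is not code from the article, the NCSC or the DFIR Report, and every hash, domain, file and log line in it is a constructed placeholder standing in for the advisory's real lists. It sweeps a directory for files whose SHA-256 matches a known-bad hash and scans proxy log lines for connections to listed domains (including their subdomains), which are the two most common forms an advisory's IoCs take.

```python
"""Added example: sweep a host for advisory-style indicators of compromise.

All indicators below are CONSTRUCTED placeholders; a real sweep would load the
hash and domain lists published in the advisory instead.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed stand-in for a flagged binary; its hash becomes our one "known bad" hash.
SAMPLE_MALICIOUS_BYTES = b"constructed sample: stands in for a flagged binary\n"
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest()}

# Constructed placeholder domains (not real IoCs).
IOC_DOMAINS = {"c2-placeholder.example", "staging-placeholder.example"}

# Constructed proxy log lines in common log format; only the third is benign.
SAMPLE_PROXY_LOG = [
    '10.0.4.17 - - [14/May/2021:02:11:09 +0100] "CONNECT c2-placeholder.example:443 HTTP/1.1" 200 512',
    '10.0.4.22 - - [14/May/2021:02:13:41 +0100] "GET http://staging-placeholder.example/a.txt HTTP/1.1" 200 1024',
    '10.0.4.30 - - [14/May/2021:02:15:02 +0100] "GET http://updates.example/patch HTTP/1.1" 200 2048',
]


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files are never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path, hashes: set) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every regular file under root whose hash is an IoC."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        if digest in hashes:
            hits.append((str(p), digest))
    return hits


# Pull the destination host out of a GET/POST URL or a CONNECT request line.
_HOST_RE = re.compile(r"(?:https?://|CONNECT\s+)([A-Za-z0-9.-]+)")


def extract_host(line: str) -> Optional[str]:
    m = _HOST_RE.search(line)
    return m.group(1).lower() if m else None


def scan_log(lines, domains) -> List[Tuple[int, str]]:
    """Return (line number, host) for lines contacting an IoC domain or one of its subdomains."""
    hits = []
    for n, line in enumerate(lines, start=1):
        host = extract_host(line)
        if host and (host in domains or any(host.endswith("." + d) for d in domains)):
            hits.append((n, host))
    return hits


def run_demo() -> Tuple[int, List[str]]:
    """Build a throwaway directory with one flagged file, sweep it, then scan the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "flagged.exe").write_bytes(SAMPLE_MALICIOUS_BYTES)
        (root / "notes.txt").write_text("nothing to see here\n")
        file_hits = scan_files(root, IOC_SHA256)
    log_hits = scan_log(SAMPLE_PROXY_LOG, IOC_DOMAINS)
    return len(file_hits), [host for _, host in log_hits]


if __name__ == "__main__":
    print(run_demo())
```

A hash match is only as good as the file it was taken from, so a real sweep pairs it with the advisory's other indicators (file paths, registry keys, domains) and treats any hit as a trigger for isolation and investigation rather than as proof on its own.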

What can be done to effectively guard against such attacks in future?

In response to the HSE cyberattack, some cybersecurity professionals have pointed to the principle of ‘zero trust’ as an answer to these increasing threats from attackers.

“The driving principle of zero trust is ‘trust nothing and verify everything’,” explained Donegan. “It helps those that implement it to defend against all known attack vectors, including malicious insider and phishing attacks, by restricting the attacker’s ability to move through the network and alerting on their activities as they attempt to do so.”

Others have pointed to the danger that overworked staff pose to effective cybersecurity policies. “Given the nature of the industry, healthcare personnel are often severely time constrained, leading them to click, download, and rapidly handle email, while possibly falling victim to carefully-crafted social engineering based email attacks,” said Peter Carthew, director of public sector for UK and Ireland at Proofpoint.

“Nearly all targeted attacks rely on human interaction to work. Educating and training workers on what to watch out for, maintaining offline backups, implementing strong password policies, and developing ransomware response playbooks are vital defences against the numerous threats facing the sector today,” he said.

Oz Alashe, CEO and founder of CybSafe, emphasised this need to focus on the human factors of cybersecurity risk. “It’s crucial that public sector organisations are taking steps to not only raise awareness of such cyber threats, but also provide security training and support that takes this human aspect into consideration in order to help prevent these attacks in future.”

This all-hands approach is one way to alleviate the burden on cybersecurity teams, who are struggling to protect against the variety and strength of attacks out there. A recent Proofpoint survey of global chief information security officers (CISOs) showed that they are feeling overwhelmed by the vast array of threats coming from all angles. With so many threats to protect from, prioritisation becomes an issue, with only 25pc of public sector CISOs listing ransomware in their top three cyber threats.

For further guidance on preventing ransomware, BH Consulting’s whitepaper offers advice on where to start in planning these defences.



For a true display of wealth, dab printer ink behind your ears instead of Chanel No. 5 • The Register

Printer ink continues to rank as one of the most expensive liquids around with a litre of the home office essential costing the same as a very high-end bottle of bubbly or an oak-aged Cognac.

Consumer advocate Which? has found that ink bought from printer manufacturers can be up to 286 per cent more expensive than third-party alternatives.

Dipping its nib in one inkwell before delicately wiping off the excess on some blotting paper, Which? found that a multipack of colour ink (cyan, magenta, yellow) for the WorkForce WF-7210DTW printer costs £75.49 from Epson.

“This works out at an astonishing £2,410 a litre – or £1,369 for a pint,” said Which?.

The consumer outfit also reported that since the Epson printer also requires a separate Epson black cartridge for £31.99, it takes the combined cost of replacement inks for the Workforce printer to a wallet-busting £107.98.

On the other hand, if people ditched the brand and opted for a full set of black and colour inks from a reputable third-party supplier, it would cost just £10.99 – less than a tenth of the price.

Printing has become essential for plenty of workers holed up at home during the pandemic. The survey by Which? of 10,000 consumers found 54 per cent use their printer at least once a week. Which? said it estimates an inkjet cartridge would need to be replaced three times a year.

The report discovered tactics used by the big vendors to promote the use of “approved”, “original”, and “guaranteed” ink supplies.

It found Epson devices, for example, flagging up a “non-genuine ink detected” message on its LCD screen when using a non-Epson cartridge, and HP printers are actively blocking customers from using non-HP supplies.

Adam French, a consumer rights champion at Which?, reckons this situation is simply unacceptable.

“Printer ink shouldn’t cost more than a bottle of high-end Champagne or Chanel No. 5,” said French. “We’ve found that there are lots of third-party products that are outperforming their branded counterparts at a fraction of the cost.”

In a rallying call to consumers he said that third-party ink should be a personal choice and not “dictated by the make of your printer.”

“Which? will continue to make consumers aware of the staggering cost differences between own-brand and third-party inks and give people the information they need to buy the best ink for their printer,” he said.

Which is exactly what the Consumers’ Association said almost 20 years ago when it reported that printer ink cost around £1,700 a litre. Then – as now – the Consumers’ Association advised consumers to steer clear of brand-name printer cartridges and pick cheaper alternatives instead.

The survey by Which? found that 16 third-party brands beat the big brands in terms of ink prices.

Epson wasn’t the only printer biz to be singled out for sky-high ink prices. Canon and HP were fingered too.

For its part, Epson said customers “should be offered choice… to meet their printing needs” and listed a number of options including its EcoTank systems and a monthly Ink Subscription service.

And in a nod to anyone looking to save money by using a third party, Epson said: “Finally, as non-genuine inks are not designed or tested by Epson we cannot guarantee that these inks will not damage the printer. Whilst Epson does not prevent the use of non-Epson inks, we believe that it is reasonable, indeed responsible, that a warning is displayed as any damage caused by the use of the inks may invalidate the warranty.”

As part of its investigation, Which? found that some HP printers use a system called “dynamic security” which recognises cartridges that use non-HP chips and stops them from working.

HP has tried to battle against third-party ink makers trying to capture supplies sales by overhauling the model of its printer business: by shifting to ink tank printers that come pre-loaded with supplies for an estimated timeframe; or by selling the printer hardware for more upfront and allowing biz customers or consumers to buy the supplies they want.

In response to Which?, HP said it “offers quality, sustainable and secure print supplies with a range of options for customers to choose from, including HP Instant Ink – a convenient printing subscription service with over 9 million users that can save UK customers up to 70 per cent on ink costs, with ink plans starting at £0.99 per month.”

Reg readers may remember the kerfuffle around HP’s Instant Ink. The free plan was reinstated, sort of. For existing customers.

Over at Canon, a spokesperson said third-party ink products can work with its printers, but the “technology inside is designed to function correctly with our genuine inks which are formulated specifically to work with Canon technology.”

“Customers are encouraged to use genuine inks to ensure the longevity of their printer, and also to ensure that their final prints are of a standard we deem Canon quality. In addition, the use of third party inks invalidates the warranty of the printer.”

With almost four in ten (39 per cent) people saying that they do not use third-party cartridges because of fears that they might not work with their printer, it might go some way to explain why more than half (56 per cent) of the consumers quizzed said they persist with using potentially pricey original-branded cartridges despite cheaper alternatives being available. ®

Repligen to create 130 new jobs in Waterford site expansion

The project adds to the 74 people already employed at the Artesyn Biosolutions facility acquired by Repligen in 2020.

Repligen Corporation is undertaking an expansion of its Waterford site which will see 130 new jobs created, Tánaiste and Minister for Enterprise, Trade and Employment Leo Varadkar, TD, has announced.

The life sciences company is building a new 3,000 sq m facility which will be a centre of excellence for single-use consumable products used in bioprocessing applications. The site currently hosts a 1,000 sq m facility employing 74 people, which was established by Ireland’s Artesyn Biosolutions before that company was acquired by Repligen last November.

Repligen Corporation is a multinational that produces bioprocessing products for use in the pharmaceutical manufacturing process. Headquartered in Massachusetts, the company has sites across the United States and in Estonia, France, Germany, Sweden and the Netherlands, as well as here in Ireland.

According to the company, the new building will be certified silver on the Leadership in Energy and Environmental Design (LEED) rating system from the US Green Building Council. The consumable products manufactured there will be used in filtration and chromatography systems during the production of vaccines and other biopharmaceutical products.

Commenting on the announcement, Varadkar said: “This is excellent news from Repligen with the creation of 130 new jobs in Waterford. It comes on foot of a major jobs announcement by Bausch and Lomb. Waterford is on the move as a centre for jobs and investment.

“I wish the team the very best with their expansion plans.”

James Bylund, senior vice-president at Repligen, added: “We are thrilled to continue the collaboration with the Irish Government and the IDA that was initiated by the Artesyn team. This build-out is an important step in expanding our capacity and establishing dual manufacturing sites for key single-use consumable products used in manufacture of biological drugs.

“With its LEED Silver designation, the facility is closely aligned with our commitment to responsible growth and sustainability.”

Dr Jonathan Downey, managing director at the Waterford facility, said: “Having delivered beyond our commitment in 2019 to bring new jobs to the region through our development of high-end manufacturing capabilities, we are energised and excited about our integration with Repligen and this next phase of growth.

“In addition to our expansion of Artesyn products, and the transfer of manufacturing of certain of Repligen’s current products to our Irish operations, we expect to be utilising the Irish sites to advance additional research, development and innovation programs.”

Emmanuel Macron ‘pushes for Israeli inquiry’ into NSO spyware concerns | France

Emmanuel Macron has reportedly spoken to the Israeli prime minister, Naftali Bennett, to ensure that the Israeli government is “properly investigating” allegations that the French president could have been targeted with Israeli-made spyware by Morocco’s security services.

In a phone call, Macron expressed concern that his phone and those of most of his cabinet could have been infected with Pegasus, hacking software developed by the Israeli surveillance firm NSO Group, which enables operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones from infected devices.

The leaked database at the heart of the Pegasus project includes Macron’s mobile phone number.

NSO has said Macron was not a “target” of any of its customers, meaning the company denies he was selected for surveillance using Pegasus. The company says that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.

The Pegasus project could not examine the mobile phones of the leaders and diplomats, and could therefore not confirm whether there had been any attempt to install malware on their phones.

What is in the Pegasus project data?

What is in the data leak?

The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.

What does the leak indicate?

The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

What did forensic analysis reveal?

Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.

Which NSO clients were selecting numbers?

While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.

What does NSO Group say?

You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a “target” to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent “targets” of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus. 

What is HLR lookup data?

The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.

The Macron-Bennett phone call reportedly took place on Thursday, but was first reported by Israel’s Channel 12 News on Saturday evening after the end of Shabbat, the Jewish day of rest.

The prime minister’s office has declined to comment on the phone call or the two leaders’ conversation. According to Channel 12, an unnamed source said Bennett had stressed that the alleged events occurred before he took office in May, and that a commission was examining whether rules on Israel’s export of cyberweapons such as Pegasus should be tightened.

The Pegasus project – a consortium of 17 media outlets, including the Guardian – revealed last week that government clients around the world have used the hacking software sold by NSO to target human rights activists, journalists and lawyers.

The investigation has been based on forensic analysis of phones and analysis of a leaked database of 50,000 numbers, including that of Macron and those of heads of state and senior government, diplomatic and military officials, in 34 countries.

In multiple statements, NSO said the fact a number appeared on the leaked list was in no way indicative of whether it was selected for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO Group in any way.”

But the list is believed to provide insights into those identified as persons of interest by NSO’s clients. It includes people whose phones showed traces of NSO’s signature phone-hacking spyware, Pegasus, according to forensic analysis of their devices. The analysis was conducted by Amnesty International’s security lab, which discovered traces of Pegasus-related activity on 37 out of 67 phones that it analysed.

What is the Pegasus project?

The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.

Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.

While the rest of the world grapples with the seismic consequences of the revelations, in Israel reaction has been muted. Meretz, a leftwing party long in opposition but now part of the new government coalition, has asked the defence ministry for “clarification” on the issue, but no party is seeking a freeze of export licences or an inquiry into NSO’s close links to the Israeli state under the tenure of the former prime minister Benjamin Netanyahu.

The defence minister, Benny Gantz, has defended export licences for the hacking tools, claiming that “countries that purchase these systems must meet the terms of use”, which are solely for criminal and terrorism investigations.

But as the mammoth impact of the disclosures has become clearer, the diplomatic pressure on Israel is mounting. On Thursday, the senior Israeli MP Ram Ben-Barak – a former deputy head of the Mossad spy agency – confirmed that the Israeli defence establishment had “appointed a review commission made up of a number of groups” to examine whether policy changes were needed regarding sensitive cyber exports.

US defence officials have also asked their Israeli counterparts for more details on the “disturbing” disclosures stemming from the Pegasus project, the Israeli newspaper Haaretz reported on Saturday.
