Waikato DHB Under “Cyber Attack”

According to this report <https://www.nzherald.co.nz/nz/breaking-major-cyber-attack-at-waikato-district-health-board-all-clinical-services-affected/Y4W3S3LOQECJLU5Q6KCACS7DSE/>, clinical services at all hospitals under the Waikato DHB are being impacted by some “major cyber attack” of unspecified nature (DDoS? Ransomware?), forcing the cancellation of patient appointments. Even their landline phones are not working.

Don't be surprised if the demands (if ransomware) include the threat of mass-doxing of patients' sensitive personal clinical data.

On Tue, 18 May 2021 at 13:06, Lawrence D'Oliveiro <ldo(a)geek-central.gen.nz> wrote:
According to this report <https://www.nzherald.co.nz/nz/breaking-major-cyber-attack-at-waikato-distric...>, clinical services at all hospitals under the Waikato DHB are being impacted by some “major cyber attack” of unspecified nature (DDoS? Ransomware?), forcing the cancellation of patient appointments. Even their landline phones are not working.
wlug mailing list -- wlug(a)list.waikato.ac.nz | To unsubscribe send an email to wlug-leave(a)list.waikato.ac.nz Unsubscribe: https://list.waikato.ac.nz/postorius/lists/wlug.list.waikato.ac.nz

I wrote:
... clinical services at all hospitals under the Waikato DHB are being impacted by some “major cyber attack” of unspecified nature ...
A little bit more detail <https://www.nzherald.co.nz/nz/waikato-dhb-outage-could-take-days-to-fix-union-says-after-cyber-security-attack/V2Q3ESGHZC3KPHUUQ7R7PNNRWU/>: all phones and computers are down, and a doctors’ union is saying it could take days to fix. The Ministry of Health is describing it as an “attempted cyber incident” that happened overnight. It’s not clear what was being “attempted”, given the “attemptors” have already successfully knocked out major critical systems for a significant duration.

Further report <https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/> says “The attack disabled all IT services except email”. Kind of ironic, since that appears to have been the channel of attack ... Also: several ransomware operators have pledged that they will not target medical organizations during the current pandemic, but apparently both honor and consistency are lacking among thieves.

On Wed, 19 May 2021, at 4:51 PM, Lawrence D'Oliveiro wrote:
Further report <https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/> says “The attack disabled all IT services except email”.
Kind of ironic, since that appears to have been the channel of attack
The MX records would suggest the e-mail is hosted by SMX ( https://smxemail.com/ ), a well-known e-mail hosting company based in NZ. They also do hosting for all @xtra.co.nz (Spark Internet) addresses ( https://smxemail.com/our-company/blogs-news/press-releases/spark-brings-emai... ). As for the cause of the DHB issues, I suspect the it-came-from-e-mail answer is pure speculation at this stage.
-- Simon

Anyone know if they've found the C&C servers yet?

On Wed, 19 May 2021 at 19:01, Simon Green <mail(a)simon.green> wrote:
On Wed, 19 May 2021, at 4:51 PM, Lawrence D'Oliveiro wrote:
Further report <https://www.theregister.com/2021/05/19/new_zealand_hospitals_taken_down/> says “The attack disabled all IT services except email”.
Kind of ironic, since that appears to have been the channel of attack
The MX records would suggest the e-mail is hosted by SMX ( https://smxemail.com/ ), a well-known e-mail hosting company based in NZ. They also do hosting for all @xtra.co.nz (Spark Internet) addresses ( https://smxemail.com/our-company/blogs-news/press-releases/spark-brings-emai... ).
As for the cause of the DHB issues, I suspect the it-came-from-e-mail answer is pure speculation at this stage.
-- Simon

The hacker exercises "control". To implement this, the server sends "commands" when they get polled by the infected networks.

On Wed, 19 May 2021 at 20:39, Lawrence D'Oliveiro <ldo(a)geek-central.gen.nz> wrote:
On Wed, 19 May 2021 19:24:09 +1200, David McNab wrote:
Anyone know if they've found the C&C servers yet?
I never understood why you need two Cs. One stands for “Command”, the other stands for “Control” -- what’s the difference?

Media is full of BS... And their sources are people who don't understand what's happening. Speculation and rumours don't help. Park the gossip for now.

On Wed., 19 May 2021, 9:10 pm Lawrence D'Oliveiro, <ldo(a)geek-central.gen.nz> wrote:
On Wed, 19 May 2021 21:02:24 +1200, David McNab wrote:
The hacker exercises "control". To implement this, the server sends "commands" when they get polled by the infected networks.
Actually the term comes from military usage.

On Wed, 19 May 2021 23:20:44 +1200, Gregory Machin wrote:
Media is full of BS... And their sources are people who don't understand what's happening.
One of the TV channels gave quite a reasonable description of a ransomware attack yesterday. And their sources are people like Paul Brislen.

And the crims are cranking up the hostilities, with the release of confidential patient material to media outlets <https://www.nzherald.co.nz/nz/waikato-dhb-cyber-attack-confidential-patient-notes-sent-to-media-by-alleged-hackers/7IUV5PHBRJZJEE44YZ55DTWAEM/>. Mostly they seem to be coping with pencil-and-paper technology, but at least one key service, radiotherapy, is simply out of commission for the duration.

According to this evening’s news, a total of 680 servers were knocked out of action by the ransomware attack. Of these, apparently 200 have been restored so far. Obviously not (yet) enough to handle the cancer patients, who are having to be sent elsewhere in the country for now. Though they are apparently being considered a priority. Hard to believe a single attack could have compromised so many machines. Seems the individual who clicked on that wrong link had a worryingly high level of access to the entire system.

On Thu, 27 May 2021 at 18:31, Lawrence D'Oliveiro <ldo(a)geek-central.gen.nz> wrote:
Hard to believe a single attack could have compromised so many machines. Seems the individual who clicked on that wrong link had a worryingly high level of access to the entire system.
That, or the hackers were extremely patient to escalate very limited initial access to full root run-of-network over what could have been months.

On Thu, 27 May 2021, at 19:25, David McNab wrote:
That, or the hackers were extremely patient to escalate very limited initial access to full root run-of-network over what could have been months.
^^ Yeah this. There's every chance the initial compromise was months ago, and the criminals have been working quietly for weeks to elevate their privileges. Also likely that this group who initiated the ransomware aren't the same group that got the initial entry, nor the same group that escalated to domain admin.

E
--------------------------------------------
Q: Why is this email five sentences or less? A: http://five.sentenc.es
participants (5)
- David McNab
- Eric Light
- Gregory Machin
- Lawrence D'Oliveiro
- Simon Green