WannaCry last year put ransomware high on the agenda for NHS IT professionals, but that effort is – rightly – focused on preventing and mitigating against attacks. What may be less obvious is carrying out ransomware attack can be easy as a few keystrokes, as Vivienne Raper discovered at last year’s Public Cyber Security (PCS) conference.
It took Gary Colman 20 minutes to hack into an unprotected Windows 7 PC during his presentation at Digital Health’s inaugural Public Cyber Security Conference. He said it would have taken him two minutes had the audience not been there.
As head of IT audit and security services at the Information Security and Assurance Service (ISAS) provided by West Midlands Ambulance Service Foundation Trust, it’s Colman’s job to test how easily NHS computer systems can be breached.
And, as his PCS demonstration showed, the answer is often ridiculously easily. Among the tricks in his toolbox is demonstrating how the EternalBlue exploit – a security vulnerability in Windows – was used to spread WannaCry across the NHS.
Creating a beachhead
Colman explained the initial infection by WannaCry was through a Server Message Block (SMB) port facing the internet: “That’s the port that the EternalBlue exploit attacks.” Giving a simple example where the entire NHS was behind a firewall, he said that just one vulnerable PC contactable via an SMB port would allow the WannaCry ransomware to get behind the firewall and begin encrypting data.
“Just one pinhole in the firewall can become a beachhead onto the network and potentially compromise more devices.” Once behind the firewall, “where NHS organisations trusted each other, their firewalls also trusted each other, and that permitted the attack to spread.”
15 minute cybercrime
During his PCS presentation, Colman used two hacking tools during his PCS demonstration. Fuzzbunch and Empire can both be freely downloaded from the internet.
The former is a hacking toolkit originally stolen from America’s National Security Agency (NSA) and leaked onto the internet. You can instruction manuals for it online and, in any case, using it is not difficult. “You fire up Fuzzbunch and literally type in the IP address of the PC you want to attack. Then you tell it what operating system you think it’s running.”
Fuzzbunch “literally walks you through” the process of attacking the PC using the EternalBlue exploit and then installing DoublePulsar, a backdoor implant tool – in other words, a piece of code which allows the hacker to access the computer and send commands to it. That includes installing software.
Doing what you shouldn’t
Asked what a cybercriminal might want to run, apart from WannaCry, Colman’s response: “You can do what you like.” When you run an exploit like EternalBlue, you inherit the user permissions of whatever you’ve exploited. And unlike hacking someone’s web browser, where you might only have limited user permissions, EternalBlue lets you inherit system-level permissions.
“You can start looking in memory for passwords, if you have system-level permissions.”
The good news, according to Colman, is that WannaCry served as a wake up call to the NHS. It raised awareness of the EternalBlue exploit. “This time last year, we were finding Windows 7 boxes that were vulnerable, but these days it’s very unlikely.”
Get ready for Meltdown
Looking to the future, Colman explained the latest development in ransomware is cryptocurrency mining. Instead of encrypting devices and demanding a ransom, cybercriminals use compromised PCs to mine cryptocurrency – giving them a continuous income.
Another cyber threat that’s getting IT experts worried is Meltdown and Spectre, he said, two bugs in modern computer processors that allow attackers to steal information data from a computer. He explained that a recent study by antivirus testing company AV-TEST uncovered more than 130 new pieces of malware designed to move Meltdown and Spectre from proof-of-concept to full-blown attacks.
He warns that patching against Meltdown and Spectre is a big job as both software and firmware updates are needed.
“The good thing is NHS Digital has now been pushing everyone and patching is much higher on the organisational agenda.”
Patch, patch, patch
His message to fellow NHS IT professionals is to “do the basics and patching is one of them. As soon as patches come out, get them as soon as you can”. He explains that, out of the NHS trusts he works with, only one was hit by WannaCry.
“We were going around telling trusts to start patching”, he says, as they had several months’ notice of their vulnerability to the EternalBlue exploit. The trust that got hit was the one who’d ignored his team’s advice.