4 March 2017

Barts NHS trust security breach observations

In January 2017 it became public that the largest NHS trust in England had suffered a successful attack. The media concluded that it was a ransomware attack, the usual assumption these days, but NHS officials disputed that.

New facts were disclosed publicly on 1 March at the trust's board meeting. The original report says that the attack was carried out by “a new virus not seen previously”. Here is the relevant passage from the report:

An IT virus had affected the Trust’s networks during January 2017. It was confirmed that this had affected all sites, except Whipps Cross but that the response had been effective and the Trust had swiftly returned to business as usual. The virus had affected pathology systems (requiring the temporary use of manual systems), but no other IT systems used to deliver clinical care. A serious incident investigation was under way and further details would be shared once this had concluded. The Deputy Chief Executive noted some inaccuracies in media reporting about this incident, confirming that this virus had not been a ransomware attack and that the Trust’s patient information systems had not been hacked or otherwise compromised (with no patient data stolen or at risk). He explained that the Trust’s antivirus software had been up to date and that this had been a new virus not seen previously. A ‘patch’ had been issued globally within 8 hours, protecting other organisations from this virus. He thanked teams for their hard work and support to maintain business as usual standards in difficult circumstances. The Chief Executive noted that she had visited Pathology departments to thank them for their work during the affected weekend to oversee contingency arrangements.

From this report and the statements made earlier to the media, we may conclude that the only security control that mattered here was signature-based antivirus, and it had no signature for this particular sample or variant. The ‘patch’ issued globally within 8 hours reads as an antivirus signature update, not a fix for the affected systems. A little googling also shows that NHS computers still run Windows XP, which Microsoft stopped supporting in April 2014. With no vendor patches available for the operating system, antivirus is left as the only line of defence on those hosts.

The attack affected the following hospitals: the Royal London, St Bartholomew’s, Mile End and Newham. Since the IT department had to disconnect network shares and some drives to contain it, the malware was most likely a worm spreading through SMB shares. A worm of that kind copies itself to every writable share it can reach with the credentials of the logged-on user, so taking the shares offline cuts its propagation path even when the antivirus has no signature for it.
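One way to spot that kind of share fan-out in Windows event logs, as an added example that is not part of the original post and not the trust's own tooling: the script below takes Security event 5140 (“A network share object was accessed”) records, flattened here into a constructed pipe-separated layout, and flags any account and source address that writes to several distinct hosts within a short window. The field layout, the 60-second window, the threshold of four hosts and the sample records are all assumptions made for the example. Reads are ignored on purpose: a scanner or monitoring account touching many hosts read-only is normal, while a worm has to write.

```python
"""
Detect worm-like SMB fan-out in Windows share-access events.

Added example, not code from the original post. It assumes Security
event 5140 records flattened into one pipe-separated line per event
(timestamp|event id|account|source IP|target host|share path|access mask);
that layout and the sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 60               # how close together the writes must be
FANOUT_THRESHOLD = 4              # distinct hosts written to within the window
WRITE_MASK = 0x2 | 0x4            # WriteData / AppendData bits of the access mask
ADMIN_SHARES = {"C$", "ADMIN$"}   # shares an ordinary user should never write to

# Constructed sample: a normal user, a read-only monitoring account, and one
# workstation pushing files to five hosts in ten seconds.
SAMPLE_LOG = r"""
2017-01-13T08:02:11|5140|NHS\jsmith|10.10.4.21|PATH-FS01|\\PATH-FS01\Results|0x1
2017-01-13T08:05:40|5140|NHS\jsmith|10.10.4.21|PATH-FS01|\\PATH-FS01\Results|0x2
2017-01-13T08:09:02|5140|NHS\jsmith|10.10.4.21|PATH-FS02|\\PATH-FS02\Archive|0x2
2017-01-13T08:10:00|5140|NHS\svc-monitor|10.10.1.5|PATH-WS01|\\PATH-WS01\C$|0x1
2017-01-13T08:10:01|5140|NHS\svc-monitor|10.10.1.5|PATH-WS02|\\PATH-WS02\C$|0x1
2017-01-13T08:10:02|5140|NHS\svc-monitor|10.10.1.5|PATH-WS03|\\PATH-WS03\C$|0x1
2017-01-13T08:10:03|5140|NHS\svc-monitor|10.10.1.5|PATH-WS04|\\PATH-WS04\C$|0x1
2017-01-13T08:10:04|5140|NHS\svc-monitor|10.10.1.5|PATH-WS05|\\PATH-WS05\C$|0x1
2017-01-13T08:14:03|5140|NHS\adavies|10.10.4.77|PATH-WS11|\\PATH-WS11\C$|0x2
2017-01-13T08:14:05|5140|NHS\adavies|10.10.4.77|PATH-WS12|\\PATH-WS12\C$|0x2
2017-01-13T08:14:06|5140|NHS\adavies|10.10.4.77|PATH-WS13|\\PATH-WS13\ADMIN$|0x2
2017-01-13T08:14:09|5140|NHS\adavies|10.10.4.77|PATH-FS01|\\PATH-FS01\Results|0x2
2017-01-13T08:14:12|5140|NHS\adavies|10.10.4.77|PATH-WS14|\\PATH-WS14\C$|0x2
2017-01-13T08:14:12|5140|NHS\adavies|10.10.4.77|PATH-WS14|\\PATH-WS14\C$|0x6
"""


def parse_line(line):
    """Split one flattened 5140 record into typed fields."""
    ts, event_id, account, src_ip, target, share_path, mask = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "src_ip": src_ip,
        "target": target,
        "share": share_path.rsplit("\\", 1)[-1],   # \\HOST\C$ -> C$
        "mask": int(mask, 16),
    }


def parse_log(text):
    """Parse every non-empty line of the flattened log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_fanout(events, window_seconds=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return one alert per (account, source IP) that writes to at least
    `threshold` distinct hosts inside any span of `window_seconds`.
    Read-only access is ignored: fan-out of writes is what a worm needs."""
    window = timedelta(seconds=window_seconds)
    writes = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 5140 and ev["mask"] & WRITE_MASK:
            writes[(ev["account"], ev["src_ip"])].append(ev)

    alerts = []
    for (account, src_ip), evs in writes.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {}                       # host -> first share written there
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                targets.setdefault(ev["target"], ev["share"])
            if len(targets) >= threshold:
                alerts.append({
                    "account": account,
                    "src_ip": src_ip,
                    "first_seen": start["ts"],
                    "targets": sorted(targets),
                    "admin_shares": sorted(host for host, share in targets.items()
                                           if share.upper() in ADMIN_SHARES),
                })
                break                          # the first window that trips is enough
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_log(SAMPLE_LOG)):
        print(f"{alert['account']} from {alert['src_ip']} wrote to "
              f"{len(alert['targets'])} hosts from {alert['first_seen']}: "
              f"{', '.join(alert['targets'])}; admin shares on "
              f"{', '.join(alert['admin_shares']) or 'none'}")
```

On the sample only the adavies workstation trips the rule; the user who writes to two file servers minutes apart and the monitoring account that reads C$ on five hosts do not. On a real export you would feed it the parsed 5140 (or 5145, which adds the file name) records from your SIEM and tune the window and threshold to the environment's normal share traffic. Writes to C$ and ADMIN$ from a workstation are called out separately because an ordinary user has no business writing there, and they are where a worm drops its copy.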

Yesterday some media outlets reported that a zero-day vulnerability was used in this attack. We believe that statement is FALSE: “a new virus not seen previously” describes a sample the antivirus had no signature for, not an exploit for an unknown vulnerability, and a worm that spreads by copying itself to network shares needs no vulnerability at all. To head off further speculation, we do not believe this was a targeted attack either. Most likely it was an opportunistic infection with commodity malware, the kind of infection we see daily in organizations with poorly implemented security controls.
