https://mobile.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html Kaspersky writeup: https://securelist.com/blog/inciden...sed-in-widespread-attacks-all-over-the-world/ MalwareTech tracker: https://intel.malwaretech.com/botnet/wcrypt
Oops. Here: https://www.wilderssecurity.com/thr...ters-amid-massive-ransomware-outbreak.393952/ I did search for "Wanna" ¯\_(ツ)_/¯
The excuses from Amber Rudd (UK Home Secretary) include that there are many XP systems in use in the NHS. She added: "Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can't download the effective patches and anti-virus software for defending against viruses." The reality is that this is a dreadful consequence of many years of prioritising attack over defence. As Edward Snowden said in 2013, clients are "terrifically weak". His comment on this attack: "If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened."
The NHS have a special contract with Microsoft for extended support for XP, and pay millions for it, and MS didn't issue an XP patch for the NHS? Then what are the NHS paying MS for?
From what I've read, I gather that Microsoft did issue a custom support XP patch. It's just that NHS etc didn't apply it.
Yes, I can confirm that. On my XP system (with the POSReady tweak) I got an update in March that fixed this bug (https://support.microsoft.com/en-us/help/4012598/title).
According to the customer guidance for WannaCry, Microsoft says: "We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below)." My understanding from that is that the patch was not available to XP users in March but is now. Source: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
For regular users the patch was not available. For users that pay for support (or those that take advantage of the "POSReady" trick) the update was released in March. Since this is a big problem, MS decided to release the update for regular users also.
According to https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/: "In March, we released a security update which addresses the vulnerability that these attacks are exploiting." One assumes that the NHS had the MS Custom Support Package; if so, would they have had the patch available? As @Minimalist pointed out, MS has released the patch for everyone now. However, I now see that Jeremy Corbyn (leader of the Labour party in the UK) has said: "But I'm also very angry that in 2014, there was a one-year renewal of the protection system on the NHS systems which was not renewed after that and not renewed the year after that and so our systems are now not upgraded and not protected." So the systems have been unpatched since 2015. Nominally, back in 2014, the UK govt paid £5.5M for a year's support contract, while the XP EOL notice was back in 2007 - 10 years ago. Stepping back, my view is that the focus on XP and support is a smokescreen - it's egregious that it's still in use in an organisation like the NHS and doubly negligent that it was unsupported, while people including me have been warning the govt for years about this, but I don't believe that we're at all immune from attacks on modern, well-patched operating systems either. Furthermore, while they claim that patient data has not (as far as they know) been lost, I have no confidence whatsoever that that has not already occurred on the quiet, since the systems have been unpatched for years. Nor is it in any way comforting that an independent security researcher/hero apparently slowed the infection rate by registering a domain name - while the (recently) lavishly funded National Cyber Security Centre have been doing retrospective hand-wringing, and funding for security audits on critical infrastructure, and particularly open source software, is essentially zero. Nor do the UK have anything equivalent to the Vulnerabilities Equities Process (granted that that seems toothless).
In any case, this vulnerability was made available via leaked NSA attack tools. Meanwhile the real focus of government is betrayed by their focus on surveillance and assaults on encryption and demanding backdoors.
As an update to the UK NHS story, NHS Digital claim that they released the patch in April to the various NHS trusts. I'm not clear whether they have a contract with MS; nevertheless, it seems like the patch was available to the organisation in April but hadn't been applied. Of course, some of the affected XP machines are controllers for dedicated medical equipment. But then clearly those ought not to be browsing or mailing, and "should" be protected from the great unwashed by firewalls. But I doubt very much that the networks are adequately partitioned, and therefore they will be vulnerable to IoT devices and webcams and any other weak clients. A truly dismal state of affairs, with politicians busy downplaying how bad the situation is. The only thing that raised a wry smile was the meaningless reassurance that there was "no evidence" that patient data had been exfiltrated. But, given the obvious level of vulnerability, I'd be extremely confident that data has already been stolen; they just don't know about it.