Ireland’s Health Service Executive (HSE) was nearly crippled by ransomware after a single user opened a malicious file attached to a phishing email, a damning report from a consulting firm has revealed.
Released today, the report from PWC (formerly PriceWaterhouseCoopers) stated that the extremely dangerous Conti ransomware infection was the result of infosec’s simplest known attack vector: spam.
PWC said, in the summary of the report:
“Malware infection is the result of the user of the Patient Zero workstation clicking and opening a malicious Microsoft Excel file attached to a phishing email sent to the user on the 16th March 2021.”
Worse yet, PWC said that HSE staff spotted the WizardSpider team responsible for the infection operating on HSE networks – but “this did not result in a cybersecurity incident or investigation being initiated by the HSE”.
“As a result, opportunities to prevent the successful detonation of the ransomware have been missed.”
PWC also stated that the WizardSpider criminal team that pwned the HSE likely “exploited a known, unpatched vulnerability” to gain access to the HSE’s Active Directory domain. The vuln was not identified in the full report, potentially suggesting that it may still exist in corners of the HSE network.
HSE President Ciarán Devane said in a statement today: “It is clear that our IT systems and our cybersecurity readiness are in need of a major transformation. This report highlights the speed at which the sophistication of cybercriminals has grown, and it contains important lessons for public and private sector organizations in Ireland and beyond.”
The HSE was also found wanting in its own after-action review; the executive summary can be downloaded as an 18-page PDF. The full report is 157 pages long (PDF) and includes colourful graphics.
Ireland’s National Cyber Security Center (INCSC) named the ultimate payload, run two months after initial access was established, as Conti v3, a 32-bit executable that encrypts everything within its reach.
Two months after gaining access, Conti pressed the big red button: much of the Irish health service lost its computer systems as responders struggled to contain the ransomware infection. Prior to that, however, the antivirus on the HSE endpoints had detected both Cobalt Strike and Mimikatz being deployed to the Patient Zero workstation.
During a five-day period in early May 2021, WizardSpider compromised systems at five separate hospitals, breaking into three more by May 12. Although the hospital’s internal security team was notified by its external “cybersecurity solution provider” of unusual alerts, no action was taken until WizardSpider deployed its main Conti ransomware payload on May 14.
We saw, we came, we conquered
There was a belated chance to stop the ransomware extortionists, which was missed, as PWC recounted:
The antivirus vendor was not named in the PWC report.
Meanwhile, another hospital had launched its incident response plan. This resulted in the resetting of 4,500 passwords, changes to the firewall configuration, and many similar security-related activities. Unfortunately, although the hospital told the central HSE team that it had identified suspicious activity on two HSE servers, the HSE “incorrectly concluded in an email between the HSE teams that the suspicious activity originated from Hospital A, rather than the other way around”.
The report, an exceptionally candid document for a public release, will be a fascinating read for any organization trying to better prepare for one of the world’s worst security threats. Without a doubt, it will also be useful to infosec managers when their organizations switch to budgeting mode for 2022. ®