
Cyber attack on Barts NHS trust exploited zero-day vulnerability

A cyber attack that forced parts of Barts NHS trust offline in January 2017 has been blamed on previously unknown malware that was able to bypass the antivirus systems, highlighting a common weakness in cyber defences.

The January 2017 cyber attack on England’s largest NHS trust exploited a zero-day vulnerability, which has since been patched by the software supplier concerned.

A zero-day vulnerability is a flaw in software, hardware or firmware that is exploited as soon as or before it becomes generally known to the public.

Shortly after the attack, Barts Health Trust dismissed initial reports that it had been hit by ransomware or malware that encrypts files, saying that a Trojan appeared to be involved.

Although Trojans are typically designed to steal data, the trust said several systems had been taken offline briefly as a precautionary measure and that patient data had not been affected.

Barts Health Trust runs the Royal London, St Bartholomew’s, Whipps Cross, Mile End and Newham hospitals.

Although a “serious incident investigation” is still in progress, the minutes of a 1 March 2017 board meeting reveal some new information.

First, the malware used in the attack affected all sites except Whipps Cross, but the response was effective, “swiftly” restoring normal business activities.

Second, the virus affected pathology systems, requiring the temporary use of manual systems, but no other IT systems used to deliver clinical care.

Signature-based detection too ‘limited’

Deputy chief executive Tim Peachey, who has board-level responsibility for IT, confirmed that no ransomware had been involved and that no patient information systems had been compromised.

He also explained that the trust’s antivirus software had been up to date, but that the malware involved had not been seen before and took advantage of a previously unknown software vulnerability.

Peachey said a patch had been issued globally by the software supplier involved within 8 hours, protecting other organisations from the malware. However, he did not identify the malware or the software supplier involved.

“Truly new malware is relatively rare but, on a daily basis, we see hundreds of thousands of modified or obfuscated malware samples,” said Tony Rowan, chief security consultant at security firm SentinelOne.

“The clear objective of this process is to bypass the legacy antivirus tools that are primarily based on detecting known-bad malware based on their signatures,” he said.

The incident at Barts, said Rowan, yet again shows that the signature-based approach is very limited and needs replacing with methods capable of detecting the attributes and behaviours of malware, rather than depending entirely on “knowing” the sample from other affected sites.

Andy Norton, risk officer for Europe, Middle East and Africa at SentinelOne, said the incident also shows that, even though the existing antivirus system was up to date, malware was still able to execute unhindered.

“This is because the volume of new variants of malware far outstrips the ability of the antivirus system to keep up to date,” he said.

Increase in ransomware attacks on hospitals

At the time of the attack, security commentators said it further underlined the importance of cyber security at healthcare organisations and raised renewed fears about NHS legacy IT systems.

Hospitals are an increasingly popular attack target, either as a source of revenue, by encrypting crucial data and demanding a ransom for its release, or as a source of valuable patient personal data.

In October 2016, three hospitals run by the Northern Lincolnshire and Goole Foundation Trust were forced to cancel patient appointments and shut down systems for repairs after a ransomware attack. The affected systems were reportedly restored without paying any ransom to the cyber attackers.

The number of ransomware attacks worldwide increased rapidly in 2016, affecting a wide range of organisations, including several hospitals.

The trend is expected to continue in 2017, but security experts say ransomware attacks are likely to become more sophisticated and more targeted.

In response to a Freedom of Information request by NCC Group in 2016, 47% of NHS trusts in England admitted they had been targeted, just one trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality.

A survey by security firm Sophos found that 75% of NHS organisations believed they were “protected against cyber crime”, and 84% said encryption was becoming a necessity. However, only 10% said encryption was “well established in the organisation”. 

Since the Northern Lincolnshire and Goole ransomware attack, several trusts have been reviewing their cyber security and bolstering their defences.
