Virus Shuts Down Hospitals, Microsoft and Google's Zero Day Spat, and the Shadow Brokers Resurface

Pavel Ignatov

It's just another week in Threatwatch.

This week's cyber incidents include a virus that takes out some hospitals instead of the other way around. Keep up with the latest threats from around the world with Nextgov's Threatwatch.

UK Hospitals Cancel Operations Because of Computer Virus

A computer virus caused three English hospitals to cancel operations and outpatient services for days.

Northern Lincolnshire and Goole NHS Foundation Trust, which runs three hospitals, said experts advised it to shut down its systems so the virus could be isolated and destroyed, the BBC reported. A hospital executive said all adult patients’ appointments were canceled unless a patient exhibited a pressing clinical need, and major trauma and high-risk women in labor were sent to other facilities. Other services, such as chemotherapy, continued.

The trust discovered the virus Oct. 30 and brought most systems back online late Wednesday, but has disclosed few details about it.

Microsoft Says Russian Hackers Attacked Google-Reported Zero Day

Russia-linked hackers exploited a previously unknown vulnerability in the Windows operating system that Google disclosed before Microsoft had a patch ready.

Google on Oct. 31 said a critical vulnerability in the Windows kernel was being actively exploited, and that it was announcing the flaw seven days after its discovery, in line with its disclosure policy. Microsoft responded in a blog post Tuesday, and it was not thrilled.

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Terry Myerson, Windows and Devices Group executive vice president, wrote in the post.

Microsoft also said the threat actor it calls Strontium, also known as Fancy Bear or APT 28, used the flaw together with two Adobe Flash flaws to conduct “low-volume spear-phishing campaigns.” The group is linked to the Democratic National Committee email breaches and other recent cyber incidents at political organizations and think tanks.

“STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes,” the blog post said.

Microsoft said it is testing patches for release Nov. 8 and that customers should consider upgrading to Windows 10.

The Shadow Brokers Post List of Allegedly Hacked Servers

The hacking group that tried to sell National Security Agency hacking tools says it knows which servers the agency has used for spying operations.

The Shadow Brokers published files Oct. 31 it claims are 306 domains and 352 IP addresses of servers compromised by the Equation Group—hackers suspected, but not confirmed, to be an NSA unit, according to Motherboard.

If the list is authentic, organizations could use it to see if they have been targeted by the Equation Group, security experts told Motherboard.
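The check the experts describe, cross-referencing a published server list against an organization's own logs, as an added example that is not part of the original article. The indicator entries and the proxy and DNS log lines below are constructed for illustration and are not taken from the Shadow Brokers files; the script reports exact and subdomain hits against listed domains, and address hits against listed IPs or CIDR ranges, so that a single bad octet or a host under a listed domain is not missed.

```python
"""Cross-check proxy/DNS logs against a published indicator list.

Added example. All indicators and log lines are constructed samples,
not real indicators of compromise.
"""
import ipaddress
import re

# Constructed indicator list: one domain, IP or CIDR per line, '#' comments allowed.
INDICATORS_TEXT = """
# constructed sample indicators (not real IoCs)
mail.example-relay.test
203.0.113.45
198.51.100.0/24
"""

# Constructed log lines: squid-style proxy entries and BIND-style query log entries.
LOG_LINES = [
    "1478000001.123 45 10.0.0.7 TCP_MISS/200 512 GET http://mail.example-relay.test/ - DIRECT/203.0.113.45 text/html",
    "1478000002.456 30 10.0.0.8 TCP_MISS/200 1024 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html",
    "03-Nov-2016 10:15:01.001 client 10.0.0.9#53211: query: updates.mail.example-relay.test IN A + (10.0.0.1)",
    "03-Nov-2016 10:15:02.002 client 10.0.0.9#53212: query: example.org IN A + (10.0.0.1)",
    "1478000003.789 20 10.0.0.10 TCP_MISS/200 256 GET http://198.51.100.77/update - DIRECT/198.51.100.77 application/octet-stream",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted names ending in an alphabetic label; dotted-quad IPs do not match this.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def load_indicators(text):
    """Split an indicator list into a set of domains and a list of networks.

    Bare IPs become /32 networks so single addresses and CIDR ranges are
    handled the same way when matching.
    """
    domains, networks = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.rstrip("."))
    return domains, networks


def extract_candidates(line):
    """Pull every hostname-like and IPv4-like token out of one log line."""
    lowered = line.lower()
    return set(HOST_RE.findall(lowered)), set(IPV4_RE.findall(lowered))


def domain_hit(host, domains):
    """Exact match, or a subdomain of a listed domain (a.bad.test hits bad.test)."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def network_hit(ip_text, networks):
    """Return the listed network containing ip_text, or None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # the regex admits octets above 255; skip such tokens
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def match_line(line, domains, networks):
    """List of (indicator, observed_value) pairs found in one line, sorted."""
    hosts, ips = extract_candidates(line)
    hits = []
    for host in hosts:
        d = domain_hit(host, domains)
        if d:
            hits.append((d, host))
    for ip in ips:
        n = network_hit(ip, networks)
        if n:
            hits.append((n, ip))
    return sorted(hits)


def scan(lines, indicator_text):
    """Map 1-based line numbers to their indicator hits; clean lines are omitted."""
    domains, networks = load_indicators(indicator_text)
    results = {}
    for lineno, line in enumerate(lines, 1):
        hits = match_line(line, domains, networks)
        if hits:
            results[lineno] = hits
    return results


if __name__ == "__main__":
    for lineno, hits in scan(LOG_LINES, INDICATORS_TEXT).items():
        for indicator, observed in hits:
            print(f"line {lineno}: {observed} matches listed {indicator}")
```

Run against real logs, replace the two constructed constants with the published list and a log file read line by line; the subdomain rule is what catches a lookup such as `updates.mail.example-relay.test` when only the parent name is listed, and the CIDR rule catches any address inside a listed range rather than only the exact IP.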

Analysis by Flashpoint found that the configuration information in the files suggested the servers were used for covert reconnaissance operations performed between 2000 and 2010. The analysis also found most servers were located in China, Japan and Korea.