WannaCry ransomware is spreading around the globe and Microsoft has called out the U.S. government for being at least partially responsible because the malware is based on an NSA cyberweapon.
The WannaCry ransomware was based on the “EternalBlue” exploit found in a Shadow Brokers dump of NSA-linked exploits last month. The EternalBlue cyberweapon takes advantage of a flaw in Microsoft’s Server Message Block (SMB) networking protocol. After issuing an emergency patch to protect legacy systems against the threat, Microsoft said the WannaCry attacks provide “yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
“The governments of the world should treat this attack as a wake-up call,” wrote Brad Smith, president and chief legal officer at Microsoft. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Jeremiah Grossman, director of security at SentinelOne based in Palo Alto, Calif., said someone needed to call out the government regarding cyberweapon stockpiling because “this whole situation is ridiculous.”
“Look at what the whole world is going through now. When the triage is over, and we’re past this, there needs to be a gathering of the various countries and stakeholders regarding policy — again like [Microsoft] suggested,” Grossman told SearchSecurity. “Especially as we move forward into the future and exploits in other important systemic systems are found.”
Ziv Mador, vice president of security research at Trustwave, a security services company based in Chicago, said it was unlikely that Microsoft’s message would make an impact.
“If indeed they collect such zero days and similar vulnerabilities, they do it for a purpose and I find it hard to believe that a call from the industry, even from a major vendor such as Microsoft, would cause them to change their plan,” Mador told SearchSecurity. “They can prevent similar cases in the future by making sure that such information never leaks, much like any other major weapons.”
Sanjay Raja, chief marketing officer at Lumeta, a cybersecurity company headquartered in Somerset, N.J., said it shouldn’t be a surprise that the NSA would stockpile cyberweapons because the “NSA must stay ahead of nation-state threats or be vulnerable to more willing, cracking participants.”
“Blaming the NSA for taking advantage of a flaw in your OS is like a coach whining that another team took advantage of a serious flaw in your game plan. Stupid, but points the finger in the wrong direction. Plan a better game. That is my response to Microsoft,” Raja told SearchSecurity. “Understand that being the leader in OS and a leader in applications means taking responsibility for supporting them but also taking security more seriously despite the investment. That being said, it is an embarrassment to the NSA when you leave your playbook lying around.”
Elias Manousos, CEO and founder at RiskIQ, a digital threat management company headquartered in San Francisco, agreed that Microsoft was shifting blame about the WannaCry cyberweapon.
“It suits Microsoft’s interests to point the blame on others. The fact is, they stopped supporting this software many years ago, so the fault lies on end users for not moving to more secure platforms and Microsoft for abandoning them … not the adversary,” Manousos told SearchSecurity. “The NSA is a government agency that takes direction from leadership and policymakers.”
Rick Orloff, CSO of Code42, said “the U.S. government is not the bad guy here; we need to give them better tools and processes.”
“All governments with cyber capabilities stockpile vulnerabilities and this is a reality that is not going to change, we should simply move on,” Orloff told SearchSecurity. “That said, it is possible to establish criteria and a framework that would allow for a public/private partnership to address known vulnerabilities. The government could stockpile as needed and still notify a high-tech company based on established forcing functions.”
Echoes of Apple vs FBI
A number of experts noted that the WannaCry ransomware and Microsoft’s comments about governments stockpiling cyberweapons had connections to the fight between Apple and the FBI in the San Bernardino case.
The FBI wanted Apple’s help to unlock the iPhone of a suspect in a terror attack, but Apple refused. The FBI claimed it only sought access to that one phone, but Apple CEO Tim Cook said “there’s no such thing as a backdoor for the good guys; the bad guys will find it too.”
Experts said they saw the similarities to this argument in the case of WannaCry, where an exploit the government thought would be used for intelligence purposes only was eventually leaked and abused by malicious actors.
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote in the blog post. “This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”
John Bambenek, threat systems manager at Fidelis Cybersecurity, said the WannaCry exploit was actually better secured than what the FBI asked from Apple.
“The underlying exploit used in WannaCry was a highly classified exploit developed by the NSA and then stolen,” Bambenek told SearchSecurity. “Any backdoor in cellphones could not be as highly classified and protected as this exploit that was still stolen was. Once somebody leaks out the needed steps or tools to use the backdoor, it will become public to anyone who can use it and this week’s outbreak shows how real that possibility is.”
The difference in the case of WannaCry, according to Philip Lieberman, president of Lieberman Software, a cybersecurity software company based in Los Angeles, was that the role of Apple and Microsoft didn’t quite match.
“Tim Cook of Apple expressed his distrust of the government in general in using zero day or manufacturer provided known exploits in a trustworthy manner. Apple’s solution was to create a platform that they believed could not be broken. In this case, Microsoft’s product was exploited by means unknown to it, as was the phone in the San Bernardino Apple episode,” Lieberman told SearchSecurity. “It all comes down to who gets hold of vulnerabilities and what they do with them, as well as how long it takes for the holes to be plugged once they are discovered.”
Aviv Grafi, CTO of Votiro, a security company headquartered in Tel Aviv, said the NSA likely had the EternalBlue exploit that WannaCry is based on for a long time and used it “for public safety and for their own targets or goals.”
“It is clear that the FBI and NSA hold vulnerabilities that they can use for their own goals and targets. While one of the NSA’s major vulnerabilities (WannaCry) was leaked, the FBI may soon find itself in a similar situation since we also know that they hold vulnerabilities that can target Apple devices, for example,” Grafi told SearchSecurity via email. “This we learned from the San Bernardino case — and it’s evident that leakage of such information can be very dangerous — reused for crime and other cyber warfare against the public.”
Kevin Magee, global security strategist at Gigamon, said these cyberweapons held by the government can cause real world damage.
“It’s a fact today that cyberattacks are being weaponized and they are beginning to inflict considerable damage both online and in the real world. Not only have some of these attacks resulted in significant financial damages, but attacks on hospitals in particular have resulted in patient care impacts and at some point, if it has not already occurred, will result in deaths,” Magee told SearchSecurity. “It’s time for our world’s governments to begin to take responsibility for their own actions when it comes to both cybersecurity and cyberwarfare, as well as the need to recognize that the internet, hackers and cybercriminals are not limited or restrained by physical borders so an international and coordinated response is needed to tackle these challenges.”
Young-Sae Song, head of marketing at Arctic Wolf, a computer security service provider headquartered in Sunnyvale, Calif., said there is a need to balance privacy with data sharing between business and government agencies.
“There could be many benefits to greater collaboration between tech companies and law enforcement. The problem is that protecting privacy and what is for the greater good are often at odds with each other, and it’s [a] slippery slope when you start doing things on an exception basis,” Song said. “Finding and prosecuting the ones responsible for WannaCry is definitely in the interest of the greater good. However, government and private enterprise are not likely to agree on the level of cooperation needed.”
Grossman said the NSA should act now before any more cyberweapons are released.
“We’re not sure if the Shadow Brokers, or anyone else, managed to steal all of [the NSA’s] cyberweapons or exploits or just a subset,” Grossman said. “If more are in the wild, that they know of, it’s time for them to disclose to the appropriate vendors immediately — if they aren’t already.”