Endpoint Security , Ransomware , Technology

Post-WannaCry, Microsoft Slams Spy Agency Exploit-Hoarding

Software Flaws from Stockpiles Cause Long-Term Damage, Company's Chief Attorney Says
Post-WannaCry, Microsoft Slams Spy Agency Exploit-Hoarding
Microsoft Chief Legal Officer Brad Smith addresses the RSA 2017 Conference in San Francisco on Feb. 14. (Photo: Mathew J. Schwartz, ISMG)

Microsoft's chief legal officer directed criticism at U.S. spy agencies Sunday, warning that civilians are at risk if governments stockpile libraries of software vulnerabilities that may eventually fall into the hands of cybercriminals.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

The warning comes just days after an unprecedented global wave of file-encrypting malware, which spread quickly because of a software worm believed to have been developed by the National Security Agency (see WannaCry Ransomware Outbreak Spreads Worldwide).

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," writes Brad Smith, Microsoft's chief legal officer, in a blog post. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

More than 200,000 endpoints reportedly have infected worldwide by the WannaCry - aka WannaCrypt - ransomware, which has been demanding $300 to unlock files. The attacks have crippled hospitals, telecommunications companies and medical organizations, among other organizations, in more than 150 countries. The worm capability being used to spread WannaCry also means that once the malware had entered a network, it could quickly spread throughout an organization, warns U.K.-based security researcher Kevin Beaumont.

Worm Delivers Ransomware

Ransomware and computer worms have been around for decades, says Mick McCluney, Trend Micro's technical director for Australia and New Zealand. But in the case of WannaCry, "we've seen the two come together very powerfully," he says.

The NSA has never confirmed the unauthorized disclosure of its software tools. So Smith's unusually blunt attribution of the software worm to the NSA adds to experts' suspicions that the agency is the source.

"Extraordinary: Microsoft officially confirms @NSAGov developed the flaw that brought down hospitals this weekend," writes Edward Snowden - the former U.S. government contractor who leaked broad documents in 2013 that described domestic NSA surveillance - on Twitter.

Spy Agency Leaks

The WannaCry outbreak has again brought into focus the U.S. government's policies regarding handling software vulnerabilities. U.S. spy agencies rely on unknown software flaws in order to access adversaries' networks for intelligence (see Zero-Day Facts of Life Revealed in RAND Study).

In the past year, the NSA and CIA have been caught off guard by devastating leaks of their most sensitive attack techniques and capabilities. The WannaCry ransomware attack has also brought full circle what some had predicted: Cybercriminals would use intelligence agencies' leaked attack tools and bring untold havoc.

Smith writes that the equivalent of the ransomware incident in the physical world "would be the U.S. military having some of its Tomahawk missiles stolen."

"The governments of the world should treat this attack as a wake-up call," he writes. "We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

The opposing view is that spy agencies need software vulnerabilities to do critical intelligence-gathering for national security investigations. Without those tools, the United States could be at a disadvantage, increasing the risk to its citizens.

"If Congress wants to create an agency to be private security researchers for multibillion dollar software companies, it is free to do so," writes Susan Hennessey, a managing editor with Lawfare and a former NSA attorney, on Twitter.

But Microsoft is pushing for more accountability. In February at the RSA security conference in San Francisco, Smith proposed a "Digital Geneva Convention" to better protect civilians from nation-state cyberattacks. One tenet would require "governments to report vulnerabilities to vendors, rather than stockpile, sell or exploit them," Smith said (see Microsoft Advocates 'Digital Geneva Convention').

Fierce Disclosure Debate

There's a fierce debate over whether the U.S. government should notify software vendors sooner - than later - when it finds flaws in their products. The government has a policy, called the Vulnerabilities Equities Process, ostensibly designed to do this.

But it's clear that some vendors, such as Cisco, only learned of vulnerabilities in their products after surprise disclosures by third parties. In August 2016, the group that calls itself the Shadow Brokers began publicly releasing exploits and attack tools from the "Equation Group," which is widely believed to be the NSA (see Mystery Surrounds Breach of NSA-Like Spying Toolset).

Also, in early March, WikiLeaks began releasing a group of internal documents and hacking technique, which it calls Vault 7, that the organization says came from the CIA. The documents describe in deep technical detail how to compromise networks, mobile devices and even smart TVs (see WikiLeaks Dumps Alleged CIA Malware and Hacking Trove).

The WannaCry ransomware incident, meanwhile, has its roots in an April 14 public dump from the Shadow Brokers. The dump included an exploit and attack tool dubbed EternalBlue. The exploit targeted a vulnerability in the server message block (SMB) protocol, which is used for file-sharing and is present on most Windows systems.

Microsoft, however, was a step ahead. In March, it patched the vulnerability - MS17-010 - targeted by the exploit (see WannaCry Outbreak: Microsoft Issues Emergency XP Patch). Microsoft has declined to comment about how it learned of the vulnerability and was able to patch it before the Shadow Brokers released it, although Microsoft does work with the U.S. government.

Even two months after the patch was released, however, tens of thousands of Windows systems had not applied it, which is why WannaCry has had such an impact. Microsoft also took the unprecedented step of issuing patches for three operating systems that it no longer officially supports - Windows XP, Windows 8, and Windows Server 2003 - unless organizations pay for pricey extended support contracts.

Monday: The World Holds its Breath

Geographical distribution of targets in the first few hours of the May 12 attack (Source: Kaspersky Lab)

After the WannaCry outbreak appeared Friday, an accidental yet fortuitous finding by a British computer security researcher limited the spread of the first version of WannaCrypt over the weekend. But it is expected the error will be fixed by WannaCry's developers and attacks will continue.

By early Monday, however, there were not yet any signs of further mass outbreaks. The South Korean government did report finding nine cases of ransomware, but it did not identify the victims, Reuters reports.

Also on Monday, the Australian government said only three small to medium-sized companies had been hit - a surprisingly low number, given the global scale of the outbreak. Alistair McGibbon, the prime minister's special cybersecurity adviser, told the ABC that critical infrastructure, the health sector and government agencies were unaffected.

"We will see more victims here, and that's very sad always," he told the broadcaster. "It's always bad for any businesses to be a victim of crime, but as a whole of nation we can be confident so far that we have missed the worst of this."

Trend Micro's McCluney, who's based in Sydney, says that the security company fielded many enquiries over the weekend about WannaCry. While he can't speak specifically about Trend Micro customers, he knows some organizations were impacted, but on the whole the damage has been less severe, compared to other places in the world.

"I think we have been the lucky country, once again," McCluney says.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network