Leaked NSA Hacking Tool On Global Ransomware Rampage

from the who-trusts-the-nsa? dept

Welp. What was that we were saying about the problems of the NSA creating hacking tools that leak, rather than helping patch security flaws? Oh, right. That it would make everyone less safe.

And here we are. With a global ransomware rampage, referred to as “WannaCry” putting tons of people at risk, thanks to leaked NSA malware:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks ? which been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast ? have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

Specifically, it appears that the ransomware is using an NSA tool called ETERNALBLUE, which was leaked in April by Shadow Brokers. This was among those that were quietly patched by Microsoft back in March, but not everyone installs security patches in a timely manner. Indeed, as some are reporting, some of the victims — including the National Health Service Hospitals in the UK — are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

Thus, there’s some debate online about whether the “problem” here is organizations who don’t upgrade/patch or the NSA. Of course, these things are not mutually exclusive: you can reasonably blame both. Failing to update and patch your computers is a bad idea these days — especially for large organizations with IT staff who should know better.

At the same time, the fact that this hack is built off of a leaked NSA hacking tool highlights a couple of key points:

  1. The NSA’s dual-hatted offensive & defensive structure is damaging: The NSA plays both offense and defense on computer security. That is, it is supposed to hack into other systems, but also help protect our systems. But it’s quite clear that the offensive capabilities are valued much more than the defensive ones — and that’s a problem. Once again, it appears that people in the intelligence community are not doing a clear cost-benefit analysis of the tools that they use. They like their toys, but they rarely seem to take into consideration what happens should those toys get out.
  2. Once again, this reinforces why we should not allow backdoors to encryption or any other such vulnerability. Over and over again, the proponents of backdooring encryption have insisted that it can be built in a “safe” way, where only government will get the backdoor access to encryption. The fact that some of the NSA’s most powerful hacking tools have not only been leaked but are now wreaking havoc around the world, should put a complete end to the “going dark” debate. But it won’t. It’s not safe, but many in the law enforcement community, in particular, are in denial about this.

These problems are not new. Hell, we’ve been talking about both of them for the better part of a decade already. But this rapid spread of WannaCry is putting an exclamation point on those arguments. Unfortunately, the cynical side of my brain says this warning will still be ignored.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Leaked NSA Hacking Tool On Global Ransomware Rampage”

Subscribe: RSS Leave a comment
Seegras (profile) says:

Re: NSA: The Best Defense is a Good Offense

“The Best Defense is a Good Offense” is complete bogus in this environment.

Because every zero-day you know, is at the same time a vulnerability.

You think it’s nice to be able to penetrate systems at will for your surveillance wants? Well, you’re putting your hospitals, electrical grid, power plants, all other government agencies, the military, everything at risk at the same time.

You can only choose to have everyone vulnerable or nobody.

The Wanderer (profile) says:

Re: Re: Re: NSA: The Best Defense is a Good Offense

The NSA, knowing about these offensive exploits, can defend their computers against them.


In this case, the only fix I’ve seen reported is to install a patch from Microsoft.

That patch only exists because Microsoft was notified about the vulnerability. No one else has the source code, so no one else can build a patch to close the vulnerability, much less actually get it installed (given code-signing practices nowadays, et cetera).

If the NSA notifies Microsoft about the vulnerability, the patch for it will be released publicly, thereby both notifying the public about the vulnerability and enabling the public to close it – meaning that the NSA won’t be able to rely on using the vulnerability to get in.

If the NSA does not notify Microsoft about the vulnerability, no patch will be created (until such time as someone else finds and reports the same vulnerability), and so the NSA will not be able to secure their own Windows computers.

Is there a hole in that logic somewhere?

PaulT (profile) says:

Re: Re: Re:2 NSA: The Best Defense is a Good Offense

“No one else has the source code, so no one else can build a patch to close the vulnerability, much less actually get it installed (given code-signing practices nowadays, et cetera).”

I’d stop there and just say that it’s certainly possible for a 3rd party patch to be created and installed, although it’s not as easy if you don’t have the source to hand. The NSA will certainly have people available with the necessary skills. It’s also likely that the NSA would be able to have some agreement with Microsoft to have access to the signing keys for various reasons. They could hack the OS or just choose to use something more secure for anything that would be non-trivial if compromised.

Either way, in this particular case it’s possible to guard against the vulnerability without doing anything to code:

“In this case, the only fix I’ve seen reported is to install a patch from Microsoft.”

The vulnerability exists on SMB v1, which you can disable if not required, and I believe can be removed completely in Windows 10. The patch stops the vulnerability from being present in the service, but as with all optional services the best advice is always to remove anything not required. If simply disabled, the service can be re-enabled by attackers in they gain access in other ways.

In fact, one of the reason why Microsoft has such a poor security reputation is that their systems usually had services installed and enabled by default that had no business being on a machine for 95% of use cases. Older versions of Windows became exponentially more secure just by changing the default running services and applying a few additional security measures, it’s just that Windows admins of the time neither knew nor cared about the security above convenience.

The Wanderer (profile) says:

Re: Re: Re:3 NSA: The Best Defense is a Good Offense

Hmm. Thanks for the note; I’d heard suggestions of the problem being specific to SMBv1, but even Microsoft’s own article on the subject didn’t seem to be explicit that this was SMBv1 only and that other versions of SMB are not vulnerable, so I didn’t trust that as being a fix. (If you have a source for an explicit statement that this is only a hole in SMBv1, I’d appreciate a link.)

If it’s confirmed that only SMBv1 has the problem, then that does simplify things considerably, and would have let the NSA secure their own systems without needing to touch the question of hacking together a third-party patch (and dodging code signing enforcement, in whatever form it may be in place).

PaulT (profile) says:

Re: Re: Re:4 NSA: The Best Defense is a Good Offense

“(If you have a source for an explicit statement that this is only a hole in SMBv1, I’d appreciate a link.)”

The official patch notes only specify that version 1 is affected, so I believe that’s good enough for me. I think there was a rumour about v2 also being affected that was later debunked, but I can’t seem to see any sources at a quick glance.


Generally speaking, we got lucky this time. I don’t believe the attack was particularly targeted, patches were immediately available when the attack started, someone accidentally managed to trigger the payload’s kill switch and it was well enough broadcast that most vulnerable computers were patched before the killswitch-free version was released.

We won’t be so lucky next time, but I think you can pretty much guarantee that the NSA are always working on their own protective measures. I’d say that would include bespoke patches where workarounds aren’t available.

The Wanderer (profile) says:

Re: Re: Re:5 NSA: The Best Defense is a Good Offense

That’s the Microsoft article I read, but I didn’t spot an explicit statement that only v1 was affected; I saw it as being implied by parts of the phrasing I don’t remember (I’m currently on a computer which is configured in a way that doesn’t load most Microsoft pages correctly, and I don’t feel like undoing and redoing that configuration just at the moment, so I can’t double-check right now), but not stated explicitly. That’s why I didn’t bother pushing to only disable SMBv1 in my organization, rather than an emergency deployment of the patch. (I’m working on getting regular, timely patch deployments going, but that implementation has been stalled by factors out of my control, including bureacratic obstacles. We may hope that they clear out of the way somewhat after this incident.)

I agree that we got lucky this time, for all the reasons you cite.

afn29129 (profile) says:

Re: What about liability?

Two words: Sovereign immunity..
“In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit.[2] The United States as a sovereign is immune from suit unless it unequivocally consents to being sued.” Or in other words; The king is untouchable.

1eyed Jack says:

Re: Re: It's Good to be King

yeah, but Americans have the sacred right-to-vote … and can just leash or get rid of the NSA at the ballot box.

oh wait, the NSA was created by a secret Presidential Executive Order in direct violation of all that constitutional and democracy stuff.
Citizens have effectively zero control over the NSA.
US Presidents, Congressmen, and Supreme Court Justices often act as unaccountable sovereigns and usually get away with it.

… never mind

Anonymous Coward says:

Re: Re: Re:2 Good to be King

Constitution does not authorize a President to create a major new Federal department, bypassing Congress (separation of powers).

Truman’s October 1952 secret 7-page memo (not even a formal Executive Order) created the super secret NSA. Even the NSA name was initially classified… Truman’s memo that acted as the agency’s charter remained secret for decades.

The executive branch secretly creating a big new government agency vested with extremely broad and unaccountable powers… is not how representative democracy or the American constitutional system works. Few Congressmen knew of the NSA, its activities, or budget.

“No statute establishes the NSA or defines the permissible scope of its responsibilities” stated former Senate intelligence committee chairman Frank Church– ” The CIA, on the other hand, was established by Congress under a public law, the National Security Act of 1947, setting out that agency’s legal mandate as well as the restrictions on its activities. “

Jim says:

Re: Re: Re:

Don’t blame ms for a nsa unreported hole in security. Just blame me for delaying delivery of patches for the consumer. Not everyone gets patches at the same time. That would mean that the ms servers would have to be on 24 x 7, they aren’t. An don’t blame the consumer for not leaving their system on 24 x7 to receive patches. They want to use their system eventually to post on Facebook or read the latest news.

Jim says:

Re: Re: Re:

Don’t blame ms for a nsa unreported hole in security. Just blame me for delaying delivery of patches for the consumer. Not everyone gets patches at the same time. That would mean that the ms servers would have to be on 24 x 7, they aren’t. An don’t blame the consumer for not leaving their system on 24 x7 to receive patches. They want to use their system eventually to post on Facebook or read the latest news.

PaulT (profile) says:

Re: Re:

“Patched 2 months ago, but too many people and companies dont apply the free updates.”

There’s multiple reasons for that, ranging from underfunded agencies being unable to afford decent system management to the fact that most experienced Windows admins have experienced failures due to routing patching so need to spend much more time testing & rolling out patches to large organisations. Victim blaming might be fun, but there’s a lot of factors involved in the real world.

“Don’t blame tge NSA for bad system management.”

Can we blame them for creating tools to easily exploit the known vulnerabilities, (presumably) asking Microsoft to keep the specifics and priority quiet when they patched it, and allowing the tool to be leaked?

The NSA might not deserve 100% of the blame, but they own their well deserved chunk of it.

GristleMissile says:

Re: Re:

There are actually people attempting to make “smart” guns to do that. OFC, they don’t realise they’re just adding extra failure modes to something you want to be as reliable as possible.

The modern revolver has been around for over 150 years, and most likely will be around for several hundred more just because it is as simple and reliable as possible.

Anonymous Coward says:

Re: Re: Re:2 Re:

The problem goes beyond that. Kernel updates are disabled by default. ….

What??, I rum Mint on one of my machines, and Mint patches and updates it kernel as required for security fixes. What it does not do, in common with many distros that value stability, is update the system to the latest kernel automatically.

Anonymous Coward says:

If _only_ there was a law!

If only there were a law that required the US Government to coordinate with computer vendors to disclose vulnerabilities so they could get fixed. We should immediately pass such a law and insist that all government agencies obey it and send any that do not to federal "pound you in the ass" prison.

Oh – wait. Yeah, there is such a law.

Oh well, because -terrorism- yeah, makes it acceptable to break our own laws.

Because nothing says "love" quite like mocking your own laws while others seek to expose your own hypocrisy and unethical/illegal actions.

Honor isn’t what others think of you – it’s what you know of the justice of your own actions. And America is seriously lacking in Honor these days.

Anonymous Coward says:

missing budget

It’s not the IT staff who should know better, it’s the missing budget. Medical care uses a lot of special software, often software which has to be certified and may run only on specific PCs (example: DICOM and PACS). Certification processes are expensive and very slow, i.e. you might have to wait a few years to get certified software for your current OS. Each OS upgrade is a quite expensive adventure. Simply blaming hospital IT staff without any further research is a sign of ignorance.

BTW, I’m not a member of a hospital’s IT staff. Just happen to know a few things about that topic.

Anonymous Coward says:

The problem with "Best defence is a good offence"

It only works if the only thing that matters is if you are ahead in the end. What the heck is so great about winning a “war” when all that is left, is rubble on both sides?

But by all means, lets forget the real crooks here who made it all possible in the first place, and then wonder in amazement about the bad hackers being bad and possibly use it to make us even more vulnerable. That is the NSA/government style we are used to by now.

Dave Cortright (profile) says:

The time lime of events is an important point

Microsoft ended support for Windows XP on April 8, 2014. My brief search didn’t turn up an estimate of when the NSA developed ETERNALBLUE, but given the age of some of the other leaks, I’m betting it would have been before the XP EOL. So basically the NSA *ensured* that XP would always be vulnerable by withholding this information from Microsoft. Assholes.

Quick Brown Fox says:

Re: The time lime of events is an important point

While it is true that Microsoft ended support for Windows XP in April 2014, some business users entered into contracts with Microsoft for security updates well past that date. For example, the U.S. Navy contracted with Microsoft to extend its XP support until 2017.

Also, several news sources reported in 2014 that “Windows Embedded Industry” users would have continued security updates for XP until April 2019. Other users could hack the registry to trick Windows into thinking it was part of the “Windows Embedded Industry” and thus receive free updates.

As Forbes magazine’s blog stated on May 27, 2014, “…clearly, there is nothing more difficult to kill than Windows XP.”

ItAintJusttheToolItsThePublicity says:

So what about Google or Wikileaks

For all the hate directed at the NSA, which rightfully should fall on them (or more likely their Booze-Allen contractors which have been the Human Relation security hole).

What about Google who exposes very publicly any holes they find which helps marketing their brand or Wikileaks that leaked this info to begin with?

Just saying double standards and all that Google and Wikileaks play a role here for exposing what others pick up and use and that they should be in the cross hairs for any animus as well.

Anonymous Coward says:

Attack the maker of the tool?

Isn’t this like saying gun manufacturers are responsible for what people do with the guns they purchase?

No wait, it is the guns that get stolen they are responsible for – right?

Should the makers of tools be held accountable for any and all potential use/abuse of same?

Rekrul says:

Re: Re:

EOL operating systems reslly should come with nagware that encourages upgrades.

I really wonder if there shouldn’t be an expiry date after which the OS is effectively hobbled until replaced

The problem with that is that newer versions of an OS aren’t 100% backwards compatible with older software. If a user has spent money over the years on software that will only work on an older OS, what right does anyone have to tell them that they must effectively throw that software in the trash? Not every program gets updated and even if they do, newer versions aren’t always better.

Then there’s the issue of all the spyware that MS crammed into Win10, some of which I’ve read is virtually impossible to disable. There were even reports that they were pushing updates to Win7/8 that included a lot of the same crap, and making it impossible to refuse individual updates for those systems without refusing the entire pack.

Is it reasonable to expect a user to surrender all their privacy and control of their system in exchange for some security?

Anonymous Coward says:

Re: Re: Re: Re:

Don’t forget that upgrading Windows means upgrading all DRMed applications, if you can get new versions, and fgor some, like Adobe, switching to a subscription based clod service.

Unlike Linux, upgrading a Windows OS requires careful planning to ensure that you do not end uo losing the use of some application, anywhere it may not be possible to find a replacement. This situation is not helped by the inability to run older versions of languages and libraries in parallel in Windows. The situations can be even worse if Windows is used in some medical or industrial equipment and any associated workstations,, where the only way to upgrade can be to replace everything.

There are mi££ion$ of reasons why some institutions are stuck on XP.

Rekrul says:

Indeed, as some are reporting, some of the victims — including the National Health Service Hospitals in the UK — are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

Ironically, while the linked Motherboard article mentions that the hospitals still running XP may be in breach of data protection laws, upgrading to Win10 would probably put them in breach of patient confidentiality laws as the OS sends information on everything they do back to MS. Even using Win7/8 may breach the laws as MS has reportedly introduced similar tracking into those versions of Windows as well.

Anonymous Champion says:

and i bet windows forced ten is also to blame here

and i bet windows forced ten is also to blame here….if you didnt have microsoft trying to do what they did hte last 6 months or so, a lot more people might have upgraded and been fine…

I decided to try the windows 7 update and guess what not only working ….no foolishness on ms’s part…

today was a good day to do your upgrading…my bet is they absolutely wont try and crap after this incident at least today and for a lil while till the news dies off.

Anonymous Coward says:

The big issue here is stockpiling. It’s pretty much expected for any Intelligence Agency to have exploits and use them (legal issues such as warantless wiretapping aside) – within a reasonable timeframe.

But to gather up years worth (at which point they’re likely leaked / also known to third parties) of undisclosed exploits pretty much “just in case”!?

To make the explosives analogy, that’s like insisting we leave old WW2 shells & landmines buried in the ground, you know, just in case …

Sure THIS particular exploit happened to be leaked but many others are still out there and there’s an army of young and hungry (in more ways than one) russian & chinese hackers hammering away at the exact same systems. Unfortunately that means many of those unknown exploits won’t stay hidden for too long.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...