Who Let the Bug Out? Is the NSA Responsible for “WannaCry?”

The massive ”WannaCry” (also known as “WannaCrypt) ransomware attack that began on May 6, 2017 infected more than 230,000 computers in over 150 countries at last count and reignited a fierce debate about the responsibility of federal agencies - especially the National Security Agency (NSA), the American spy agency - to share knowledge of malicious exploits it captures or develops with the manufacturers of the vulnerable software.

Many of the exploits that the NSA develops or discovers are so useful to its spying mission that it stockpiles them in its own cyber arsenal and tells nobody. As we now know, there is a risk to this approach and that is “What happens if hackers break into the NSA and steal some of these powerful and malicious cyberweapons?”

That is exactly how “WannaCry” came to life. In August 2016, a hacker group calling itself Cyber Brokers hacked into the Equation Group, an organization of super hackers with ties to the NSA, nabbing a slightly older version of the NSA’s own custom-built ransomware “EternalBlue,” which was designed to break through network firewalls and get inside the computer systems of competitors like Russia, China and Iran and place “implants” in the system, which can lurk unseen for years and be used to monitor network traffic or enable a devastating computer attack.

On April 14, 2017, Cyber Brokers released the EternalBlue code into the wild and on May 6, it surfaced as the software behind the massive “WannaCry” attack. Beginning in the U. K. and Spain, the malicious software spread like wildfire across the globe, blocking thousands of customers from their data unless they paid a ransom using Bitcoin. Hospitals, pharmacies and major corporations like FedEx and the Spanish telecommunications giant Telefonica were among the hardest hit. Syantec reports that “WannaCry” searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol because the SMB version 1 (SMBv1) server in older versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. Microsoft may have been alerted to the vulnerability ahead of the attack because on March 14 the company issued security update MS17-010, for all Windows versions that were currently supported at that time, which were Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

The problem is that hundreds of thousands of organizations didn’t apply the patch. As Microsoft President and Chief Legal Officer Brad Smith wrote in a blog post:

The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.

Organizations running older systems, such as Windows XP, Windows 8 and Server 2003 weren’t provided with the March fix but by the end of day one of the attack, Microsoft had taken the unusual step of providing patches to customers with “end of life” products Windows XP, Server 2003, and Windows 8. Smith added:

Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download. This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

The PATCH Act

In the wake of the “WannaCry” invasion, U.S. Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) have introduced the Protecting our Ability To Counter Hacking (PATCH) Act, bipartisan legislation that adds transparency and accountability to the U.S. government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems.

The PATCH Act would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available. It would also legally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security and include agency directors from the intelligence community as well as the secretary of commerce.

The law would also require annual reports to Congress on the board’s activities. A version of the government’s process, known as "vulnerabilities equities process," has been in place for some time, although its exact details are unclear. A version of the board already exists, but some have criticized the process as opaque, and a law would go some way toward binding the federal government to the system, its sponsors say. Added Senator Schatz, lead Democrat on the Senate Subcommittee on Communications, Technology, Innovation, and the Internet:

Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy. This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.

On more of a human interest level, the unlikely hero of the “WannaCry” attack is a 22-year-old self-taught British computer researcher named Marcus Hutchins who prevented much greater damage from the attack by ‘accidentally” triggering a kill switch from his bedroom at this parents house in the U.K. Hutchins discovered that when a new computer becomes infected, the virus contacts a remote web address and starts taking files hostage only if it finds that address unreachable. If it can connect, however, the WannaCry program terminates itself –probably a built-in failsafe in case the software became uncontrollable.

Hutchins figured out where the web address was hidden in the malicious code and discovered it was unregistered. He bought the “gobblygook” site name for less than £10, and discovered he was able to redirect 5,000 connections per seconds to a harmless “sinkhole” server. Hutchins, who tweets and blogs as Malware Tech, posted on Twitter:

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.

I predict this “lucky” kid has a bright future in cyber security.

My Take

Hacking and ransomware are unpleasant daily facts of life for computer users from individuals at desk tops to elaborate networks with thousands of users distributed around the globe.

Consumers and business leaders have become all too familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. Where there is money to be made, there will be clever criminals trying to do just that.

The best defense is a good offense. If a manufacturer sends you a critical security update today, install it today. Virtually all of the computers infected by “WannaCry” would have escaped harm if someone had installed the Microsoft April update. Vendors cannot protect you from yourself alone. Cybersecurity has become a shared responsibility between tech companies and customers. There is no way for customers to protect themselves against threats unless they update their systems.

The most important issue raised by “WannaCry” is to what degree is the stockpiling of vulnerabilities by governments undermining security for everybody. Exploits of malware stored by the CIA have shown up on WikiLeaks, and now the NSs hack has inflicted misery and damage on individuals and organization around the world. There needs to be a real debate and resolution about the balance between cyber security and intelligence gathering. Too often these days, exploits gathered by governments are leaking into the public domain and causing widespread damage.

Oh, if everything else fails, it pays to have a 22-year-old whiz kid upstairs in the bedroom