Microsoft: NSA’s Exploit Hoarding Makes Us WannaCry
Last Friday the world woke up to one of the biggest cyberattacks in history. The WannaCry ransomware attack spread like wildfire through vulnerable Windows machines across the globe late last week, infecting over 230,000 machines in 150 countries and blocking users from their data unless they agreed to pay approximately $300 in Bitcoin.
The attack’s spread only slowed when security researcher MalwareTech accidentally triggered a kill switch for the malware by registering an unregistered domain found in the malware’s code, turning it into a DNS sinkhole.
But by then the damage was already done and victims of the ransomware’s indiscriminate spread included Telefonica, a major Spanish telecom company, major parts of Britain’s National Health Service (NHS), FedEx, Deutsche Bank, and hundreds of targets in Russia and China.
Now that the dust has (mostly) settled, Microsoft is pointing its finger at the NSA, whose stockpiling of hacking exploits is “a problem,” according to a blog post from Microsoft’s President and Chief Legal Officer Brad Smith.
“Repeatedly,” says Smith, “exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
According to Smith, “an equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
The “disconcerting link” that Smith is referring to is WannaCry’s use of exploits such as EternalBlue, an exploit that uses a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol to spread the malware from one machine to another. This exploit, amongst others, was purportedly stolen from the NSA’s elite hacking unit, The Equation Group, by a blackhat hacker group calling themselves the ShadowBrokers, who released the exploits to the public in April of this year.
While Microsoft had already patched the issue on March 14, a month before the exploits’ public release, many Windows computers remained unpatched globally, especially those running deprecated versions of Microsoft operating systems such as Windows XP or Windows Server 2003. This let the ransomware spread quickly to thousands of machines worldwide, from unpatched machines at major corporations to unsupported pirated copies on personal devices, until Microsoft finally took the uncommon step of releasing a patch for Windows XP users as well.
Smith clearly blames the NSA’s refusal to disclose major vulnerabilities for this disaster, and says as much in his blog post, where he not-so-subtly calls on “governments of the world” to see the attack as a wake-up call to “take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”
“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” says Smith. “This is one reason we called in February for a new ‘Digital Geneva Convention’ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”