
Microsoft slams NSA over cyberweapon in WannaCry ransomware

Microsoft blames the U.S. government for cyberweapon stockpiling as WannaCry ransomware infections continue to spread, though some experts say Microsoft shares responsibility.

WannaCry ransomware is spreading around the globe and Microsoft has called out the U.S. government for being at least partially responsible because the malware is based on an NSA cyberweapon.

The WannaCry ransomware was based on the "EternalBlue" exploit found in a Shadow Brokers dump of NSA-linked exploits last month. The EternalBlue cyberweapon takes advantage of a flaw in Microsoft's Server Message Block (SMB) networking protocol. After issuing an emergency patch to protect legacy systems against the threat, Microsoft said the WannaCry attacks provide "yet another example of why the stockpiling of vulnerabilities by governments is such a problem."

"The governments of the world should treat this attack as a wake-up call," wrote Brad Smith, president and chief legal officer at Microsoft. "They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

Jeremiah Grossman, director of security at SentinelOne based in Palo Alto, Calif., said someone needed to call out the government regarding cyberweapon stockpiling because "this whole situation is ridiculous."

"Look at what the whole world is going through now. When the triage is over, and we're past this, there needs to be a gathering of the various countries and stakeholders regarding policy -- again like [Microsoft] suggested," Grossman told SearchSecurity. "Especially as we move forward into the future and exploits in other important systemic systems are found."

Ziv Mador, vice president of security research at Trustwave, a security services company based in Chicago, said it was unlikely that Microsoft's message would make an impact.

"If indeed they collect such zero days and similar vulnerabilities, they do it for a purpose and I find it hard to believe that a call from the industry, even from a major vendor such as Microsoft, would cause them to change their plan," Mador told SearchSecurity. "They can prevent similar cases in the future by making sure that such information never leaks, much like any other major weapons."

Sanjay Raja, chief marketing officer at Lumeta, a cybersecurity company headquartered in Somerset, N.J., said it shouldn't be a surprise that the NSA would stockpile cyberweapons because the "NSA must stay ahead of nation-state threats or be vulnerable to more willing, cracking participants."

"Blaming the NSA for taking advantage of a flaw in your OS is a like a coach whining that another team took advantage of a serious flaw in your game plan. Stupid, but points the finger in the wrong direction. Plan a better game. That is my response to Microsoft," Raja told SearchSecurity. "Understand that being the leader in OS and a leader in applications means taking responsibility for supporting them but also taking security more seriously despite the investment. That being said, it is an embarrassment to the NSA when you leave your playbook lying around."

Elias Manousos, CEO and founder at RiskIQ, a digital threat management company headquartered in San Francisco, agreed that Microsoft was shifting blame about the WannaCry cyberweapon.

"It suits Microsoft's interests to point the blame at others. The fact is, they stopped supporting this software many years ago, so the fault lies on end users for not moving to more secure platforms and Microsoft for abandoning them ... not the adversary," Manousos told SearchSecurity. "The NSA is a government agency that takes direction from leadership and policymakers."

Rick Orloff, CSO of Code42, said "the U.S. government is not the bad guy here; we need to give them better tools and processes."


"All governments with cyber capabilities stockpile vulnerabilities and this is a reality that is not going to change, we should simply move on," Orloff told SearchSecurity. "That said, it is possible to establish criteria and a framework that would allow for a public/private partnership to address known vulnerabilities. The government could stockpile as needed and still notify a high-tech company based on established forcing functions."

Echoes of Apple vs FBI

A number of experts noted that the WannaCry ransomware and Microsoft's comments about governments stockpiling cyberweapons had connections to the fight between Apple and the FBI in the San Bernardino case.

The FBI wanted Apple's help to unlock the iPhone of a suspect in a terror attack, but Apple refused. The FBI claimed it only sought access to that one phone, but Apple CEO Tim Cook said "there's no such thing as a backdoor for the good guys; the bad guys will find it too."

Experts said they saw the similarities to this argument in the case of WannaCry, where an exploit the government thought would be used for intelligence purposes only was eventually leaked and abused by malicious actors.


"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," Smith wrote in the blog post. "This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today -- nation-state action and organized criminal action."

John Bambenek, threat systems manager at Fidelis Cybersecurity, said the WannaCry exploit was actually better secured than what the FBI asked from Apple.

"The underlying exploit used in WannaCry was a highly classified exploit developed by the NSA and then stolen," Bambenek told SearchSecurity. "Any backdoor in cellphones could not be as highly classified and protected as this exploit that was still stolen was. Once somebody leaks out the needed steps or tools to use the backdoor, it will become public to anyone who can use it and this week's outbreak shows how real that possibility is."

The difference in the case of WannaCry, according to Philip Lieberman, president of Lieberman Software, a cybersecurity software company based in Los Angeles, was that the role of Apple and Microsoft didn't quite match.

"Tim Cook of Apple expressed his distrust of the government in general in using zero day or manufacturer provided known exploits in a trustworthy manner. Apple's solution was to create a platform that they believed could not be broken. In this case, Microsoft's product was exploited by means unknown to it, as was the phone in the San Bernardino Apple episode," Lieberman told SearchSecurity. "It all comes down to who gets hold of vulnerabilities and what they do with them, as well as how long it takes for the holes to be plugged once they are discovered."

Aviv Grafi, CTO of Votiro, a security company headquartered in Tel Aviv, said the NSA likely had the EternalBlue exploit that WannaCry is based on for a long time and used it "for public safety and for their own targets or goals."

"It is clear that the FBI and NSA hold vulnerabilities that they can use for their own goals and targets. While one of the NSA's major vulnerabilities (WannaCry) was leaked, the FBI may soon find itself in a similar situation since we also know that they hold vulnerabilities that can target Apple devices, for example," Grafi told SearchSecurity via email. "This, we learned, from the San Bernardino case -- and it's evident that leakage of such information, can be very dangerous -- reused for crime and other cyber warfare against the public."

Kevin Magee, global security strategist at Gigamon, said these cyberweapons held by the government can cause real world damage.

"It's a fact today that cyberattacks are being weaponized and they are beginning to inflict considerable damage both online and in the real world. Not only have some of these attacks resulted in significant financial damages, but attacks on hospitals in particular have resulted in patient care impacts and at some point, if it has not already occurred, will result in deaths," Magee told SearchSecurity. "It's time for our world's governments to begin to take responsibility for their own actions when it comes to both cybersecurity and cyberwarfare, as well as the need to recognize that the internet, hackers and cybercriminals are not limited or restrained by physical borders so an international and coordinated response is needed to tackle these challenges."

Young-Sae Song, head of marketing at Arctic Wolf, a computer security service provider headquartered in Sunnyvale, Calif., said there is a need to balance privacy with data sharing between business and government agencies.

"There could be many benefits to greater collaboration between tech companies and law enforcement. The problem is that protecting privacy and what is for the greater good are often at odds with each other, and it's [a] slippery slope when you start doing things on an exception basis," Song said. "Finding and prosecuting the ones responsible for WannaCry is definitely in the interest of the greater good. However, government and private enterprise are not likely to agree on the level of cooperation needed."

Grossman said the NSA should act now before any more cyberweapons are released.

"We're not sure if the Shadow Brokers, or anyone else, managed to steal all of [the NSA's] cyberweapons or exploits or just a subset," Grossman said. "If more are in the wild, that they know of, it's time for them to disclose to the appropriate vendors immediately -- if they aren't already."

5 comments
The quotes of John Bambenek and Young-Sae Song indicate we have some people with a good grasp of the situation. First, the government needs to explicitly justify why it needs back doors and why, when it discovers an unintended door, it needs to hide it from the manufacturer of that door. Second, the manufacturers need to re-evaluate the design of their products that allows back doors. Third, independent security firms need to publicly rate and rank hardware and software from smart phones to IoT to mainframes on their privacy and security.
Microsoft needs to take responsibility for the crappy software it put out and the millions of Windows users that were too stupid to install the patch in March of this year that would have prevented this from infecting their computers.

MSFT is in the wrong business -- hacking OS -- without even understanding the responsibilities of an operating system. MSFT should think hard and stop ruining lives and nations with such a weak, irresponsible OS. MSFT OS offers no protection whatsoever. All in the name of usability, which they have achieved, I must admit. I can talk to my grandma in some remote village only because of MSFT's braindead OS. At least now, instead of blaming others for pointing out their ill-structured, poorly engineered machinations, they should study Unix and its many variants to understand how to build robust and secure operating systems. At a minimum they can copy what Apple did...

Any program at any level can stop the entire OS. Denial of Service is rampant. Some user-level process can bring down the world. In simple terms, MSFT is the best example of how not to hack an OS. No sympathy for MSFT. Instead of doing whatever else, they should focus on fortifying the MSFT OS from the core. They should not be complaining.

Whilst the NSA don't actually live up to the name they have been given, there is no doubt that Microsoft are the architects of Windows users' downfall.
The amount of "bloatware" that now exists in the latest MS offerings is disproportionate to its use. I imagine also that there is significant legacy code in there that does not need to be and should not be there.
It's high time that Microsoft made a concerted effort to prune the OS root and branch and get it down to something manageable and, I suspect, infinitely more secure.