Late last week, the world witnessed the largest ransomware attack ever perpetrated, the effects of which are still being felt in at least 150 countries and may be felt further as people return to their work computers this Monday.
The massive incident once again demonstrates the vulnerability of computer systems and IT architectures around the world. It also will jump-start a debate on whether government intelligence organizations should disclose to private companies vulnerabilities they find in the wild or continue to exploit them, at risk to those companies, in attempts to fight crime, espionage and terrorism.
Known as "WanaCryptOr 2.0" (or "WannaCrypt," the number of Ns varies), the dangerously effective ransomware may have compromised at least 85 percent of Telefónica employees' computers. It also locked down the systems of at least 16 organizations within the U.K.'s massive NHS.
A translated announcement of Spain's computer emergency response team said, "The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other [Microsoft] Windows machines on the same network."
The exploit appears to be built on a vulnerability developed by the U.S. National Security Agency and subsequently leaked publicly by the hacking group The Shadow Brokers. More specifically, the vulnerability affects Microsoft Windows XP operating systems. According to Motherboard, Microsoft had issued a patch in March, known as MS17-010, but it's likely many end-users had not yet installed the fix.
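The CERT announcement above describes the worm's behavior on the network: once one machine is infected, it spreads by opening SMB connections to other Windows hosts on the same network. The following is an added example, not code from the article or from any of the sources it cites, that turns that behavior into a simple detection heuristic: a single source host opening SMB (TCP/445) connections to many distinct peers within a short window is the fan-out pattern a worm produces and ordinary clients rarely do. The log format (`<ISO timestamp> <src_ip> <dst_ip> <dst_port>`), the sample records, the 60-second window and the 10-peer threshold are all constructed assumptions for this example; in practice the logic would run over firewall, NetFlow or EDR connection records.

```python
"""Flag worm-like SMB fan-out in connection logs (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
THRESHOLD = 10                   # distinct SMB peers within the window that raise an alert (assumption)

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port>", one connection per line.
SAMPLE_LOG = (
    # a normal client talking repeatedly to a single file server
    [f"2017-05-12T09:00:{i:02d} 10.0.0.7 10.0.0.2 445" for i in range(0, 30, 5)]
    # an infected host opening SMB to 20 distinct peers within 20 seconds
    + [f"2017-05-12T09:01:{i:02d} 10.0.0.5 10.0.0.{10 + i} 445" for i in range(20)]
    # unrelated web traffic from the same host (ignored by the port filter)
    + ["2017-05-12T09:01:05 10.0.0.5 10.0.0.2 80"]
)


def parse_line(line):
    """Split one log record into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak number of distinct SMB peers seen within any `window`}
    for every source that reached `threshold` distinct peers at least once."""
    records = sorted(parse_line(line) for line in lines)  # sort by timestamp
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst_ip) SMB connections inside the window
    alerts = {}
    for ts, src, dst, port in records:
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        # drop connections that have aged out of the sliding window
        while q and ts - q[0][0] > window:
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    for src, peak in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {peak} distinct SMB peers within {WINDOW.seconds}s")
```

On the constructed sample this reports only the infected host (10.0.0.5 with 20 peers); the client hammering one file server never exceeds a single peer, however many connections it makes, which is why the heuristic counts distinct destinations rather than connection volume. Tuning the threshold against a baseline of legitimate SMB behavior (backup servers, vulnerability scanners, domain controllers) is what keeps it from paging on every Monday morning logon storm.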
The New York Times reports the attack's full effects have likely not yet been felt as much of Asia had already closed the work week last Friday before the attack manifested itself. Security researchers are warning it will likely spread on Monday as workers in Asia boot up their work computers.
Compounding the incident, copycats are perpetrating attacks of their own. Comae Technologies' Matthieu Suiche said, "We are in the second wave. ... As expected, the attackers have released new variants of the malware. We can surely expect more."
As of Sunday, according to Europol Executive Director Rob Wainwright, the attack has hit at least 200,000 computers in more than 150 countries. FedEx, Renault, universities in China, Germany's railway system and Russia's Interior Ministry were all hit by the attack.
In a stroke of luck, a 22-year-old British researcher, known on Twitter as MalwareTech, has now been credited with finding a so-called "kill-switch" for the attack. Yet, some researchers are concerned variants of the malware could remove the kill-switch.
"Microsoft has complained for years that the large majority of computers running its software were using pirated versions," The New York Times reports.
The effects in the U.K. are reaching political levels as the Labour Party and Liberal Democrats argue the Conservative Party has not done enough to bolster cybersecurity to thwart such an attack. The BBC reports U.K. Defense Minister Michael Fallon has said the government was spending approximately 50 million GBP ($64 million USD) to improve NHS cybersecurity.
Nor is this vulnerability the only one released to the public via The Shadow Brokers. Wired points out that "a whole suite of NSA tools [is] now available to bad guys, whose interests may range from ransomware to targeted surveillance to building botnet armies and anything in between." In fact, Friday's incident is reminiscent of the massive distributed-denial-of-service attacks that took down several major websites in the U.S. late last year. That incident prompted Privacy Perspectives to point out that poorly secured devices could potentially pose a national security threat. Clearly, this latest wave of ransomware attacks affected health care, government and business frameworks and poses a looming threat to national security.
This gives rise to the long-disputed question of whether intelligence outfits like the NSA should work more actively with private companies to disclose the vulnerabilities they find in their field work. For intelligence organizations, it behooves them to keep such bugs under the radar so they can track down the bad guys. But by doing so, they make companies, their users and organizations around the world vulnerable to the attacks we've witnessed in recent days.
The incident should surely prompt a dialogue between the public and private sectors on what to do with so-called zero-day vulnerabilities, if anything at all. Microsoft has not been shy about making its feelings known. In a blog post, Microsoft President Brad Smith was pointed (boldface is ours):
[quote]Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.[/quote]
The ransomware attacks, it should be noted, also took place the same week the Trump administration released a new cybersecurity executive order to shore up protections of federal agencies.
At the very least, this incident should serve as a wake-up call to public and private organizations to ensure they're keeping up with security patches. Whether government intelligence agencies play a role in helping prevent such attacks in the future by disclosing zero-days to affected organizations is a different matter altogether but one that will hopefully be addressed very soon. The alternative could very well affect critical infrastructures for governments around the world.
Thanks to TroyHunt.com for the ransomware image at the top of the page.