On Sunday, Microsoft announced that a software vulnerability stolen from the National Security Agency had affected customers worldwide. The computer giant said that the spread of the WannaCry/WannaCrypt ransomware on Friday is an example of what can happen when governments stockpile computer vulnerabilities. Microsoft’s President and Chief Legal Officer, Brad Smith, blogged that the cyber attack was a “wake-up call,” and that governments must now “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
WannaCry, or Wana Decryptor, works by exploiting a vulnerability in some older versions of Windows. It struck hospitals in the United Kingdom and took down part of their networks. In Spain, the CCN-CERT computer response team warned of a "massive attack" by the ransomware, while there were reports that the Spanish telecommunications firm Telefonica was affected. The attack hit more than 100,000 organizations in 150 countries, according to Rob Wainwright, executive director of Europol, the European law enforcement agency.
The ransomware leveraged a Windows vulnerability that experts believe is related to the leak of a cache of mysterious computer hacking tools on the internet. Some researchers believe the hacking tools originated at the National Security Agency. They include an exploit named EternalBlue that enables the compromise of older Windows systems by specifically targeting the Server Message Block (SMB) protocol in Windows, which is used for file sharing. The tools were reportedly stolen from the NSA by the hacking group Shadow Brokers. “Until this weekend’s attack, Microsoft declined to officially confirm this, as US Gov refused to confirm or deny this was their exploit,” tweeted former NSA contractor Edward Snowden. He remains in Russia and is still wanted for questioning by authorities in the US.
Microsoft issued a security update on March 14 to address the vulnerability. Microsoft’s Brad Smith wrote, “While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.” Microsoft also offered a patch for Windows XP, Windows Server 2003 and Windows 8, operating systems for which it no longer provides support.
A second attack is a possibility because, on Monday, employees return to work and switch on their affected computers. The hackers may also reprise their attack with a variant of the ransomware that lacks the “kill switch” found by a young British researcher, which halted the first wave of cyber attacks. “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP,” wrote the researcher on Twitter.
In February, Microsoft demanded a so-called “Digital Geneva Convention” to set ground rules protecting users from state-sponsored cyber attacks. This would include requiring governments to report vulnerabilities to vendors instead of stockpiling, selling, or exploiting them. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” Smith wrote.
Exploits in the hands of governments have repeatedly leaked into the public domain and caused widespread damage, wrote Smith, who compared the leaks of CIA and NSA vulnerabilities to the U.S. military having some of its Tomahawk missiles stolen. “This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action,” he added.