An NSA hacking tool that was leaked to the web a month ago is being used by hackers to deliver ransomware called WanaCrypt0r 2.0 (AKA WannaCry, Wana Decrypt0r, WannaCryptor and WCRY) onto Windows machines. The NSA hacking tool is known as Eternal Blue, and has so far infected tens of thousands of computers with the WanaCryptor malware. Those victims include schools, hospitals, and corporations all over the world.
WanaCryptor targets have so far been pinpointed in nearly 100 countries. Among the victims are the Russian Interior Minister, Spain’s Telefonica, and the global delivery service FedEx. Victims must pay a $300 ransom in order to regain access to their encrypted files.
The exploit has spread around the world via cleverly designed phishing emails and delivered to victims via the NSA hacking tool (known as a worm). Among the emails that have so far tricked people into infection are fake job offers, fake security updates, and fake invoices (among others). This is what one Redditor (K3wp) who was involved in an attack had to say about the email that set off the attack:
Many UK Hospitals Hit
In the UK, the ransomware attack has caused chaos for the National Health Service (NHS), where the ransomware has attacked 40 trusts across the country. This has led to many patients who were expecting to see a doctor or nurse being turned away. In addition, the Mirror is reporting that “hospitals are diverting emergency operations – and services are severely disrupted after the ‘large-scale attack.’” According to that report, some people even had scheduled operations canceled.
Prime Minister Theresa May has made the following comment about the chaotic emergency caused by the ransomware:
“This cyber attack that has taken place has affected organisations here in the UK but in many countries around the world as well. Europol has said that it is unprecedented in terms of the scale of the cyber attack that has taken place.
“The National Cyber Security Centre is working with all organisations here in the UK that have been affected and that’s very important. I’d like to thank particularly the NHS staff who have been working through the night to ensure that, as we know, there has been no compromise of patient records.”
In France, car manufacturer Renault had to close its factories due to the devastating lockdown of its systems. Here is a list of some of the biggest targets that have so far emerged:
- China – schools and universities
- Taiwan – PC users
- Spain – gas and telecommunications firms
- USA – FedEx delivery service
- Germany – railway ticket machines
- Russia – government computers
- France – Renault car factories
- UK – NHS and Nissan car factories
- Argentina – telecommunications firm
- Portugal – telecommunications firm
Anybody unlucky enough to fall victim to the attack is being asked for a payment of between $300 and $600 in order to regain access to their system. According to a number of security researchers, many people have already surrendered to the evil hackers by paying a bitcoin ransom.
Antivirus firm Avast says it has witnessed evidence of in excess of 57,000 infections within 99 countries. The majority of victims, so far, appear to be from Russia, Ukraine, and Taiwan. However, a map that shows where infections have occurred reveals just how international the cyberattack is (see title image).
Lucky in the US?
According to Vikram Thakur (a research manager at Symantec), the US appears to have gotten off most lightly. Thakur says that this is because the attack started in Europe and beyond:
“By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious.”
The exploit being used to infect machines with WanaCryptor was actually stolen from the National Security Agency (NSA) last August. At that time, the Shadow Brokers announced to the world that they had managed to steal hacking tools used by the NSA’s elite Equation Group hackers to penetrate computer systems located throughout the world.
At that time, the Shadow Brokers said that they would be selling the NSA exploits to anybody who was willing to pay one million Bitcoin – approximately $568 million at the time (but much more now that bitcoin’s price has surged).
Unbelievably, despite last August’s news, the NSA decided not to inform Microsoft about the zero-day vulnerability contained within one of those stolen exploits. Eternal Blue, as the NSA exploit is now known, is a vulnerability within Windows that exploits the SMBv1 protocol in order to gain control over Windows computers connected to the web.
A month ago, news emerged that Eternal Blue (and other NSA hacking tools) had been leaked online by the Shadow Brokers. Initially, the news caused panic due to the belief that the zero-day was still live and could be exploited. However, in a bizarre turn of events, security experts soon realized that Microsoft had actually patched up the flaw just a month before the leak (with the MS17-010 security update).
It is still unclear exactly how Windows became aware of the zero-day vulnerability. It is possible that the Shadow Brokers told Microsoft about the vulnerability before performing the leak. Another option is that the NSA caught wind of this upcoming attack and decided to warn Microsoft. Nobody knows.
Sadly, despite issuing the fix, it is now clear that the MS17-010 Windows update was too little too late. Despite the availability of the update, many thousands of computer systems around the world have failed to protect themselves in time for this attack.
Who’s to Blame?
Sadly, software (including operating systems) often has security holes. As such, it is hard to point the finger at Microsoft. It is because software so often has vulnerabilities that the cybersecurity community is always quick to tell firms about vulnerabilities in their products. We can be thankful that Microsoft did, at least, do its best to issue a fix before the Shadow Brokers leaked the hacking tools last month.
The NSA, on the other hand, has acted in a truly wrongful and unforgivable manner.
The fact that the NSA knew (for at least ten months) that hackers had stolen tools for exploiting a Windows zero-day, reveals just how little US intelligence agencies care about protecting US citizens (and people around the world).
Like the Vault 7 revelations released by Wikileaks (which show that the CIA also uses hacking tools to surveil people using backdoors), the ongoing attack reveals the unbelievably selfish nature of US intelligence. Like the CIA, the NSA prefers vulnerabilities to remain in circulation – despite knowing the dangers that they pose. In fact, the reality is that the intelligence community is directly to blame for the ongoing cyber-insecurity the world is experiencing.
Infection Despite the Fix
You may be wondering why so many computers are being attacked if Microsoft already issued a fix. Unfortunately, many people simply haven’t accepted the Windows update quickly enough to protect themselves.
In addition, many larger corporations and institutions prefer to have their tech department test updates before accepting them onto their network (in case the update has a problem and locks up their entire system). That often takes months, and on this occasion appears to have led to mass infection.
On top of this, many people actually disable Windows updates because they are disgruntled with how often Windows uses automatic updates to force telemetry and other spyware/adware onto their machines. Sadly, on this occasion, distrust in Microsoft has left people vulnerable to the leaked NSA exploit that is allowing the ransomware to spread.
WanaCrypt0r 2.0 – Foiled for Now
The good news is that, for now, a security expert from the UK (working alongside security firm Proofpoint) has managed to halt the spread of the attack. The independent cybersecurity expert noticed a kill switch within WanaCryptor that checks to see if a particular domain name is registered. If the domain is found to be active, this triggers the ransomware to stop spreading. The UK-based security worker decided to buy the domain name to see if it stopped the attack, and – to his delight – it worked!
This is good news for people who haven’t updated their system yet, as it gives them time to download the Windows security update. However, it is not known how long it will be before the attack vector is updated with a new server kill switch. For this reason, people are being warned that the attack is far from over.
In addition, the Spanish security firm CERT has discovered another NSA exploit (known as DOUBLEPULSAR) being spread by the same hackers. Like Eternal Blue, that malware also makes use of a Windows zero-day exploit (this time in Windows kernel Ring 0).
Protect Yourself Now!
Due to the fact that people could still be vulnerable to this secondary exploit, it is strongly recommended that anybody with Windows updates their operating system quickly.
This can be done by going to Control Panel > System and Security > Windows Updates. The necessary update is MS17-010.
Interestingly Microsoft has even issued a Widows XP patch for the vulnerability, so if you still run the outdated version of the operating system, please be sure to protect yourself.
For more information from Windows about protecting against the ransomware epidemic, check here. In addition, people should take great care not to open any emails that seem suspect – as they could be the emails being used to spread the virus. Another recommendation is to use a firewall, as this can stop the Eternal Blue worm from directly targeting machines.
Furthermore, with the spread of ransomware becoming more of an issue all the time, people are advised to get a good antivirus and anti-malware application. It’s also important to back up data often, so that it can be recovered should the worst happen.
Opinions are the writer’s own.
Title image credit: intel.malwaretech.com/WannaCrypt.html
Image credits: Steve Heap/Shutterstock.com, Carsten Reisinger/Shutterstock.com, Agenturfotografin/Shutterstock.com