As a second wave of the WannaCry Ransomware attack is infecting more systems in more countries, the White House has ordered emergency meetings to deal with a threat that is, in part, the NSA’s fault. Experts believe that we may not even know the extent of how hard the attack hit Asia, and we won’t know until later today.
WannaCry is believed to have originated from a set of hacking tools that were leaked online by a group of hackers known as the Shadow Brokers. One tool was a vulnerability in Windows that the NSA had kept secret from Microsoft in order to give themselves a back door when they needed it. When the leaks occurred, Microsoft patched the vulnerability, but the events that kicked off on Friday demonstrated that many, many systems weren’t up to date. At this point, 200,000 victims in 150 different countries are known to have been affected. The attackers have locked up users’ data and are demanding between $300 and $600 for the encryption key.
The NSA is now partially responsible for the global havoc that has caused hospitals to turn away patients, manufacturing to shut down, cash machines to go dark, and long shifts for cybersecurity professionals. According to reports from multiple outlets, some of those cybersecurity professionals work for the U.S. Cyber Response Group that has been huddled with Homeland Security Adviser Tom Bossert all weekend.
The relatively new group now has the unenviable task of cleaning up the NSA’s mess, and protecting systems in the U.S. from further attacks. So far, America has been pretty lucky, and infections here have been minimal. According to Politico:
The ransomware campaign — which has gone through at least two phases as researchers worked to halt its advance — mostly affected Europe and Asia. But at least two public universities in the United States have reported infections, according to a spokeswoman for a cyber-information-sharing organization dedicated to state and local governments.
A DHS official told POLITICO late Friday that the malware had not yet infected U.S. government agencies and critical infrastructure organizations, such as hospitals and power plants.
But many experts are afraid the beginning of the new work week will bring more attacks and reveal ones that already existed that went unnoticed. Many workers in Asia had already finished their business for the day on Friday. It’s possible that people could be heading into the office to find a nasty surprise. And despite the best efforts of a young security researcher in the UK who goes by MalwareTech, the temporarily halted ransomware has simply been altered and is being spread by copycats. “We are in the second wave,” Matthieu Suiche of Comae Technologies, tells the New York Times. “As expected, the attackers have released new variants of the malware. We can surely expect more.”
Microsoft even had to create a new patch for Windows XP, an operating system it hasn’t supported since 2014. Today, the software giant released a statement that addressed their efforts to prevent issues like this and condemned the U.S. government’s policies:
This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organised criminal action.
The governments of the world should treat this attack as a wake-up call.
Outside of the damage being done by blocking access to essential services, financial repercussions, and productivity slowdowns, this is an international incident that is likely causing diplomatic rifts with our allies. New cybersecurity policies should find a way to work with companies to coordinate intelligence about vulnerabilities. It’s just so obviously in our own interest to do so. [Reuters, Politico, New York Times, Microsoft]