Somebody screwed up.
Or, rather, a whole lot of people and an entire bureaucracy screwed up.
On Friday, May 12, the WannaCrypt ransomware attack was unleashed upon the world. The well-coordinated cyber-attack targeting Microsoft Windows operating systems infected over 200,000 computers in 150 different countries, with the software demanding ransom payments in 28 different languages. The scope and scale of the attack have been described as unprecedented.
48 National Health Service (NHS) locations in the UK were affected, leaving hospitals unable to access patient data and forcing the cancellation of scheduled operations. The attack also hit schools, hospitals, companies and public services across the globe, including FedEx, Deutsche Bahn, LATAM Airlines, and Renault. Microsoft has taken emergency action, releasing patches for no-longer-supported versions of Windows. According to a blog post from Friday, May 12, Microsoft took “the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8 and Windows Server 2003.”
While the attack spreads by phishing emails, it also uses the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA). EternalBlue exploits the vulnerability addressed by Microsoft security bulletin MS17-010 in Microsoft’s implementation of the Server Message Block (SMB) protocol. The exploit was leaked by the Shadow Brokers hacker group on April 14, 2017.
Many are now questioning the NSA’s non-disclosure of this underlying vulnerability, and the general practice of intelligence agencies stockpiling software exploits for cyber warfare rather than disclosing them for defensive purposes. Microsoft’s president and chief legal officer Brad Smith did not mince words in a scathing blog post condemning American intelligence agencies for their negligence:
This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today: nation-state action and organized criminal action.
President Trump’s homeland security adviser Tom Bossert said that people “should be thinking about this as an attack that for right now we have under control, but as an attack that represents an extremely serious threat.” Coincidentally, President Trump signed a new executive order on cybersecurity on Thursday, May 11, the day before the WannaCrypt attack. The order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” formally declares the need to “educate and train the American cybersecurity workforce,” and is intended to hold the leaders of federal agencies directly accountable to the president for their organizations’ digital security.
For a deeper look at what enterprises need to build on the foundation of their existing security information and event management (SIEM) platform, and the market growth of specialized security providers, check out Aberdeen’s comprehensive research report, Taking Your SIEM to the Next Level with Managed Detection and Response.