******************** POSTING RULES & NOTES ********************
#1 YOU MUST clip all extraneous text when replying to a message.
#2 This mail-list, like most, is publicly & permanently archived.
#3 Subscribe and post under an alias if #2 is a concern.
*****************************************************************
NY Times, May 25, 2019
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc
By Nicole Perlroth and Scott Shane
For nearly three weeks, Baltimore has struggled with a cyberattack by
digital extortionists that has frozen thousands of computers, shut down
email and disrupted real estate sales, water bills, health alerts and
many other services.
But here is what frustrated city employees and residents do not know: A
key component of the malware that cybercriminals used in the attack was
developed at taxpayer expense a short drive down the
Baltimore-Washington Parkway at the National Security Agency, according
to security experts briefed on the case.
Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it
has been picked up by state hackers in North Korea, Russia and, more
recently, China, to cut a path of destruction around the world, leaving
billions of dollars in damage. But over the past year, the cyberweapon
has boomeranged back and is now showing up in the N.S.A.’s own backyard.
It is not just in Baltimore. Security experts say EternalBlue attacks
have reached a high, and cybercriminals are zeroing in on vulnerable
American towns and cities, from Pennsylvania to Texas, paralyzing local
governments and driving up costs.
The N.S.A. connection to the attacks on American cities has not been
previously reported, in part because the agency has refused to discuss
or even acknowledge the loss of its cyberweapon, dumped online in April
2017 by a still-unidentified group calling itself the Shadow Brokers.
Years later, the agency and the Federal Bureau of Investigation still do
not know whether the Shadow Brokers are foreign spies or disgruntled
insiders.
Thomas Rid, a cybersecurity expert at Johns Hopkins University, called
the Shadow Brokers episode “the most destructive and costly N.S.A.
breach in history,” more damaging than the better-known leak in 2013
from Edward Snowden, the former N.S.A. contractor.
“The government has refused to take responsibility, or even to answer
the most basic questions,” Mr. Rid said. “Congressional oversight
appears to be failing. The American people deserve an answer.”
The N.S.A. and F.B.I. declined to comment.
Since that leak, foreign intelligence agencies and rogue actors have
used EternalBlue to spread malware that has paralyzed hospitals,
airports, rail and shipping operators, A.T.M.s and factories that
produce critical vaccines. Now the tool is hitting the United States
where it is most vulnerable, in local governments with aging digital
infrastructure and fewer resources to defend themselves.
Before it leaked, EternalBlue was one of the most useful exploits in the
N.S.A.’s cyberarsenal. According to three former N.S.A. operators who
spoke on the condition of anonymity, analysts spent almost a year
finding a flaw in Microsoft’s software and writing the code to target
it. Initially, they referred to it as EternalBluescreen because it often
crashed computers — a risk that could tip off their targets. But it went
on to become a reliable tool used in countless intelligence-gathering
and counterterrorism missions.
EternalBlue was so valuable, former N.S.A. employees said, that the
agency never seriously considered alerting Microsoft about the
vulnerabilities, and held on to it for more than five years before the
breach forced its hand.
The Baltimore attack, on May 7, was a classic ransomware assault. City
workers’ screens suddenly locked, and a message in flawed English
demanded about $100,000 in Bitcoin to free their files: “We’ve watching
you for days,” said the message, obtained by The Baltimore Sun. “We
won’t talk more, all we know is MONEY! Hurry up!”
Today, Baltimore remains handicapped as city officials refuse to pay,
though workarounds have restored some services. Without EternalBlue, the
damage would not have been so vast, experts said. The tool exploits a
vulnerability in unpatched software that allows hackers to spread their
malware faster and farther than they otherwise could.
North Korea was the first nation to co-opt the tool, for an attack in
2017 — called WannaCry — that paralyzed the British health care system,
German railroads and some 200,000 organizations around the world. Next
was Russia, which used the weapon in an attack — called NotPetya — that
was aimed at Ukraine but spread across major companies doing business in
the country. The assault cost FedEx more than $400 million and Merck,
the pharmaceutical giant, $670 million.
The damage didn’t stop there. In the past year, the same Russian hackers
who targeted the 2016 American presidential election used EternalBlue to
compromise hotel Wi-Fi networks. Iranian hackers have used it to spread
ransomware and hack airlines in the Middle East, according to
researchers at the security firms Symantec and FireEye.
“It’s incredible that a tool which was used by intelligence services is
now publicly available and so widely used,” said Vikram Thakur,
Symantec’s director of security response.
One month before the Shadow Brokers began dumping the agency’s tools
online in 2017, the N.S.A. — aware of the breach — reached out to
Microsoft and other tech companies to inform them of their software
flaws. Microsoft released a patch, but hundreds of thousands of
computers worldwide remain unprotected.
Hackers seem to have found a sweet spot in Baltimore, Allentown, Pa.,
San Antonio and other local, American governments, where public
employees oversee tangled networks that often use out-of-date software.
Last July, the Department of Homeland Security issued a dire warning
that state and local governments were getting hit by particularly
destructive malware that now, security researchers say, has started
relying on EternalBlue to spread.
Microsoft, which tracks the use of EternalBlue, would not name the
cities and towns affected, citing customer privacy. But other experts
briefed on the attacks in Baltimore, Allentown and San Antonio confirmed
the hackers used EternalBlue. Security responders said they were seeing
EternalBlue pop up in attacks almost every day.
Amit Serper, head of security research at Cybereason, said his firm had
responded to EternalBlue attacks at three different American
universities, and found vulnerable servers in major cities like Dallas,
Los Angeles and New York.
The costs can be hard for local governments to bear. The Allentown
attack, in February last year, disrupted city services for weeks and
cost about $1 million to remedy — plus another $420,000 a year for new
defenses, said Matthew Leibert, the city’s chief information officer.
He described the package of dangerous computer code that hit Allentown
as “commodity malware,” sold on the dark web and used by criminals who
don’t have specific targets in mind. “There are warehouses of kids
overseas firing off phishing emails,” Mr. Leibert said, like thugs
shooting military-grade weapons at random targets.
The malware that hit San Antonio last September infected a computer
inside Bexar County sheriff’s office and tried to spread across the
network using EternalBlue, according to two people briefed on the attack.
This past week, researchers at the security firm Palo Alto Networks
discovered that a Chinese state group, Emissary Panda, had hacked into
Middle Eastern governments using EternalBlue.
“You can’t hope that once the initial wave of attacks is over, it will
go away,” said Jen Miller-Osborn, a deputy director of threat
intelligence at Palo Alto Networks. “We expect EternalBlue will be used
almost forever, because if attackers find a system that isn’t patched,
it is so useful.”
Until a decade or so ago, the most powerful cyberweapons belonged almost
exclusively to intelligence agencies — N.S.A. officials used the term
“NOBUS,” for “nobody but us,” for vulnerabilities only the agency had
the sophistication to exploit. But that advantage has hugely eroded, not
only because of the leaks, but because anyone can grab a cyberweapon’s
code once it’s used in the wild.
Some F.B.I. and Homeland Security officials, speaking privately, said
more accountability at the N.S.A. was needed. A former F.B.I. official
likened the situation to a government failing to lock up a warehouse of
automatic weapons.
In an interview in March, Adm. Michael S. Rogers, who was director of
the N.S.A. during the Shadow Brokers leak, suggested in unusually candid
remarks that the agency should not be blamed for the long trail of damage.
“If Toyota makes pickup trucks and someone takes a pickup truck, welds
an explosive device onto the front, crashes it through a perimeter and
into a crowd of people, is that Toyota’s responsibility?” he asked. “The
N.S.A. wrote an exploit that was never designed to do what was done.”
At Microsoft’s headquarters in Redmond, Wash., where thousands of
security engineers have found themselves on the front lines of these
attacks, executives reject that analogy.
“I disagree completely,” said Tom Burt, the corporate vice president of
consumer trust, insisting that cyberweapons could not be compared to
pickup trucks. “These exploits are developed and kept secret by
governments for the express purpose of using them as weapons or
espionage tools. They’re inherently dangerous. When someone takes that,
they’re not strapping a bomb to it. It’s already a bomb.”
Brad Smith, Microsoft’s president, has called for a “Digital Geneva
Convention” to govern cyberspace, including a pledge by governments to
report vulnerabilities to vendors, rather than keeping them secret to
exploit for espionage or attacks.
Last year, Microsoft, along with Google and Facebook, joined 50
countries in signing on to a similar call by French President Emmanuel
Macron — the Paris Call for Trust and Security in Cyberspace — to end
“malicious cyber activities in peacetime.”
Notably absent from the signatories were the world’s most aggressive
cyberactors: China, Iran, Israel, North Korea, Russia — and the United
States.
_________________________________________________________
Full posting guidelines at: http://www.marxmail.org/sub.htm
Set your options at:
https://lists.csbs.utah.edu/options/marxism/archive%40mail-archive.com
