After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.
Those same NSA officials, according to Tuesday’s report, failed to communicate the severity of the vulnerability to the outside world. A month after Microsoft released the patch, the Shadow Brokers published the attack code, code-named EternalBlue, that exploited the critical Windows vulnerability. A month after that, attackers used a modified version of EternalBlue to infect computers around the world with malware that blocked access to data. Within hours of the outbreak of the ransomware worm dubbed WCry, infected hospitals turned away patients; banks, telecommunications companies, and government agencies shut down computers.
“NSA identified a risk and communicated it to Microsoft, who put out an immediate patch,” Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told The Washington Post. The problem, he said, is that no senior official took the step of shouting to the world: “This one is very serious, and we need to protect ourselves.”
Elsewhere in the article, the paper, citing people who spoke on the condition of anonymity, said: “The agency eventually warned Microsoft after learning about EternalBlue’s theft, allowing the company to prepare a software patch issued in March.”
The Washington Post article is the first to explicitly report that the NSA was the source that alerted Microsoft to the vulnerability fixed in March’s MS17-010 security bulletin. But it comes as little surprise. Several pieces of evidence led outsiders to speculate for weeks that the NSA was the disclosing party. Exhibit A was the timing. On January 7, the Shadow Brokers announced the auction of dozens of NSA tools, including one called DoublePulsar, a backdoor that is installed by EternalBlue.
Five weeks later, Microsoft abruptly canceled February’s scheduled patch release, citing an undisclosed last-minute issue. It was the first time the company had ever canceled a Patch Tuesday. Four weeks later, MS17-010 was released. And precisely 28 days after that, the Shadow Brokers published EternalBlue, DoublePulsar, and dozens more hacking tools.
Exhibit B was Microsoft’s decision not to name the party that reported the vulnerabilities fixed in the suspiciously timed MS17-010 bulletin. While Microsoft bulletins omit disclosing parties from time to time, the majority of them are credited.
Tuesday’s article doesn’t say when NSA officials tipped off Microsoft. Company representatives declined to confirm or deny the agency was its source. Asked for comment on Tuesday’s report, a Microsoft representative wrote: “Our standard practice is to list acknowledgements on our website. We may not list an acknowledgement for reasons including reports from employees, requests for non-attribution, or if the finder doesn’t follow coordinated vulnerability disclosure.” The representative declined to answer additional questions.
During the more than five years the NSA used EternalBlue’s extraordinary powers to extract secrets from targeted computers, the Washington Post reported, some officials discussed whether the flaw was so dangerous they should reveal it to Microsoft. The worries were most acute for early versions, which contained bugs. The paper reported:
The NSA also made upgrades to EternalBlue to address its penchant for crashing targeted computers—a problem that earned it the nickname “EternalBlueScreen” in reference to the eerie blue screen often displayed by computers in distress.
To mitigate its instability in the early days, the NSA hackers were under strict usage rules that required approval from a senior supervisor on a target-by-target basis to use the exploit, the employees recalled.
After a few years, its stability was improved, but NSA was still mindful of the potential for harm if the tool somehow was breached.
“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network, and you can compromise everything.”
The Shadow Brokers’ first dump of exploits in August sparked a robust discussion within the Obama administration. “By that point, the intelligence value” of the exploits was “degraded,” so it was decided that NSA would alert whatever vendors were affected, a former senior administration official said.
Crisis could grow worse
The Shadow Brokers’ theft and subsequent leaks are one of the worst crises, if not the worst, to hit the NSA. It’s not clear officials can do much to recover. Even with the patch Microsoft issued in March, the vulnerability remained an Achilles’ heel that paralyzed key parts of the physical world. There’s little stopping people from unleashing new attacks that similarly repackage EternalBlue or possibly other dangerous exploits already released by the Shadow Brokers.
There’s also the possibility of even more dangerous Shadow Broker releases in the coming months. On Monday night, the group—which so far has made good on most of the threats it has foreshadowed—published a new dispatch that claimed to possess 75 percent of the NSA arsenal. It went on to warn future releases might include:
- Web browser, router, handset exploits, and tools
- select items from newer Ops Disks, including newer exploits for Windows 10
- compromised network data from more SWIFT providers and Central banks
- compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
“The Shadow Brokers is launching new monthly subscription model,” the dispatch, written in the group’s characteristically exaggerated broken English, stated. “Is being like wine-of-month club. Each month, peoples can be paying membership fee, then getting members-only data dump each month. What members doing with data after is up to members.”
More Info: arstechnica.com