Tuesday, 28 May 2019 11:43

Infosec pros defend NSA against NYT claims on EternalBlue


A number of information security professionals in the US have sharply criticised The New York Times over an article it ran recently, claiming that a ransomware attack on local government offices in Baltimore, Maryland, was carried out through the use of a leaked NSA exploit known as EternalBlue.

The angle taken by the NYT was that the exploit, developed using taxpayer funds and leaked on the Web by a group known as the Shadow Brokers in 2017, had come back to bite an organisation on its own doorstep: the NSA itself is headquartered in Baltimore. EternalBlue was used in the WannaCry ransomware that rocked a number of countries in May 2017.

The article also dealt with a number of other ransomware attacks, pointing out that Russia, North Korea and Iran had all used the same exploit in malware which attackers had crafted. This is the second time in recent weeks that the NYT has come under attack by a similar class of professionals.

It cited a study by Slovakian security outfit ESET which had pointed out earlier this month that the use of the EternalBlue exploit had been growing rapidly.

The exploit targets a flaw in Microsoft's implementation of the Server Message Block (SMB) protocol, reached over TCP port 445. Though Microsoft patched the flaw before WannaCry hit in May 2017, there are still plenty of vulnerable systems exposed to the Internet today.
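The exposure the paragraph describes, hosts accepting SMB connections from the Internet, is something a defender can check for in perimeter firewall logs. The script below is an added example, not code from the article or from any of the people it quotes; it parses a constructed log format (assumed field names `src`, `dst`, `proto`, `dport`) and reports internal hosts that accepted SMB connections from outside the RFC 1918 ranges.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the article). The 203.0.113.0/24
# and 198.51.100.0/24 documentation ranges stand in for Internet addresses.
SAMPLE_LOG = """\
2019-05-20T10:01:02Z ALLOW src=203.0.113.45 dst=192.168.10.5 proto=tcp dport=445
2019-05-20T10:01:05Z ALLOW src=192.168.10.7 dst=192.168.10.5 proto=tcp dport=445
2019-05-20T10:02:11Z DENY src=198.51.100.9 dst=192.168.10.5 proto=tcp dport=445
2019-05-20T10:03:00Z ALLOW src=203.0.113.45 dst=192.168.10.9 proto=tcp dport=139
2019-05-20T10:04:30Z ALLOW src=203.0.113.45 dst=192.168.10.11 proto=tcp dport=445
"""

# Assumed log line layout: timestamp, action, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

# SMB over TCP (445) and NetBIOS session service (139), which also carries SMB.
SMB_PORTS = {445, 139}

# Explicit internal ranges: RFC 1918, loopback and link-local. We do not use
# ipaddress.is_private because it also treats the documentation ranges used in
# the sample as private, which would hide the very lines we want to flag.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_exposed_smb(log_text: str) -> dict:
    """Map each internal host to the external sources whose SMB connections were allowed."""
    exposed: dict = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["proto"] != "tcp" or int(rec["dport"]) not in SMB_PORTS:
            continue
        if is_internal(rec["src"]):
            continue  # internal-to-internal SMB is normal; external reach is the finding
        exposed.setdefault(rec["dst"], []).append(rec["src"])
    return exposed


if __name__ == "__main__":
    for host, sources in find_exposed_smb(SAMPLE_LOG).items():
        print(f"{host} accepted SMB from Internet sources: {sorted(set(sources))}")
```

Denied connections are skipped on purpose: a blocked probe is expected background noise, whereas an allowed inbound session to port 445 is a host that needs the firewall rule removed and the MS17-010 patch confirmed.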

Former NSA hacker Dave Aitel, who runs a security company known as Immunity that was acquired by Cyxtera Technologies in January, slammed the article in a blog post, claiming that the ransomware involved in the Baltimore attack was a strain known as RobinHood that had nothing to do with EternalBlue.

He used somewhat intemperate language, writing: "Recently a misleading and terribly researched article... came out in the NYT which essentially blamed the NSA and EternalBlue for various ransomware attacks on American city governments, including Baltimore. This then ballooned to PBS and the BBC and a bunch of other places, all of which parroted its nonsense."

Aitel pointed out that Microsoft had patched EternalBlue two years ago, and that the versions of Windows it could attack (Windows 7 and Windows Server 2008) were due to reach end-of-life the following year.

"... no doubt EternalBlue will always be useful somewhere, on geriatric machines left in closets next to Wang computers and the odd SPARC workstation, it's not going to be a professional ransomware crew's goto, because it would alert everyone and probably never work," he wrote sarcastically.

Aitel had a number of other objections as well, all of which can be read here.

Another infosec professional, Robert Graham, who runs the company Errata Security, was also worked up about the NYT article to the extent that he wrote a blog post about it. Describing the NYT effort as "an op-ed masquerading as a news article", Graham said the authors had cited a number of people who supported their arguments, but only a single quote from the NSA director who took an opposing stance.

He said the main reason "experts" disagreed with the NYT article was because, in his view, EternalBlue was not responsible for most ransomware infections.

"It's almost never used to start the initial infection – that's almost always phishing or website vulnerabilities. Once inside, it's almost never used to spread laterally - that's almost always done with Windows networking and stolen credentials," he wrote.

"Yes, ransomware increasingly includes EternalBlue as part of their arsenal of attacks, but this doesn't mean EternalBlue is responsible for ransomware. The NYT story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other."

Graham also took issue with the use of anonymous sources by the NYT, saying, "This is bad journalism. The principles of journalism are that you are supposed to attribute where you got such information, so that the reader can verify for themselves whether the information is true or false, or at least, credible."

The NYT article had claimed another strain of ransomware, Emotet, was "relying" on EternalBlue in order to spread. "That's not the same thing as 'using', not even close," Graham argued. "Yes, lots of ransomware has been updated to also use EternalBlue to spread.

"However, what ransomware is relying upon is still the Windows-networking/credential-stealing/psexec method. Because the actual source of this quote is anonymous, we, the readers, have no way of challenging what appears to be a gross exaggeration. The reader is led to believe the NSA's EternalBlue is primarily to blame for ransomware spread, rather than the truth that it's only occasionally responsible."

He said instead of the NSA, the blame for the Baltimore incident resided with the attackers or the city of Baltimore itself.

Additionally, Graham argued that if the NSA had not kept the vulnerability secret and had told Microsoft about it right away, then hackers would have used the patch to create an exploit anyway.

"Indeed, the exploit the hackers are including in their malware is often an independent creation and not that NSA's EternalBlue at all," he said.

"This work shows how much hackers can independently develop these things without help from the NSA. Again, the story seems to credit the NSA for their genius in making the vulnerability useful instead of 'EternalBlueScreen', but for malware/ransomware, it's largely the community that has done this work."

Contacted for comment, former NSA hacker Jake Williams, a well-known commentator in these columns, said he was of the opinion that both the NSA and the victims shared the blame.

"On a more technical note, there are many remote code execution vulnerabilities that aren't weaponised (both before and after MS 17-010)," added Williams, who now runs his own security firm, Rendition Infosec. "The Shadow Brokers disclosure was a game changer in ensuring this could be weaponised."

He said a great example of this was the group that security firm Symantec tracked as Buckeye. "They were using one of the Eternal vulnerabilities, but had to use a secondary vulnerability to leak kernel addresses to make it reliable."

Added Williams: "The argument that this particular vulnerability would have been weaponised from simply analysing the patch doesn't hold much water when you see a Chinese APT (with similar resources to NSA) using a second vulnerability to gain reliable exploitation."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.