Tuesday, 28 May 2019 11:43

Infosec pros defend NSA against NYT claims on EternalBlue

By Sam Varghese

A number of information security professionals in the US have sharply criticised The New York Times over an article it ran recently, claiming that a ransomware attack on local government offices in Baltimore, Maryland, was carried out through the use of a leaked NSA exploit known as EternalBlue.

The angle taken by the NYT was that the exploit, developed using taxpayer funds and leaked on the Web by a group known as the Shadow Brokers in 2017, had come back to bite an organisation on its own doorstep: the NSA itself is headquartered at Fort Meade, Maryland, a short drive from Baltimore. EternalBlue was used in the WannaCry ransomware that rocked a number of countries in May 2017.

The article also dealt with a number of other ransomware attacks, pointing out that Russia, North Korea and Iran had all incorporated the same exploit into malware of their own. This is the second time in recent weeks that the NYT has come under fire from the same class of professionals.

It cited a study by Slovakian security outfit ESET which had pointed out earlier this month that the use of the EternalBlue exploit had been growing rapidly.

The exploit targets a flaw (CVE-2017-0144) in Microsoft's implementation of version 1 of the server message block protocol, SMBv1, which is reached over TCP port 445. Microsoft patched the flaw in March 2017 as MS17-010, two months before WannaCry hit in May 2017, but plenty of unpatched systems still expose port 445 to the Internet today.
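Because EternalBlue only works against SMBv1, the first thing a defender wants to know about traffic on port 445 is which protocol generation is being negotiated. The following Python is an added example written for this page, not code from the article or from any of the people quoted in it: it builds a sample SMBv1 Negotiate Protocol request (constructed, not captured), parses the NetBIOS framing and SMB header, and reports whether the client offers the SMBv1 "NT LM 0.12" dialect and whether it also offers to move up to SMB2. The function and field names are the author's own; the wire layout follows the published SMB header format.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB1_NT_DIALECT = "NT LM 0.12"   # the SMBv1 dialect Windows speaks; EternalBlue needs SMBv1


def build_smb1_negotiate(dialects):
    """Build a NetBIOS-framed SMBv1 Negotiate Protocol request offering `dialects`.
    This is constructed sample traffic for the parser below, not a real capture."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = (
        SMB1_MAGIC
        + bytes([SMB1_COM_NEGOTIATE])
        + b"\x00" * 4          # NT status
        + b"\x18"              # Flags: canonical paths, case-insensitive
        + b"\x53\xc8"          # Flags2: long names, extended security, NT status, Unicode
        + b"\x00" * 2          # PIDHigh
        + b"\x00" * 8          # SecuritySignature
        + b"\x00" * 2          # Reserved
        + b"\xff\xff"          # TID
        + b"\xfe\xff"          # PID
        + b"\x00\x00"          # UID
        + b"\x00\x00"          # MID
    )
    # WordCount=0 (negotiate carries no parameter words), then ByteCount and the dialect list
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_smb_negotiate(packet):
    """Return ("SMB2", []) for an SMB2/3 negotiate or ("SMB1", dialects) for an SMBv1
    one. Raise ValueError for anything that is not a well-formed negotiate request."""
    if len(packet) < 4 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if len(smb) != length or len(smb) < 32:
        raise ValueError("truncated SMB message")
    if smb[:4] == SMB2_MAGIC:
        return "SMB2", []
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB message")
    if smb[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate request")
    if len(smb) < 35:
        raise ValueError("truncated parameter block")
    word_count = smb[32]
    params_end = 33 + 2 * word_count
    if params_end + 2 > len(smb):
        raise ValueError("truncated parameter block")
    (byte_count,) = struct.unpack_from("<H", smb, params_end)
    data = smb[params_end + 2:params_end + 2 + byte_count]
    if len(data) != byte_count or (data and data[-1] != 0x00):
        raise ValueError("truncated dialect list")
    dialects = []
    for entry in data.split(b"\x00")[:-1]:   # each entry is 0x02 + name, NUL-terminated
        if not entry or entry[0] != 0x02:
            raise ValueError("malformed dialect entry")
        dialects.append(entry[1:].decode("ascii"))
    return "SMB1", dialects


def assess_negotiate(packet):
    """Summarise what a negotiate request says about this connection: is the client
    still speaking SMBv1, and does it offer SMB2, which a server with SMBv1 disabled
    will select instead?"""
    version, dialects = parse_smb_negotiate(packet)
    return {
        "version": version,
        "offers_smb1_nt_dialect": SMB1_NT_DIALECT in dialects,
        "offers_smb2_upgrade": any(d.startswith("SMB 2.") for d in dialects),
        "dialects": dialects,
    }


if __name__ == "__main__":
    legacy = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", SMB1_NT_DIALECT])
    modern = build_smb1_negotiate([SMB1_NT_DIALECT, "SMB 2.002", "SMB 2.???"])
    for name, pkt in (("legacy", legacy), ("modern", modern)):
        print(name, assess_negotiate(pkt))
```

A client that offers only SMBv1 dialects will land on SMBv1 against any server that still enables it, which is the precondition for the exploit; a client that also offers "SMB 2.xxx" will be moved up to SMB2 by a server that has SMBv1 turned off. Note the caveat: MS17-010 fixes the bug without removing SMBv1, so a negotiation that ends on "NT LM 0.12" shows exposure to the protocol, not that the host is unpatched. Patch level still has to be checked on the host.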

Former NSA hacker Dave Aitel, who runs a security company known as Immunity that was acquired by Cyxtera Technologies in January, slammed the article in a blog post, claiming that the ransomware involved in the Baltimore attack was a strain known as RobinHood that had nothing to do with EternalBlue.

He used somewhat intemperate language, writing: "Recently a misleading and terribly researched article... came out in the NYT which essentially blamed the NSA and EternalBlue for various ransomware attacks on American city governments, including Baltimore. This then ballooned to PBS and the BBC and a bunch of other places, all of which parroted its nonsense."

Aitel pointed out that Microsoft had patched the EternalBlue flaw two years ago, and that the Windows versions it could attack, Windows 7 and Windows Server 2008, were due to reach end of life next year.

"... no doubt EternalBlue will always be useful somewhere, on geriatric machines left in closets next to Wang computers and the odd SPARC workstation, it's not going to be a professional ransomware crew's go-to, because it would alert everyone and probably never work," he wrote sarcastically.

Aitel set out a number of other objections in the same blog post.

Another infosec professional, Robert Graham, who runs the company Errata Security, was also worked up about the NYT article to the extent that he wrote a blog post about it. Describing the NYT effort as "an op-ed masquerading as a news article", Graham said the authors had cited a number of people who supported their arguments, but only a single quote from the NSA director who took an opposing stance.

He said the main reason "experts" disagreed with the NYT article was because, in his view, EternalBlue was not responsible for most ransomware infections.

"It's almost never used to start the initial infection – that's almost always phishing or website vulnerabilities. Once inside, it's almost never used to spread laterally - that's almost always done with Windows networking and stolen credentials," he wrote.

"Yes, ransomware increasingly includes EternalBlue as part of their arsenal of attacks, but this doesn't mean EternalBlue is responsible for ransomware. The NYT story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other."

Graham also took issue with the use of anonymous sources by the NYT, saying, "This is bad journalism. The principles of journalism are that you are supposed to attribute where you got such information, so that the reader can verify for themselves whether the information is true or false, or at least, credible."

The NYT article had claimed another malware family, Emotet (a loader that is commonly used to deliver ransomware rather than ransomware in its own right), was "relying" on EternalBlue in order to spread. "That's not the same thing as 'using', not even close," Graham argued. "Yes, lots of ransomware has been updated to also use EternalBlue to spread.

"However, what ransomware is relying upon is still the Windows-networking/credential-stealing/psexec method. Because the actual source of this quote is anonymous, we, the readers, have no way of challenging what appears to be a gross exaggeration. The reader is led to believe the NSA's EternalBlue is primarily to blame for ransomware spread, rather than the truth that it's only occasionally responsible."
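The "Windows-networking/credential-stealing/psexec" pattern Graham describes leaves a very different trail from an SMB exploit: a network logon with a valid credential, a file written to the ADMIN$ share, and a new service registered on the target. The following Python is an added example for this page, not code from the article or from Graham: it runs a simple detection rule over constructed sample records (not real logs) normalised the way a SIEM presents Windows Security-log events 4624 and 5145 and System-log event 7045, and flags a service install that closely follows a network logon to the same host. The event field names, hosts, users and addresses are the author's own.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Event 4624 with logon type 3 is a network
# logon (what an SMB connection produces), 5145 is share object access, and 7045 is a
# new service being installed. The first three records are a psexec-style sequence.
SAMPLE_EVENTS = [
    {"time": "2019-05-07T03:12:01", "host": "FILESRV01", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc_backup", "src_ip": "10.0.4.23"},
    {"time": "2019-05-07T03:12:02", "host": "FILESRV01", "event_id": 5145,
     "user": "CORP\\svc_backup", "src_ip": "10.0.4.23",
     "share": "\\\\*\\ADMIN$", "relative_target": "PSEXESVC.exe"},
    {"time": "2019-05-07T03:12:03", "host": "FILESRV01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2019-05-07T08:00:10", "host": "FILESRV01", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\alice", "src_ip": "10.0.2.15"},
    {"time": "2019-05-07T09:30:00", "host": "WKS-17", "event_id": 7045,
     "service_name": "WdNisSvc",
     "image_path": "C:\\Program Files\\Windows Defender\\NisSrv.exe"},
]

# Service names used by common remote-execution tools. A match raises confidence, but a
# renamed service still trips the behavioural rule, which is the point of the rule.
REMOTE_EXEC_SERVICE_HINTS = ("PSEXESVC", "PAEXEC", "REMCOM", "CSEXEC")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_remote_service_install(events, window_seconds=120):
    """Return one alert per service install (7045) that follows a network logon
    (4624, type 3) to the same host within `window_seconds`.

    That sequence is lateral movement with a valid, often stolen, credential: no
    memory corruption, so nothing about it resembles EternalBlue on the wire.
    """
    ordered = sorted(events, key=_ts)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for i, svc in enumerate(ordered):
        if svc["event_id"] != 7045:
            continue
        logon = None
        admin_share_write = False
        # Scan earlier events on the same host, newest first, until the window is exceeded.
        for prior in reversed(ordered[:i]):
            if _ts(svc) - _ts(prior) > window:
                break
            if prior["host"] != svc["host"]:
                continue
            if prior["event_id"] == 5145 and prior.get("share", "").endswith("ADMIN$"):
                admin_share_write = True
            elif prior["event_id"] == 4624 and prior.get("logon_type") == 3 and logon is None:
                logon = prior
        if logon is None:
            continue   # a locally installed service is not lateral movement
        name = svc["service_name"].upper()
        alerts.append({
            "host": svc["host"],
            "service_name": svc["service_name"],
            "image_path": svc["image_path"],
            "user": logon["user"],
            "src_ip": logon["src_ip"],
            "admin_share_write": admin_share_write,
            "known_tool": any(hint in name for hint in REMOTE_EXEC_SERVICE_HINTS),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_service_install(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the rule produces a single alert, for the PSEXESVC install on FILESRV01 by svc_backup from 10.0.4.23, and stays quiet for the Defender service install on WKS-17, which has no preceding network logon. The point for responders is that this trail exists whether or not the attacker also carries an exploit, so it is the better place to anchor detection than signatures for any one exploit.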

He said instead of the NSA, the blame for the Baltimore incident resided with the attackers or the city of Baltimore itself.

Additionally, Graham argued that if the NSA had not kept the vulnerability secret and had told Microsoft about it right away, then hackers would have used the patch to create an exploit anyway.

"Indeed, the exploit the hackers are including in their malware is often an independent creation and not the NSA's EternalBlue at all," he said.

"This work shows how much hackers can independently develop these things without help from the NSA. Again, the story seems to credit the NSA for their genius in making the vulnerability useful instead of 'EternalBlueScreen', but for malware/ransomware, it's largely the community that has done this work."

Contacted for comment, former NSA hacker Jake Williams, a well-known commentator in these columns, said he was of the opinion that both the NSA and the victims shared the blame.

"On a more technical note, there are many remote code execution vulnerabilities that aren't weaponised (both before and after MS17-010)," added Williams, who now runs his own security firm, Rendition Infosec. "The Shadow Brokers disclosure was a game changer in ensuring this could be weaponised."

He said a great example of this was the group that security firm Symantec tracked as Buckeye. "They were using one of the Eternal vulnerabilities, but had to use a secondary vulnerability to leak kernel addresses to make it reliable."

Added Williams: "The argument that this particular vulnerability would have been weaponised from simply analysing the patch doesn't hold much water when you see a Chinese APT (with similar resources to NSA) using a second vulnerability to gain reliable exploitation."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
