The angle taken by the NYT was that the exploit, developed with taxpayer funds and leaked on the Web by a group known as the Shadow Brokers in 2017, had come back to bite an organisation on the NSA's own doorstep: the agency is headquartered at Fort Meade, Maryland, a short drive from Baltimore. EternalBlue was used in the WannaCry ransomware that rocked a number of countries in May 2017.
The article also dealt with a number of other ransomware attacks, pointing out that state-linked actors from Russia, North Korea and Iran had all built the same exploit into malware of their own. This is the second time in recent weeks that the NYT has come under fire from this class of security professionals.
It cited a study by Slovakian security outfit ESET which had pointed out earlier this month that the use of the EternalBlue exploit had been growing rapidly.
Careless, hype-driven @nytimes "reporting" is encouraging even more stupid than the "reporters" directly transferred with their fairy tale. If it weren't so sad & wasteful it'd be impressive. https://t.co/0MLTZxiqLE— boB Rudis (@hrbrmstr) May 27, 2019
Former NSA hacker Dave Aitel, who runs a security company known as Immunity that was acquired by Cyxtera Technologies in January, slammed the article in a blog post, claiming that the ransomware involved in the Baltimore attack was a strain known as RobinHood that had nothing to do with EternalBlue.
He used somewhat intemperate language, writing: "Recently a misleading and terribly researched article... came out in the NYT which essentially blamed the NSA and EternalBlue for various ransomware attacks on American city governments, including Baltimore. This then ballooned to PBS and the BBC and a bunch of other places, all of which parroted its nonsense."
Aitel pointed out that EternalBlue had been patched by Microsoft two years earlier (MS17-010, released in March 2017), and that the Windows versions most associated with it, Windows 7 and Server 2008, were due to reach end-of-life next year.
"... no doubt EternalBlue will always be useful somewhere, on geriatric machines left in closets next to Wang computers and the odd SPARC workstation, it's not going to be a professional ransomware crew's goto, because it would alert everyone and probably never work," he wrote sarcastically.
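Aitel's point that a professional crew would not reach for EternalBlue because "it would alert everyone and probably never work" rests on two facts a defender can check directly: the exploit only works against the SMBv1 server, and an SMBv1 negotiation on port 445 is trivially visible on the wire. The following is an added example, not code from the article or from any of the people quoted in it; it builds the one packet an MS17-010 scanner starts with, an SMB_COM_NEGOTIATE offering only the "NT LM 0.12" dialect, and reports whether the host still answers in SMBv1. It assumes Windows with SMBv1 disabled resets or ignores an SMB1-only negotiate (it does), and a positive result means only that the exposed protocol is still reachable, not that the host is unpatched. The sample replies at the bottom are constructed for offline use.

```python
"""Probe whether a host still negotiates SMBv1 (dialect "NT LM 0.12").

Added example, not taken from the article or from any of the people it quotes.
EternalBlue (MS17-010) exploits the SMBv1 server, so a host that answers this
probe is at least still exposing the vulnerable protocol. It is not a patch
check: a fully patched Windows 7 box with SMBv1 left on also answers.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"


def build_negotiate_request(dialects=(NT_LM_012,)):
    """NetBIOS session frame + 32-byte SMBv1 header + NEGOTIATE body."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,                   # NT status
        0x18,                # Flags: canonical paths, case-insensitive
        0xC853,              # Flags2: unicode, NT status codes, extended security, long names
        0,                   # PIDHigh
        b"\x00" * 8,         # SecurityFeatures (no signing)
        0, 0, 0xFEFF, 0, 0,  # Reserved, TID, PID, UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # BufferFormat + dialect name
    body = struct.pack("<BH", 0, len(data)) + data             # WordCount=0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb         # NetBIOS session message


def classify_response(raw):
    """Map the server's reply (NetBIOS frame included) to an exposure verdict."""
    smb = raw[4:]
    if len(smb) < 35:
        return "no-smb"
    if smb[:4] == SMB2_MAGIC:
        return "smb2-only"            # server refused SMB1 and answered in SMB2
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "no-smb"
    word_count = smb[32]
    if word_count == 0:
        return "smb1-no-dialect"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:       # SMB1 spoken, but none of our dialects accepted
        return "smb1-no-dialect"
    return "smb1-enabled"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the NEGOTIATE, classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            raw = s.recv(4096)
    except (OSError, socket.timeout):
        return "no-smb"               # reset/closed is what SMB1-disabled Windows does
    return classify_response(raw)


def _frame(smb):
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed replies for offline use; these are not captures from a real server.
CONSTRUCTED_SMB1_REPLY = _frame(SMB1_MAGIC + b"\x72" + b"\x00" * 27 + b"\x11" + b"\x00\x00")
CONSTRUCTED_REJECT_REPLY = _frame(SMB1_MAGIC + b"\x72" + b"\x00" * 27 + b"\x01" + b"\xff\xff")
CONSTRUCTED_SMB2_REPLY = _frame(SMB2_MAGIC + b"\x00" * 60)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))
    else:
        for name, reply in (("smb1", CONSTRUCTED_SMB1_REPLY),
                            ("reject", CONSTRUCTED_REJECT_REPLY),
                            ("smb2", CONSTRUCTED_SMB2_REPLY)):
            print(name, classify_response(reply))
```

Run it as `python probe.py <host>` against a box you are authorised to test; with no argument it classifies the constructed replies. A host reported as `smb1-enabled` is worth following up with the vendor patch status or a proper MS17-010 check, and the single 51-byte negotiate this sends is exactly the kind of traffic an IDS signature for SMBv1 use keys on, which is Aitel's "alert everyone" point.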
Aitel had a number of other objections as well, all of which can be read in his blog post.
More than anything the story gives an out to people who make business decisions to ignore cyber risks because what could they possibly do in the face of military grade cyber threats? It doesn't matter that they get attacked by community sourced versions and not the NSA tool.— Cyber Baba Yaga (@Dave_Maynor) May 27, 2019
Another infosec professional, Robert Graham, who runs the company Errata Security, was also worked up about the NYT article to the extent that he wrote a blog post about it. Describing the NYT effort as "an op-ed masquerading as a news article", Graham said the authors had cited a number of people who supported their arguments, but only a single quote from the NSA director who took an opposing stance.
He said the main reason "experts" disagreed with the NYT article was because, in his view, EternalBlue was not responsible for most ransomware infections.
"It's almost never used to start the initial infection – that's almost always phishing or website vulnerabilities. Once inside, it's almost never used to spread laterally - that's almost always done with Windows networking and stolen credentials," he wrote.
And after seeing the reporter argue with @ErrataRob, @daveaitel, and other experts in the space it's hard to feel sympathy for someone that's clearly trying to avoid admitting they did crappy research. This is way beyond a "cool story bro" response on the reporters carelessness.— Cyber Baba Yaga (@Dave_Maynor) May 27, 2019
"Yes, ransomware increasingly includes EternalBlue as part of their arsenal of attacks, but this doesn't mean EternalBlue is responsible for ransomware. The NYT story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other."
Graham also took issue with the use of anonymous sources by the NYT, saying, "This is bad journalism. The principles of journalism are that you are supposed to attribute where you got such information, so that the reader can verify for themselves whether the information is true or false, or at least, credible."
If it hadn't been EB, it would have been something else. Ransomware existed before that exploit was public, and exists today without it. Some exploit the vuln patched by MS08-067. Or java deserialization. Or admin accounts. Attack success is a function of both defense and offense.— Beau Woods (@beauwoods) May 27, 2019
The NYT article had claimed that another malware strain, Emotet (a trojan that is used to deliver ransomware rather than ransomware itself), was "relying" on EternalBlue in order to spread. "That's not the same thing as 'using', not even close," Graham argued. "Yes, lots of ransomware has been updated to also use EternalBlue to spread.
"However, what ransomware is relying upon is still the Windows-networking/credential-stealing/psexec method. Because the actual source of this quote is anonymous, we, the readers, have no way of challenging what appears to be a gross exaggeration. The reader is led to believe the NSA's EternalBlue is primarily to blame for ransomware spread, rather than the truth that it's only occasionally responsible."
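Graham's claim, made twice above, is that the spread defenders should actually be watching for is the "Windows-networking/credential-stealing/psexec method": a network logon with stolen credentials, a service binary dropped on the ADMIN$ share, and a service created to run it. The following detection logic is an added example, not code from the article or from Graham, and runs over constructed event records. The records are a deliberately simplified projection of three real Windows events, 4624 (logon, type 3 = network), 5145 (detailed file share access, which records the share and the file written) and 7045 (a service was installed); the dictionary field names, hostnames, IP addresses and account names are this example's own and not the EVTX schema. It correlates on the binary written over ADMIN$ matching the image path of the new service, so it catches a renamed service (`psexec -r`) as well as the default `PSEXESVC`.

```python
"""Flag PsExec-style lateral movement from Windows event records.

Added example, not from the article or from Robert Graham. SAMPLE_EVENTS is a
constructed, simplified projection of three real Windows events: 4624 (network
logon, type 3), 5145 (write to an admin share) and 7045 (service installed).
Field names, hosts, IPs and users are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

SAMPLE_EVENTS = [
    # Classic PsExec: network logon, PSEXESVC.exe dropped on ADMIN$, service created
    {"ts": "2019-05-07T02:10:05", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.1.4.22"},
    {"ts": "2019-05-07T02:10:06", "host": "FS01", "id": 5145, "user": "CORP\\svc_backup",
     "src_ip": "10.1.4.22", "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe", "access": "WriteData"},
    {"ts": "2019-05-07T02:10:07", "host": "FS01", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Same technique with a renamed service (psexec -r): the name no longer says PSEXESVC
    {"ts": "2019-05-07T02:11:40", "host": "WS22", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.1.4.22"},
    {"ts": "2019-05-07T02:11:41", "host": "WS22", "id": 5145, "user": "CORP\\svc_backup",
     "src_ip": "10.1.4.22", "share": "\\\\*\\ADMIN$", "target": "wuauhelper.exe", "access": "WriteData"},
    {"ts": "2019-05-07T02:11:42", "host": "WS22", "id": 7045, "service": "wuauhelper",
     "image": "%SystemRoot%\\wuauhelper.exe"},
    # Benign: a local installer creates a service, nothing arrived over ADMIN$
    {"ts": "2019-05-07T09:00:00", "host": "WS09", "id": 7045, "service": "Sysmon64",
     "image": "C:\\Windows\\Sysmon64.exe"},
    # Benign: an admin copies a file to ADMIN$ but installs no service
    {"ts": "2019-05-07T09:30:00", "host": "WS09", "id": 5145, "user": "CORP\\jdoe",
     "src_ip": "10.1.9.8", "share": "\\\\*\\ADMIN$", "target": "notes.txt", "access": "WriteData"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_psexec_style(events, window=WINDOW):
    """Return one finding per service install whose binary was just written over ADMIN$."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        for svc in (e for e in evs if e["id"] == 7045):
            image = _basename(svc["image"])
            # The service binary must have landed over an admin share shortly before the install.
            writes = [w for w in evs if w["id"] == 5145
                      and w["share"].upper().endswith("ADMIN$")
                      and _basename(w["target"]) == image
                      and "WriteData" in w["access"]
                      and timedelta(0) <= _ts(svc) - _ts(w) <= window]
            if not writes:
                continue
            w = writes[-1]
            # Credential use: a type-3 (network) logon from the same source just before the write.
            logons = [l for l in evs if l["id"] == 4624 and l["logon_type"] == 3
                      and l["src_ip"] == w["src_ip"]
                      and timedelta(0) <= _ts(w) - _ts(l) <= window]
            findings.append({"host": host, "service": svc["service"], "image": image,
                             "src_ip": w["src_ip"], "user": w["user"],
                             "network_logon_seen": bool(logons)})
    return findings


if __name__ == "__main__":
    for finding in detect_psexec_style(SAMPLE_EVENTS):
        print(finding)
```

The two true positives share a source address and account, which is the pivot an analyst would then follow back to the initial foothold; neither benign record is flagged because the share write and the service install are only suspicious together. Event 5145 is off by default and needs the "Detailed File Share" audit subcategory enabled, so on an estate that has not turned it on the correlation degrades to 7045 alone.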
He said instead of the NSA, the blame for the Baltimore incident resided with the attackers or the city of Baltimore itself.
Additionally, Graham argued that even if the NSA had told Microsoft about the vulnerability right away instead of keeping it secret, attackers would have diffed the resulting patch and built an exploit of their own anyway.
"Indeed, the exploit the hackers are including in their malware is often an independent creation and not that NSA's EternalBlue at all," he said.
"This work shows how much hackers can independently develop these things without help from the NSA. Again, the story seems to credit the NSA for their genius in making the vulnerability useful instead of 'EternalBlueScreen', but for malware/ransomware, it's largely the community that has done this work."
Contacted for comment, former NSA hacker Jake Williams, a well-known commentator in these columns, said he was of the opinion that both the NSA and the victims shared the blame.
"On a more technical note, there are many remote code execution vulnerabilities that aren't weaponised (both before and after MS17-010)," added Williams, who now runs his own security firm, Rendition Infosec. "The Shadow Brokers disclosure was a game changer in ensuring this could be weaponised."
He said a great example of this was the group that security firm Symantec tracked as Buckeye. "They were using one of the Eternal vulnerabilities, but had to use a secondary vulnerability to leak kernel addresses to make it reliable."
Added Williams: "The argument that this particular vulnerability would have been weaponised from simply analysing the patch doesn't hold much water when you see a Chinese APT (with similar resources to NSA) using a second vulnerability to gain reliable exploitation."