Manawatu Standard

Microsoft slams govt cyber secrecy

"We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world." Microsoft President Brad Smith

UNITED STATES: Officials across the globe scrambled over the weekend to catch the culprits behind a massive ransomware worm that disrupted operations at car factories, hospitals, shops and schools, while Microsoft yesterday pinned blame on the US government for not disclosing more software vulnerabilities.

Cyber security experts said the spread of the worm dubbed Wannacry - ransomware that locked up more than 200,000 computers in more than 150 countries - had slowed, but that the respite might only be brief amid fears new versions of the worm will strike.

In a blog post yesterday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the U.S. National Security Agency, that leaked online in April.

"This is an emerging pattern in 2017," Smith wrote. "We have seen vulnerabilities stored by the CIA show up on Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world."

He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Smith wrote. He added that governments around the world should "treat this attack as a wake-up call" and "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

The NSA and White House did not immediately respond to requests for comment about the Microsoft statement.

Economic experts offered differing views on how much the attack, and associated computer outages, would cost businesses and governments.

The non-profit US Cyber Consequences Unit research institute estimated that total losses would range in the hundreds of millions of dollars, but not exceed US$1 billion.

Most victims were quickly able to recover infected systems with backups, said the group’s chief economist, Scott Borg.

California-based cyber risk modelling firm Cyence put the total economic damage at US$4 billion, citing costs associated with business interruption.

The original attack lost momentum on Saturday after a security researcher took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks.

Infected computers appear to largely be out-of-date devices that organisations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.

Microsoft released patches last month and on Saturday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge at the weekend.

Code for exploiting that bug, which is known as "Eternal Blue," was released on the internet last month by a hacking group known as the Shadow Brokers.

Account addresses hard-coded into the malicious Wannacry virus appear to show the attackers had received just under US$32,500 in anonymous bitcoin currency as of yesterday morning, but that amount could rise as more victims rush to pay ransoms of US$300 or more. - Reuters
