In Baltimore and Beyond, a Stolen NSA Tool Wreaks Havoc (nytimes.com)
For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. From a report: But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case. Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the N.S.A.'s own backyard. It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.
The N.S.A. connection to the attacks on American cities has not been previously reported, in part because the agency has refused to discuss or even acknowledge the loss of its cyberweapon, dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers. Years later, the agency and the Federal Bureau of Investigation still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.
Just thieves (Score:1, Interesting)
Probably run of the mill average brain dead thieves working in a mediocre cybercrime network. Such thieves are never sophisticated and have few novel ideas or techniques. It will end up being some pedophile and his fat friends beating off in front of a computer in their tighty whiteys and wifebeaters. It's easy to prove. Smart cyber criminals never call so much attention to themselves. Also, notice how the thieves aren't getting paid? Another feature of clueless criminals. Probably have a Cayman Islands dip
Re: (Score:1)
They seem to be smarter than the NSA, who decided that surveillance was better than security and didn't disclose the security holes they are using to enable spying.
This is what happens when idiocy drives policy.
Re: (Score:1)
They seem to be smarter than the NSA, who decided that surveillance was better than security and didn't disclose the security holes they are using to enable spying.
This is what happens when idiocy drives policy.
And yet, there are many, many people who want to give the same thoroughly corrupt, ham-fisted, and idiotic government that operates the NSA and the other TLAs with all their many domestic surveillance & monitoring programs even more power and control over ever more of our economy, culture, and society and ever more of our money to spend on abusing us even further.
But, hey, what could possibly go wrong?
I'll leave this here just in case anyone actually cares to enlighten themselves.
https://youtu.be/PfH8IG [youtu.be]
Re:Just thieves (Score:4, Insightful)
And yet they somehow manage to outsmart FBI and NSA?
Be afraid, be very afraid.
Re: (Score:1)
There was no need to 'outsmart' the NSA.
1. NSA made a tool (EternalBlue) that successfully exploits faults in SMB v1. (windows file sharing/serving)
2. This tool leaked out. After that, NSA could do nothing to stop its spread.
3. Incompetent Microsoft does not fix bugs in a timely manner, so this persists. SMB v1 is outdated, but incompetent users still don't turn off the support. Only an incompetent idiot would expose SMB to the internet, but apparently lots of idiots do so.
4. Bandits profit - from incompete
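Added here as an illustration of points 1 and 3 in the list above (this is not the commenter's code, nor anything from the NSA, Microsoft or the city): a PowerShell script that audits a Windows host for SMBv1 still being enabled, lists clients that still speak SMBv1 (the ones that will break if it is switched off), checks for an explicit firewall block of TCP/445 on the Public profile, and optionally remediates. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules; the firewall rule name is a constructed placeholder. On Windows Server the SMB1 bits are a server feature (FS-SMB1) rather than the SMB1Protocol optional feature, so the feature check may report nothing there.

```powershell
# Added example (not from the thread): audit and, with -Remediate, disable SMBv1
# and block inbound TCP/445 on the Public profile. Run in an elevated PowerShell.
# Assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity modules).
#Requires -RunAsAdministrator

[CmdletBinding(SupportsShouldProcess)]
param(
    # Default is audit only; pass -Remediate to apply the changes.
    [switch]$Remediate
)

# 1. Is the SMBv1 server protocol still enabled on this host?
$smbServer = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled : {0}" -f $smbServer.EnableSMB1Protocol)

# 2. Is the SMB1Protocol optional feature installed at all (client and server bits)?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Host ("SMB1Protocol feature state   : {0}" -f $feature.State)
}

# 3. Who is still talking SMB1 to this host? Disabling SMB1 breaks these clients,
#    so list them before remediating rather than discovering it afterwards.
$legacySessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' }
if ($legacySessions) {
    Write-Warning "Active SMB1 sessions (these will break when SMB1 is disabled):"
    $legacySessions | Format-Table ClientComputerName, ClientUserName, Dialect -AutoSize
} else {
    Write-Host "No active SMB1 sessions."
}

# 4. Is there an explicit inbound block for TCP/445 on the Public (untrusted) profile?
#    Absence does not prove exposure, but the block is a cheap, verifiable control.
$blockRuleName = 'Block inbound SMB (TCP 445) on Public profile'   # constructed name
$blockRule = Get-NetFirewallRule -DisplayName $blockRuleName -ErrorAction SilentlyContinue
Write-Host ("Explicit 445 block on Public : {0}" -f [bool]$blockRule)

if (-not $Remediate) {
    Write-Host "Audit only. Re-run with -Remediate to disable SMB1 and add the block rule."
    return
}

# 5. Remediate (each step honours -WhatIf / -Confirm via ShouldProcess).
if ($smbServer.EnableSMB1Protocol -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 protocol')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($feature -and $feature.State -eq 'Enabled' -and $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Remove')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
if (-not $blockRule -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Add inbound 445 block on Public profile')) {
    New-NetFirewallRule -DisplayName $blockRuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
}
Write-Host "Remediation applied; a reboot may be needed for the feature removal to take effect."
```

Run it once without arguments to get the audit report, then with `-Remediate -WhatIf` to see what would change before committing; the session listing in step 3 is what turns "just turn off SMBv1" into a change you can schedule without surprising whoever still depends on it.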
A good idea (Score:1)
You "lose" control of a tool that criminals cannot resist. Of course the tool is now on their systems. Trojan horse?
Not stolen! Leaked! (Score:3, Interesting)
Stolen is what you use for things, where the original holder is not holding it anymore!
When merely a secret got copied, the term is *leaked*!
Snorted too much of the pirate* cocaine, have we?
_ _ _
* "Pirate" now means somebody who abuses creative people, by paying them once for their work, and then himself holding their work hostage with an artificial scarcity monopoly, to leech off protection money from their fans for all eternity, without adding any work or value themselves. (So essentially stealing/fraud/usury, but more evil.) Usually called "media industry", but also "My best client!" by their cocaine dealer.
[Go ahead; downvote me. I worked in the "industry". EMI, Sony, BMG/Bertelsmann/RTL, EA, and various software companies. I've seen it first hand. I'm gonna speak the truth until it sticks again, like it used to on Slashdot up until the mid/late 2000s.]
Re: (Score:3)
Well... in this particular case, it could well be that the tool becomes useless due to the leak and hence its function at least is taken away from the original owner.
Not that I'd complain about that...
Too many silos in the NSA (Score:5, Interesting)
"Equation Group" is another name for "Cryptography group Echo". When there were enough of them to start naming the groups, they started with "Alpha" and "Beta" and each had cute names that started with the same letter. They were at least up to "Golf" two decades ago. Each group deals with its own thing and can't talk to members inside other groups in very tightly controlled silos. One group deals with diplomatic encryption, another diplomatic decryption. There were groups for US corporations (which funded DES and selected AES, MDG, SHA etc) and groups to break others (which gave us the DES s-box magic numbers). There are groups that deal with US military, satellite control and others to try to crack others. That is just the encryption groups. There are many other groups that don't talk to each other that do other things like build intelligence gathering systems for specific groups, so the group that deals with local red-neck terrorists won't talk to the ones that deal with local religious terrorists.
Group E was dissolved after their target disappeared. Their main reason for existence was the Eastern Bloc former USSR connections. Apparently the NSA lost control of their toy box during that downsizing.
Nope (Score:5, Insightful)
Years later, the agency and the Federal Bureau of Investigation still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders.
Just because they didn't tell you the answer does not imply that they do not know. It only implies that they think you don't need to know.
It certainly doesn't mean they said they don't know.
What happened *BEFORE* 2017 (Score:1)
Okay, according to the TFA:
Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world
What happened before 2017? Care to elaborate?
I mean, before the NSA lost control of EternalBlue, how wide was the path of destruction around the world that the NSA had caused?
Stop accusing others of causing havoc when NSA was the FIRST to do it !!
Re: (Score:2, Interesting)
I mean, before the NSA lost control of EternalBlue, how wide was the path of destruction around the world that the NSA had caused?
I would guess that any destruction done by the NSA with these tools before they were leaked was very small and narrowly targeted indeed. Consider that the US government spent years and hundreds of millions of dollars to research and create these tools. The last thing they would have wanted was for these tools or the vulnerabilities exploited by them to become widely known. Ideally these tools would never have been leaked and been used only judiciously and in very targeted ways to preserve for as long as pos
Re: (Score:2)
Don't worry, the NSA is responsible for everything after as well, just as surely as if the Air Force misplaced a nuclear weapon and Al-Qaeda set it off somewhere in the U.S.
The only difference is that for some reason, there isn't a smoking crater where the leadership of the NSA used to be standing.
Time to change OS design. (Score:3)
Honestly, I think it's high time that OS userland be redesigned so that these kinds of attacks not only do not happen but are incapable of happening. To fix the current flock of data thieving and hostage taking, applications should be required to use a system service/daemon to access and store various types of information. The services/daemons doing the accessing and storing would only have access to the files they watch over and would use IPC to allow only authorized applications to access the data.
If you think antivirus is the answer then you aren't considering that programs that execute on your machine have the same file access as you and it may be too late by the time antivirus detects the virus. If Windows 10 is the last Windows then Microsoft has lost the war on malware for good.
Re:Time to change OS design. (Score:5, Funny)
I'm sure what you describe will be in the next build of systemd. We could all honestly learn a lot from the AS/400 hardware and OS.
Re: (Score:3)
To fix the current flock of data thieving and hostage taking, applications should be required to use a system service/daemon to access and store various types of information.
Ass backwards and unnecessary. That's what we had before UNIX came along with its "everything's a flat file" approach to computing. Now we have ACLs, and Capability-based security. There's no need to return to a less convenient time.
I change OS design to... (Score:3, Insightful)
...Linux, where services have their own accounts and no registry exists. Please note that all of these /. ransomware headlines boil down to two things: no backups and Windows (typically not updated either).
Re:Time to change OS design. (Score:5, Insightful)
OS-9 (the 6809/68000 version, not the Mac thing) had the ability to whitelist or blacklist modules back in 1981. Modern binary signing is a step in the right direction, but you still can't add a single binary signature to a list of things to never load. There are systems known as "labeled systems" where every bit of data gets a security tag and the OS won't let one subsystem hand data to another unless the security profile allows it. That includes handing it to other machines over the network stack. That was in "Trusted Solaris" from over two decades ago but I don't know of anyone who implemented it other than myself.
Nearly every IT security book covers firewalls with the DMZ concept along with Trusted and Untrusted sections of the network. That was wrong decades ago yet still persists. A modern firewall needs to be zone based, have each zone untrusted from the others and only allow very specific data flow. Flow rules need to have maximum data flow sizes as well, so you can say the web server doesn't deliver anything bigger than 500k, so the max stream size is 500k and anything bigger gets stopped and an alert sent out. PCI-DSS requires a stateful firewall yet most non-NAT implementations of iptables let you set up a connection, reboot the router (which will kill the state) and continue the connection. Looking at SYN doesn't make a firewall stateful. Semi-stateless protocols (like VoIP) cause problems as well. IPv6, which is also decades old, is putting massive holes in networks, often with the excuse "we don't use it", but ifconfig/ipconfig says you do! That is another reason for zone based firewalls.
The general state of IT security in groups that have the money to do it right is dismal; how do we expect the ones who don't to do it right?
Re: (Score:2)
Where does PCI-DSS say a stateful firewall is required?
I thought it only said a firewall is required at internet connections and between DMZs; it doesn't stipulate the specific type of firewall, only that it must do its job.
Re: (Score:2)
There are systems known as "labeled systems" where every bit of data gets a security tag and the OS won't let one subsystem hand data to another unless the security profile allows it.
This is called "mandatory access control" (MAC). SELinux implements MAC for Linux. Some enterprise systems use it, and Android does.
MAC is a valuable tool, but it has its limits. The biggest one is that configuring the access control rules for any non-trivial system is a very large job. It took years of effort for Android's rule set to get reasonably good, and it takes constant ongoing effort to keep it from bit-rotting. Developers and many admins have a strong tendency to remove or weaken any rules t
Re: (Score:2)
The problem with fully labeled systems is that the policy must anticipate every possible combination of things that might legitimately be done or you're SOL. That and, of course, if an app gets subverted by a virus, it might still encrypt everything it might legitimately access.
That's not to say that current security is adequate, just that you have to remember that if you lock things up too tight, it will be subverted from the inside by people who just want to do their job.
What we really need is for the FBI
Re: (Score:3)
In this case there was a bug in the service/daemon that has the responsibility of sharing files. Therefore it has access to all those files and delegates access to clients accordingly.
In your la la land, this would still be the case.
Re: (Score:1)
The services/daemons doing the accessing and storing would only have access to the files they watch over and would use IPC to allow only authorized applications to access the data.
Sounds very much like work done by the MACH [wikipedia.org] kernel project. The problem they ultimately could not solve was that all of the message processing, security checking and handshaking between processes and threads resulted in a very substantial performance penalty. In practice, the overhead from all of this message related processing approached 30% which was generally considered to be an unacceptable performance hit for an operating system. The research interest tapered off in the late 1990s and to my knowledge t
Yeah, riight. (Score:4, Insightful)
Not at all convenient for the NSA.
Raise the budget, crack down on leaks, fearmonger the livestock, grab the government by the balls with private secrets...
It's always $enemyOfTheWeek. Never any proof, because "top secret".
Like they would not call them out on it, if they had more.
China is incompetent, and so is Russia. Outdated and underfinanced. NK does not even qualify. The IS is de-facto dead. The Taliban actually want peace, lol. What's left?
The NSA is simply bored out of their minds, and massively over-bloated for a few unequal primitives. But now they got used to that sweet sweet budget, and have to keep it coming.
We call that "job security".
And who can blame them? Both their feeder and their livestock are dumb enough to fall for it, all the time, every time.
NSA should be notifying and patching every flaw (Score:5, Interesting)
Re: (Score:2, Interesting)
You are right and without a law it will never happen. The NSA's response to this fiasco is not, nor will ever be, "Gosh, maybe we should have reported those exploits instead of weaponizing them."
Their only response is to tighten-up internal security practices and convince themselves that such measures are good enough to ensure that a leak never happens again.
They don't care in the slightest about what is morally right. Nor do they agree that disclosing vulnerabilities is the best way of keeping everyone s
Re: (Score:2, Informative)
They further their own ends to our detriment, and there is basically nothing we can do about it.
Bollocks. There is plenty we can do about it.
1. We can stop using Microsoft products for one (which is what I did the very next day after Vault 7 was released).
2. We can stop hooking everything, including the toaster oven, up to the Internet where these attacks are launched from. Important data and critical systems should be kept OFF-LINE.
Clearly, the US needs to retaliate! (Score:4, Funny)
It was patched in 2017 (Score:5, Informative)
I get all the NSA hate. But at some point you have to start blaming the incompetent administrator who left mission-critical computers unpatched for more than two years (on top of apparently not having backups).
Re: (Score:2, Insightful)
Maybe those "incompetent administrators" had been burned by Microsoft's tendency to bury real fixes among "patches" that do things they didn't want done to their computers. You know, like, install Win10 in an uncontrolled manner?
Re: (Score:2)
I get all the NSA hate. But at some point you have to start blaming the incompetent administrator who left mission-critical computers unpatched for more than two years (on top of apparently not having backups).
I can't find the citations right now, but my understanding was that Baltimore had been spending only a small fraction of what other comparably-sized cities spend on IT, and had been going through CIOs pretty quickly. If true, it would be a case of "you get what you pay for" and you have to start blaming the democratic system that voted for such funding.
Re: It was patched in 2017 (Score:1)
In this decade, I've worked for some fairly large corporations. In my time there, I've been involved in creating migration paths to enable patching flaws that had been in place since some time in the 1980's.
It didn't help that people like senior DBAs had been trained that all shell commands needed to be prefixed with sudo. At one site, we had an outside vendor setting up new specialized secure servers. One of the vendor's (mid-level) admins didn't know w
Stolen? (Score:1)
The more likely scenario is the burglars (The NSA) left their burglar tools behind during a smash-and-grab job. The least likely scenario is the NSA got hacked, and their toolset was stolen.
So if you find the burglars lockpicks, and the burglar didn't even leave behind his/her business card, did you really "steal" the lockpicks?
Government back doored crypto (Score:5, Insightful)
Some day soon the government will be talking about government approved encryption, again. Just say "Remember Eternal Blue" the next time the Trust Me Squad pops up.
Imagine (Score:2)
Contrast with their current modus operandi, where they sit on the vulnerabilities figuring they may come in handy someday.
Shadow Brokers? Investigate Liara t'soni (Score:3)
They do good work at the NSA (Score:3, Interesting)
Very few government workers that I have met would have a clue how to write decent malware. Indeed, most struggle with the 1,000,000 line JavaScript apps that are essential for modern web sites.
So the NSA is obviously doing something right.
fuck 'em (Score:2)
This is America. Sue! (Score:2)
The NSA created this tool.
The NSA allowed it to be stolen / leaked.
This NSA tool is costing taxpayers money, city governments too.
Maybe the NSA should help fix it.
It's only Baltimore (Score:2)
The city has been receiving federal money to shore up its budget since 1948 (case study of Moral Hazard). It is losing residents. The perpetrators are vultures picking at a corpse.
To anyone who thinks it's a social good (Score:2)
Re: (Score:2)
It absolutely is a public good, especially when you engage in responsible disclosure. That is, you notify the vendor or author immediately, and you notify the public of the problem without the details necessary for exploitation of the vulnerability and also after a reasonable delay, which has been clearly communicated to the parties responsible for the fix.
On the other hand, just throwing the exploit into the wild (or worse, selling it to anyone but the vendor) is a malicious act, and it should be treated a
Re: (Score:2)
Nobody said the Shadow Brokers thought they were doing good. They were hoping for a fat check and when it didn't come, they released it all as a warning (to pay them) to others.
The best example... (Score:2)
So how can we in good conscience hand over the ‘keys to the kingdom’ to the governm