Cyberattacks in 12 Nations Said to Use Leaked N.S.A. Hacking Tool

Edit: Botnet stats and spread (switch to 24H to see full picture): <a href="https:&#x2F;&#x2F;intel.malwaretech.com&#x2F;botnet&#x2F;wcrypt" rel="nofollow">https:&#x2F;&#x2F;intel.malwaretech.com&#x2F;botnet&#x2F;wcrypt</a><p>Live map: <a href="https:&#x2F;&#x2F;intel.malwaretech.com&#x2F;WannaCrypt.html" rel="nofollow">https:&#x2F;&#x2F;intel.malwaretech.com&#x2F;WannaCrypt.html</a><p>Relevant MS security bulletin: <a href="https:&#x2F;&#x2F;technet.microsoft.com&#x2F;en-us&#x2F;library&#x2F;security&#x2F;ms17-010.aspx" rel="nofollow">https:&#x2F;&#x2F;technet.microsoft.com&#x2F;en-us&#x2F;library&#x2F;security&#x2F;ms17-01...</a><p>Edit: Analysis from Kaspersky Lab: <a href="https:&#x2F;&#x2F;securelist.com&#x2F;blog&#x2F;incidents&#x2F;78351&#x2F;wannacry-ransomware-used-in-widespread-attacks-all-over-the-world&#x2F;" rel="nofollow">https:&#x2F;&#x2F;securelist.com&#x2F;blog&#x2F;incidents&#x2F;78351&#x2F;wannacry-ransomw...</a>

&gt; &quot;Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems.&quot;<p>&gt; &quot;The malware was circulated by email; targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets.&quot;<p>It sounds like the basic (?) security practices recommended by professionals - keep systems up-to-date, pay attention to whether an email is suspicious - would have covered your network. Of course, as @mhogomchunu points out in his comment - is this the sort of thing where only one weak link is needed?<p>Still. Maybe this will help the proponents of keeping government systems updated? And&#x2F;or, maybe this will prompt companies like MS to roll out security-only updates, to make it easier for sysadmins to keep their systems up-to-date...?<p>(presumably, a reason <i>why</i> these systems weren&#x27;t updated is due to functionality concerns with updates...?)

I think this is an excellent example that we can all reference the next time someone says that governments should be allowed to have backdoors to encryption etc.<p>This shows that no agency is immune from leaks and when these tools fall into the wrong hands the results are truly catastrophic.

I am in Tanzania(East Africa) and my father&#x27;s computer is infected.<p>All he did to get infected was plugging his laptop on the network at work(University of Dar Es Salaam).<p>The laptop is next to me and my task this night is to try to remove this thing.

One of the big problems here will be for any country which makes a lot of use of older computers using Windows XP as there is no patch for this vulnerability on that OS version.<p>How many systems that is, is debatable but by at least one benchmark (<a href="https:&#x2F;&#x2F;www.netmarketshare.com&#x2F;operating-system-market-share.aspx?qprid=10&amp;qpcustomd=0" rel="nofollow">https:&#x2F;&#x2F;www.netmarketshare.com&#x2F;operating-system-market-share...</a>) we&#x27;re looking at 7% of the desktop PC market that could be exposed with no patch available.

Going through their wallets it looks like they&#x27;ve gotten 32 pay outs, some for more than 300 USD. Are there any addresses that they are using outside of the four listed int he article?<p>It&#x27;d be an interesting project to try and track where these funds go and where they came from.<p><a href="https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" rel="nofollow">https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;13AM4VW2dhxYgXeQepoHkHSQuy6N...</a> - 11 <a href="https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" rel="nofollow">https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;115p7UMMngoj1pMvkpHijcRdfJNX...</a> - 4 <a href="https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" rel="nofollow">https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;12t9YDPgwueZ9NyMgw519p7AA8is...</a> - 6 <a href="https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY" rel="nofollow">https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;1QAc9S5EmycqjzzWDc1yiWzr9jJL...</a> - 11

This gives the lie to the notion that a government master key or back door scheme could be protected from leaks and abuse.

Malware tech need recongnition! By being the first to register the hard coded domain in the malware they have slowed the spread significantly ...<p><a href="https:&#x2F;&#x2F;twitter.com&#x2F;josephfcox&#x2F;status&#x2F;863171107217563648" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;josephfcox&#x2F;status&#x2F;863171107217563648</a>

The real world doesn&#x27;t update in 2 months. (I wish it did.)<p>The NSA should have responsibly disclosed the vulnerabilities they had been sitting on as soon as they were discovered.<p>That protects national security - not this.

You can keep an eye on their bitcoin wallet (or at least one of them): <a href="https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" rel="nofollow">https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;13AM4VW2dhxYgXeQepoHkHSQuy6N...</a>

One of the side effect if states participate in the proliferation of offensive tools. Won&#x27;t be the last time state-sponsored tools, exploits or backdoors fall into the hands of interested third parties.<p>I think collateral damage like that is way underrated by politicians all around the globe that call for their respective intelligence agencies to build up offensive capabilities to be able to conduct cyber warfare and whatnot.

Cisco&#x27;s TALOS team just published an analysis:<p><a href="http:&#x2F;&#x2F;blog.talosintelligence.com&#x2F;2017&#x2F;05&#x2F;wannacry.html" rel="nofollow">http:&#x2F;&#x2F;blog.talosintelligence.com&#x2F;2017&#x2F;05&#x2F;wannacry.html</a>

Apparently, this has spread to Deutsche Bahn...<p>1) a railway dispatcher just tweeted that IT systems will be shut down (<a href="https:&#x2F;&#x2F;twitter.com&#x2F;lokfuehrer_tim&#x2F;status&#x2F;863139642488614912" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;lokfuehrer_tim&#x2F;status&#x2F;863139642488614912</a>)<p>2) a journalist tweeted that an information display of DB fell victim to ransomware (<a href="https:&#x2F;&#x2F;twitter.com&#x2F;Nick_Lange_&#x2F;status&#x2F;863132237822394369" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;Nick_Lange_&#x2F;status&#x2F;863132237822394369</a>).<p>I guess that #1 and #2 are related, though.

BBC says up to 74 nations now: <a href="http:&#x2F;&#x2F;www.bbc.com&#x2F;news&#x2F;live&#x2F;39901370" rel="nofollow">http:&#x2F;&#x2F;www.bbc.com&#x2F;news&#x2F;live&#x2F;39901370</a>

Wow, the future is here and it&#x27;s not looking very good. We need to diversify our OS&#x27;s in the enterprise. This time it was MSFT next it could be linux. No OS gives an absolute guarantee. The systems are relatively dumb now what will happen when AI has gotten deeper into our everyday lives. This is a wake up call.

Wow, this is so insane. I really don&#x27;t think the NSA should be finding vulnerabilities and keeping them to themselves.<p>I mean I get it is all to help stop the bad guys, but if you are keeping cyber weapons like this. You should be required to keep them as secure and locked as possible if you don&#x27;t follow responsible disclosure.<p>Just like how a cop would keep their weapon on them, instead of sitting it down on the table while eating lunch.

There&#x27;s the bitcoin ransom aspect, but presumably a worm like this could extract a massive amount of data from infected servers and send that back to someone&#x2F;somewhere?<p>Bank transactions, patient medical data, stored passwords&#x2F;keys&#x2F;CA info, contacts, emails, configuration files, registry dumps for firewall rules etc etc. (I&#x27;m not that creative so there&#x27;s probably a lot more that&#x27;s been exfiltrated).<p>Pretty hellish knowing they&#x27;d let that quietly sit there, in the name of espionage. I&#x27;m not sure the benefits outweigh the damage they&#x27;re doing, without even mentioning the chilling effect and lack of confidence this instills in IT everywhere.

We really are living in the future. My condolences to the NHS, but what a time to be alive.

Cyber attacks use patched exploit to attack systems running out of date software, even in large enterprises handling sensitive data?<p>I give a pass to individuals (bandwidth for updates can be expensive, regular users don&#x27;t know about patch Tuesday etc), but enterprise scale deployment should have IT for this, and IT should have been well aware of this kind of thing happening.

If I want a deep technical analysis of what we know so far, where do I go?

What gets me is why we don&#x27;t see more viruses that _deliver_ the patch to fix the vulnerability.<p>It&#x27;s perhaps a little more difficult as you&#x27;d need a vulnerability to keep spreading the innoculation. Arguably, though you release the virus, let it spread and then trigger the innoculation using a mechanism like calling out to a webserver, just as the kill switch worked here.

If NSA made it, and failed to protect it - then NSA should be liable for law suits to pay for damages.

&gt; The attacks were reminiscent of the hack that took down dozens of websites last October, including Twitter, Spotify and PayPal, via devices connected to the internet, including printers and baby monitors.<p>Lazy writing at NYTimes; what on earth does this attack have to do with the one at hand? It&#x27;s not broadly the same type of attack, nor the same scale, nor the same outcome.

As far as I can see it hasn&#x27;t moved the needle on Bitcoin&#x2F;$ today though.<p>Ransom ware was a play for big Bitcoin holders to unwind large positions at the highs without too much downward pressure in Bitcoin market.

It could also just be the NSA banking on everyone assuming it&#x27;s someone using NSA tools.

While I can understand WikiLeaks position, I feel like it was incredibly short sighted and uninformed of them to release the code itself. Unless you believe that they are working with the Russian (and other?) governments to destabilize the west. Personally, I wouldn&#x27;t be surprised if this was the case.

So If I pay how does the hackers decrypt my HD? Is there a way to sniff the key and pay once - decrypt everywhere?

Here is a link to the malware sample and technical implementation details.<p><a href="https:&#x2F;&#x2F;gist.github.com&#x2F;rain-1&#x2F;989428fa5504f378b993ee6efbc0b168" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;rain-1&#x2F;989428fa5504f378b993ee6efbc0b...</a>

I was debugging a private web app today when I noticed a python script agent suddenly performing a port scan on me. it was querying for something called &quot;a2billing&#x2F;common&#x2F;javascript&#x2F;misc.js&quot;. After googling that phrase it seems im not the only person who has seen this today. The country of origin of the IP was Britain.<p>After Further investigation, it appears this attack could be in relation to this <a href="http:&#x2F;&#x2F;www.cvedetails.com&#x2F;cve&#x2F;CVE-2015-1875&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.cvedetails.com&#x2F;cve&#x2F;CVE-2015-1875&#x2F;</a>

&gt; Security experts described the attacks as the digital equivalent of a perfect storm.<p>Just in case there are any journalists reading - never use the term &quot;perfect storm&quot;.

Im hearing the password wncry@20l7 decrypts the zip within the PE resources. anyone confirm?

First of all, while I of all people love to pile onto the anti-NSA bandwagon (within constitutional reason that is, I don&#x27;t advocate their abolishment, but that&#x27;s a different conversation), there are quite a few non-three-letter related things that have contributed to this story and ones like it.<p>The primary issue at the heart of things like this, beyond the backdoors and 0-days is this: bad IT.<p>That being said though, bad IT is far too often the fault of upper management, and not the IT people themselves. After years of sysadmining, I&#x27;ve seen the inside of hundreds of companies, from fortune 500 oil to medium sized law firms. You know what they have all been doing over the years? Cutting costs by cutting IT. Exept... they completely fail to consider long term consequences, which end up costing more.<p>I blame things like this on two main groups. Boards of directors, and company executives. Far too often I ran into a situation where a company didn&#x27;t even have a CIO or a CTO, and you had some senior one man miracle show drowning in technical debt reporting to a CEO or CFO and getting nowhere, and therefore getting no support, no budget, no personell, etc. I&#x27;ve seen exceptions too, but they are far too rare. If it&#x27;s not technical debt that&#x27;s drowning the company, it tends to be politics. The bottom line is forward thinking IT personell don&#x27;t get heard, and inevitably companies hire people or an MSP with all the proprietary, cisco, microsoft, oracle, etc bullshit certs that make the C&#x27;s feel better, but don&#x27;t actually produce the wanted results. They inevitably end up providing an inferior product with inferior service at a short term cost just as high as doing it right the first time, and a much higher long term cost.<p>If I could say one thing that could help prevent issues like this, besides my standard whinging on about FOSS and the four freedoms and such, is that we need better CTO&#x27;s and CIO&#x27;s to advocate on behalf of IT departments, and I think senior sysadmins who feel they have hit a ceiling should consider going for their MBA&#x27;s and transitioning to those titles.<p>Now, onto the NSA angle of the story. Well... all I can say is I told ya so, with an extra note that HN in the past few years has been surprisingly dismissive of FOSS proponents who have been warning about these things.<p>First they made fun of us for saying everything was being spied on, and then Snowden happened. (often followed by bullshit like &quot;are you suprised?&quot; or &quot;what do you have to hide?&quot;<p>Then we warned about proprietary systems, and then NSA&#x2F;CIA tool leaks happened. (often followed by things like &quot;but its for foreign collection only&quot; and &quot;but the NSA contributes to SElinux&quot;)<p>Ya&#x27;ll aren&#x27;t listening until after the fact, and that&#x27;s not going to fix anything.

Shadowbrokers claiming blame: <a href="https:&#x2F;&#x2F;twitter.com&#x2F;0xSpamTech" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;0xSpamTech</a><p>Analysis here: <a href="http:&#x2F;&#x2F;blog.talosintelligence.com&#x2F;2017&#x2F;05&#x2F;wannacry.html" rel="nofollow">http:&#x2F;&#x2F;blog.talosintelligence.com&#x2F;2017&#x2F;05&#x2F;wannacry.html</a>

It&#x27;s not 12 nations.... it&#x27;s all over the world...

Maybe it is now the time for a major review of the NHS Microsoft software dependency and should seriously consider switching to Linux based software.<p>Here is the BBC news update about the NHS Cyber attack:<p>&quot;NHS trusts &#x27;ran outdated software&#x27;<p>Some who have followed the issue of NHS cyber security are sharing a report from the IT news site Silicon, which reported last December that NHS trusts had been running outdated Windows XP software.<p>The website says that Microsoft officially ended support for Windows XP back in April 2014, meaning it was no longer fixing vulnerabilities in the system - except for clients that paid for an extended support deal.<p>The UK government initially paid Microsoft £5.5 million to keep providing security support - but the website adds that this deal ended in May 2015.&quot;

Medical offices are notorious for having machines out of date, not properly secured, and not backed up. Just recently I wanted to get test results from a few years earlier from a previous doctor. Nope, the machine they were on runs a proprietary GE setup and it crashed. The same test a few years earlier? The hospital lost them and had no record of them being done. A different test I had done a month ago was hooked up to an aging Windows XP machine. Yes, it was networked, though I&#x27;m unsure if it was intranet only (I doubt it).<p>In the US, you have to manage your own healthcare. Get every result as a hard copy or on disk (in the case of MRI etc) and save it yourself. And back it up. That way you&#x27;re prepared.

I hope the NSA can be hold accountable for this and we can finally all agree that a government holding on to 0-days and asking for loophole encryption always bites back to the very people they claim to protect.

So... I&#x27;m running Linux on all my systems, how bad will it be for me?

Q: does anyone know how to disable regular internet access in Windows except through a virtual machine (VMware or Virtualbox)?<p>I have set up my mom to use a live debian cd through VMware, but I would also like to disable networking through Windows Edge and Explorer. I don&#x27;t know how to do this however.<p>Myself, I follow a similar scheme but using a linux virtual guest and host. Is it easy to disable networking for all networking except for apt&#x2F;yum and vmware&#x2F;kvm?<p>Lastly, does anyone know what it costs for a personal subscription to grsecurity?

Just to let you know in the UK we&#x27;ll all be safe from things like this. The UK&#x27;s banning encryption so stuff like this won&#x27;t happen in the future. Phew. I feel safer!

&quot;Emergency rooms were forced to divert people seeking urgent care.&quot;<p>I feel like the words &quot;urgent&quot; and &quot;forced&quot; might both be a bit shy of absolutely true here?

Just for reminder - the second leak does not match the vault7 leak, which is supposed to be from the very same NSA.<p>There is not a single proof or reason to believe that the second leak was not a fake (while the vault7 leak looks more legit) .<p>There are reasons to think that the same people are behind the second leak and the malware, and the malware, which is said to be based on &quot;a leaked NSA exploit&quot;, was the part of a single plan.<p>It is not that hard to guess who is behind the internet bullying.

<i>&quot;Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems.&quot;</i><p>What Microsoft&#x27;s software should be updated now to protect against this particular attack? Windows? Windows at the end user machines? The servers?<p>Could someone share a &quot;What should I do now to protect myself&quot; guide, please?<p>Thanks!

If anyone reading this was effected by this attack, please take this as an opportunity to start the journey to become &quot;antifragile&quot;. If you are severely effected by this (mainly speaking about ransomeware) it means you lack backups and the ability to self-heal infrastructure. These attacks will only get more frequent and more sophisticated. So, start now.

Is it possible to cause havoc on banks worldwide?

Can&#x27;t law enforcement follow the transactions of the public address of the ransom bitcoin wallet until the bitcoin is sold?

I see the Rust Evangelism Strike Force are out in action again.<p>Guys, it may surprise you, but some of this kit <i>predates</i> Rust :)

I think tools like this should be secured at least as well as &quot;research&quot; stores of smallpox and other biotoxins. And certainly tracked long after they&#x27;ve outlived their usefulness within the agency that produced them.<p>Or maybe smallpox isn&#x27;t actually stored as securely as I assume?

DHS Statement on Ongoing Ransomware Attacks: <a href="https:&#x2F;&#x2F;www.dhs.gov&#x2F;news&#x2F;2017&#x2F;05&#x2F;12&#x2F;dhs-statement-ongoing-ransomware-attacks" rel="nofollow">https:&#x2F;&#x2F;www.dhs.gov&#x2F;news&#x2F;2017&#x2F;05&#x2F;12&#x2F;dhs-statement-ongoing-ra...</a>

Is Russia being hit the most because it was the NSA the one that was exploiting this vulnerability before? Perhaps they are leveraging some other leaked NSA tool that gives them more direct access to Russian computers?

The entertainment system on my flight is mysteriously down. I wonder if it&#x27;s connected. As a side thought does anyone know the vulnerability of critical systems such as airliners, air traffic control etc?

Why don&#x27;t telecom providers help remove devices who are requesting an exorbitant amount of requests? Wouldn&#x27;t this kill bot nets, if the exponential growth effect became impossible?

Does any one have a running list of the organizations effected so far?

There&#x27;s no evidence that this attack targeted the NHS or other health systems, right? Just spreading randomly by email, highest infection probabilities certain older Microsoft OSs?

We Linux people really should not miss this opportunity to bring people on board. Ubuntu is a great starting point.

It looks to me like common stupidity...people opening attachments that they should not be opening. No need to involve CIA NSA or other tree letters agency hacking tool...just old school phishing. I see this happening much to often....people opening *.pdf.js attachment. No need for another conspiracy theory...stupidity explains it all. Just my 50¢.

What exactly does this NSA tool do? Every story I&#x27;ve seen glosses over how it works.

I&#x27;m surprised by the lack of speculation on the identity of the perpetrators.

is this supporting evidence of the us doing something &quot;wrong&quot; by creating these tools?<p>disclaimer: i hope no b&#x2F;c it&#x27;s like any other military tech being leaked and used, but am not sold either way.

Q: could fuzzing techniques help to take down such (p2p) botnets?

Anticiaption for an attack tied to an all time high bitcoin?

12 Nations that did not apply security patches

The article could have been writen in 15 lines or less. Why u do this

Is OSX affected ?

This is what blowback looks like.<p>The US military and intelligence communities focused hard on cyber offense, rather than improving the defensive standards and technologies practiced among allies. Because of this, several allies have important systems compromised by (essentially) US-engineered malware.<p>Well, at least DARPA is sort of on it: <a href="http:&#x2F;&#x2F;archive.darpa.mil&#x2F;cybergrandchallenge&#x2F;" rel="nofollow">http:&#x2F;&#x2F;archive.darpa.mil&#x2F;cybergrandchallenge&#x2F;</a><p>(There&#x27;s also work stemming from the HoTT body of work on verified systems, as I understand it. But that doesn&#x27;t have a sexy webpage.)

Isn&#x27;t it peculiar that Russia remains the least hit or not even hit at all? It seems like the West was a clear target. Connecting the dots here, it&#x27;s suffice to say Shadow Brokers serves Russian interests.<p>We are seeing bullet holes from what seem to have been cyber warfare between the former cold war foes.

Just use Linux and 90% of your problems with malware is history.Your own customization of kernel will make your even more secure.

I do not believe that attacks of this scale or coordination are undertaken by private actors. This is warfare; it just isn&#x27;t kinetic yet.

From the Guardian:<p><i>&quot;He adds that the fear is that the ransonware cannot be broken and thus data and files infected are either lost or that the only way to get them back would be to pay the ransom, which would involve giving money to criminals.&quot;</i><p>The new terrorism.<p><a href="https:&#x2F;&#x2F;www.theguardian.com&#x2F;society&#x2F;live&#x2F;2017&#x2F;may&#x2F;12&#x2F;england-hospitals-cyber-attack-nhs-live-updates" rel="nofollow">https:&#x2F;&#x2F;www.theguardian.com&#x2F;society&#x2F;live&#x2F;2017&#x2F;may&#x2F;12&#x2F;england...</a>