Microsoft confirms WannaCrypt worm uses exploit stolen from NSA

Posted on Monday, May 15 2017 @ 0:50 CEST by Thomas De Maesschalck
Last Friday a lot of businesses around the world got hit by a new worm called WannaCrypt (aka Wcry, WannaCry, etc.), and now there's concern that a lot more businesses are going to get hit when people come back to work on Monday. As I wrote earlier this weekend, the worm can spread automatically through networks by using a flaw in Windows' Server Message Block (SMB) service.

Fortunately, this security bug was patched over two months ago, so companies that run supported versions of Windows and update regularly aren't at major risk. Due to the severity of the bug, Microsoft even issued patches for end-of-life (EOL) operating systems like Windows XP and Windows Server 2003.

Since the outbreak started, people have been pointing to leaks of exploits that were stolen from the NSA. Interestingly, Microsoft President and Chief Legal Officer Brad Smith now confirms on the Microsoft Blog that the WannaCrypt attack is indeed based on exploits stolen from the NSA. In his blog post, Smith points out there are several lessons to learn from the WannaCrypt attack.

In particular, Smith highlights the need to upgrade systems as soon as possible and says the attack is a powerful reminder that computers need to be kept current and fully patched. Furthermore, he also blasts government agencies for stockpiling vulnerabilities:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.


