Monday, May 27, 2019

A lesson in journalism vs. cybersecurity

A recent NYTimes article blaming the NSA for a ransomware attack on Baltimore is typical bad journalism. It's an op-ed masquerading as a news article. It cites many to support the conclusion the NSA is to be blamed, but only a single quote, from the NSA director, from the opposing side. Yet many experts oppose this conclusion, such as @dave_maynor, @beauwoods, @daveaitel, @riskybusiness, @shpantzer, @todb, @hrbrmstr , ... It's not as if these people are hard to find, it's that the story's authors didn't look.


The main reason experts disagree is that the NSA's Eternalblue isn't actually responsible for most ransomware infections. It's almost never used to start the initial infection -- that's almost always phishing or website vulns. Once inside, it's almost never used to spread laterally -- that's almost always done with windows networking and stolen credentials. Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn't mean Eternalblue is responsible for ransomware.

The NYTimes story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other. A good example is this paragraph:


That link is a warning from last July about the "Emotet" ransomware and makes no mention of EternalBlue. Instead, the story is citing anonymous researchers claiming that EthernalBlue has been added to Emotet since after that DHS warning.

Who are these anonymous researchers? The NYTimes article doesn't say. This is bad journalism. The principles of journalism are that you are supposed to attribute where you got such information, so that the reader can verify for themselves whether the information is true or false, or at least, credible.

And in this case, it's probably false. The likely source for that claim is this article from Malwarebytes about Emotet. They have since retracted this claim, as the latest version of their article points out.


In any event, the NYTimes article claims that Emotet is now "relying" on the NSA's EternalBlue to spread. That's not the same thing as "using", not even close. Yes, lots of ransomware has been updated to also use Eternalblue to spread. However, what ransomware is relying upon is still the Windows-networking/credential-stealing/psexec method. Because the actual source of this quote is anonymous, we the reader have no way of challenging what appears to be a gross exaggeration. The reader is lead to believe the NSA's EternalBlue is primarily to blame for ransomware spread, rather than the truth that it's only occasionally responsible.

Likewise, anonymous experts claim that without EternalBlue, "the damage would not have been so vast":


Again, I want to know who those experts are, and whether this is a fair quote of what they said. What makes ransomware damage "vast" is almost entirely whether it can spread via Windows networking with admin privileges. For the most part, ransomware attacks are binary. They are either harmless, infecting a few desktop computers via a phishing attack, which IT cleans up without trouble. Or, the ransomware gains Doman Admin privileges, then spreads through the entire network via Windows-networking/psexec, which destroys the entire network as we saw in attacks like those in Baltimore and Atlanta.

Yes, it's true, EternalBlue does make devastating attacks more likely. It's not for nothing that hackers are including it in their malware. It's certainly possible that EternalBlue was the thing responsible here, that without it, the "RobinHood" infection might not have spread to the Domain Controllers -- and then to the rest of the network via psexec. But the article does not claim this. It's not citing specific evidence of this fact that we can challenge, but is handwaving over the entire problem, talking in vague generalities that we can't challenge.

Instead of blaming the NSA, the blame resides with the hackers themselves, or the city of Baltimore for irresponsible management. Yes, there's good reason to heap some of the blame on the NSA for the WannaCry and notPetya attacks from two years ago, but it's absurd blaming them now. Windows is a system that needs regular patches. Going two years without a patch is gross malfeasance that's hard to lay at the NSA's feet. If what experts believe is implausible, that Baltimore was indeed devastated by the NSA's EternalBlue, then Baltimore has only themselves to blame for not patching for two years.

Had the NSA done the opposite thing, notified Microsoft of the vuln instead of exploiting it, then Microsoft would've released a patch for it. In such cases, hackers get around to writing exploits anyway. They likely would not have in quick time frame of WannaCry and notPetya that came only a couple months after EternalBlue was first disclosed. But they certainly would have within 2 years years. We've seen that with many other bugs where only patches were released. The "Conficker" bug in Windows is still being used 10 years after it the patch was released, and hacker's independently figured out how to exploit it.

In other words, if EternalBlue is responsible for the Baltimore ransomware attack, it would've been regardless whether the NSA had weaponized an exploit for done the "responsible" thing and worked with Microsoft to patch it. After two years, exploits would exist either way.

Indeed, the exploit the hackers are including in their malware is often an independent creation and not that NSA's EternalBlue at all. This work shows how much hackers can independently develop these things without help from the NSA. Again, the story seems to credit the NSA for their genius in making the vuln useful instead of "EternalBlueScreen", but for malware/ransomware, it's largely the community that has done this work.

All this expert discussion is, of course, is fairly technical. The point isn't that a NYTimes reporter should know all this to begin with, only that they should get both sides of a story and actually interview experts that might have opposing opinions. They should not allow those supporting their claims to hide behind anonymity where technical details cannot be challenged. Otherwise, it's an op-ed pushing an agenda and not a new article reporting the news.

tl;dr:

  • Ransomware devastation spreads via primarily through Windows/psexec, not exploits like EternalBlue. It's things like psexec that are to blame, not the NSA.
  • Two years after Microsoft releasing a patch, exploits would exist regardless if the NSA had weaponized 0day or followed responsible disclosure, so they aren't to blame for an exploit being used now.
  • There are experts all over the place with opposing views, that the article ignores them, and protects its own sources behind anonymity, means it's not a journalistic "article" but an "op-ed" pushing an agenda.




By the way, may other experts have great comments I would love to repeat here, that would make such a story better. A good example is this one:


The NYTime story exaggerates EternalBlue as some sort of NSA nation-state superweapon that small organizations are powerless to defend against. The opposite is true. EternalBlue is no worse than any other 0day vuln that organization routinely defend against. It would not have affected you before two years ago had you followed Microsoft's advice and disabled SMBv1. It would not have affected you since had you kept up with Microsoft's patches. In any case, it's not what's causing the devastation we see from mass ransomware: that's stolen credentials and things like psexec.

Lots of experts have good points that don't align with the NYTime's agenda. Too bad they have an agenda.




Dave Aitel also has some good comments https://cybersecpolitics.blogspot.com/2019/05/baltimore-is-not-eternalblue.html.


4 comments:

  1. What are you doing? Most ransomware scenarios I resolve in a few days. 50 computer's should take a few weeks at most if I did it myself. Gmail really? Who are the people fixing nothing? Call me at Healthy Computers Listowel to fix this ASAP. Just saying is all. Most tech people don't even know to reload Windows on a PC. So they replace it with another system in a box with 20+ crappy apps to slow it down and they gain incentives. Get a real company to fix your problem!

    ReplyDelete
  2. Haven't read the NYT article, but since you asked for arguments.

    So the Windows "problem" of credentials + remote control protocols (SMB, RPC, etc) enabled by default and everywhere is decades long. And it's not that much of a problem as these protocols are used for multiple legitimate tasks, such as system administration, troubleshooting and even incident response. The idea, of course, always was that the attackers don't have the credentials that allow these protocols to be used for executing arbitrary code.

    So, in WannaCry and NotPetya scenarios, while these remote control protocols were used, they were used with admin credentials. So how did they get the working admin credentials in the first place? Here you go: by exploiting an unpatched OS. Which gave them NT Authority\SYSTEM, as opposed to ridiculous user credential set you are talking about, which a typical attacker would get through successful phishing. Why even bringing up phishing?

    Of course, after they get the system account they can easily (unless the host is hardened) get the clear text passwords of all the users who logged on interactively/RDP on the host and some of them could be administrative which later on are used to spread to patched hosts.

    Besides that, as I already mentioned, this is how enterprise networks on Windows have been working for decades. Ransomware worms, though, did not exist. Until, of course, the Shadow Brokers published the Equation Group (or NSA as everyone knows by now) hacking tools, including working exploits for EternalBlue & EternalRomance. Then suddenly we had ransomware worm pandemic. According to your point of view it's just, of course, a pure coincidence.

    But it is not. These exploits in the public and slow/flawed patch management program is the key that brought us ransomware worms, building on top of things you are talking about, but which are, by themselves, alas, just not enough.

    ReplyDelete
  3. This article is full of information related to cybersecurity. I really like how the publisher has explained in detail about cybersecurity device.

    ReplyDelete
  4. Your article has all the information about cyber security. Thanks for updating us about the recent Baltimore’s attack. I have read about the wannacry ransomware attack on many sites. Is it a big thing?

    ReplyDelete