Over the weekend, the entire community of cyber researchers was faced with its worst nightmare in the form of a Windows-focused ‘Wanna Cry’ ransomware. Microsoft has finally responded to the hullaballoo by calling out the U.S government for stockpiling the vulnerabilities for several computer systems. Now, one such massively threatening exploits has caused an outrage and Redmond has termed it as a ‘wake-up call’ for the global cyber security community.
The attack was flagged off from Spain and the U.K. but affected the healthcare and security services of over 150 countries across the globe, including India. The outrage, which is said to have affected over 2 lakh computers globally, has been caused due to an ‘EternalBlue’ exploit leaked through the collection of NSA documents dumped online by hacker group — Shadow Brokers earlier last month. Microsoft had then assured the masses saying that ‘all supported’ versions of Windows were safe from any attacks. And that is true, only unsupported Windows variants that weren’t up to date and still being used to manage important government data.
Commenting on their efforts, Microsoft’s president and chief legal officer Brad Smith in a statement said,
While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.
Smith further continues to mention that the company hasn’t abandoned any Windows users and is committed to helping out every user who’ve been hit with the ransomware — usually being propagated through phishing emails. In a highly unusual move, Microsoft also released an update patch for unsupported Windows variants to curb further spread of the ransomware. This was an immediate priority for the Redmond giant as Wanna Cry could spread even without any interactions — simply via file sharing networks.
We have more than 3,500 security engineers at the company, and we’re working comprehensively to address cyber security threats. This [update] includes new security functionality across our entire software platform, including constant updates to our Advanced Threat Protection service to detect and disrupt new cyberattacks.
It is now looking back on the damage caused and realizing that the said hubbub could’ve been curbed if the U.S government and its intelligence agencies were forthcoming with the vulnerabilities discovered by them. Their minor (definitely intentional) lapse of judgement had broader implications across the globe. The repercussions of this attack, Smith believes, is born by Microsoft and its customers who were reluctant to upgrade but a massive chunk of the responsibility for this wide-spread attack has to be shouldered by the U.S government.
Talking about the customers’ lapse in the blog post, Smith continues to mention:
The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.
As for the government, they’re the prominent members who have failed to protect the security and privacy of their citizens. Microsoft has rebuked their practice of collecting exploits, so they can gain access to at least some systems while adding:
This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.
This means that government’s security practices, which they boast about, aren’t also as secure as they should be. And stockpiling the vulnerabilities in a digital safe that was recently cracked simply reiterates the fact that an ‘urgent collective action’ is needed against the increasing threat to cyber security. If the government, tech giants and consumers don’t maintain a harmony then more powerful and lethal attacks will spring up in the coming months. Else, doomsday for the Internet could be oh-so-near!!
