
Category Archives: NSA

Leaked NSA Malware Is Helping Hijack Computers Around the World – The Intercept

Posted: May 14, 2017 at 5:30 pm

In mid-April, an arsenal of powerful software tools apparently designed by the NSA to infect and control Windows computers was leaked by an entity known only as the Shadow Brokers. Not even a whole month later, the hypothetical threat that criminals would use the tools against the general public has become real, and tens of thousands of computers worldwide are now crippled by an unknown party demanding ransom.

An infected NHS computer in Britain

Gillian Hann

The malware worm taking over the computers goes by the names WannaCry or Wanna Decryptor. It spreads from machine to machine silently and remains invisible to users until it unveils itself as so-called ransomware, telling users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay $300 to an anonymous party using the cryptocurrency Bitcoin. At this point, one's computer would be rendered useless for anything other than paying said ransom. The price rises to $600 after a few days; after seven days, if no ransom is paid, the hacker (or hackers) will make the data permanently inaccessible (WannaCry victims will have a handy countdown clock to see exactly how much time they have left).

Ransomware is not new; for victims, such an attack is normally a colossal headache. But today's vicious outbreak has spread ransomware on a massive scale, hitting not just home computers but reportedly health care, communications infrastructure, logistics, and government entities.

Reuters said that hospitals across England reported the cyberattack was causing huge problems to their services and the public in areas affected were being advised to only seek medical care for emergencies, and that the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

The worm has also reportedly reached universities, a major Spanish telecom, FedEx, and the Russian Interior Ministry. In total, researchers have detected WannaCry infections in over 57,000 computers across over 70 countries (and counting; these things move extremely quickly).

According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept, "I've never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker." Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over 9 million computers in nearly 200 countries.

Most importantly, unlike previous massively replicating computer worms and ransomware infections, today's ongoing WannaCry attack appears to be based on an attack developed by the NSA, code-named ETERNALBLUE. The U.S. software weapon would have allowed the spy agency's hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in government) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them, but from the moment the agency lost control of its own exploit last summer, there's been no such assurance. Today shows exactly what's at stake when government hackers can't keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, "I am actually surprised that a weaponized malware of this nature didn't spread sooner."

Screenshot of an infected computer via Avast.

The infection will surely reignite arguments over what's known as the Vulnerabilities Equity Process, the decision-making procedure used to decide whether the NSA should use a security weakness it discovers (or creates) for itself and keep it secret, or share it with the affected companies so that they can protect their customers. Christopher Parsons, a researcher at the University of Toronto's Citizen Lab, told The Intercept plainly: "Today's ransomware attack is being made possible because of past work undertaken by the NSA," and that ideally it would lead to more disclosures that would improve the security of devices globally.

But even if the NSA were more willing to divulge its exploits rather than hoarding them, we'd still be facing the problem that too many people really don't seem to care about updating their software. "Malicious actors exploit years old vulnerabilities on a routine basis when undertaking their operations," Parsons pointed out. "There's no reason that more aggressive disclose of vulnerabilities through the VEP would change such activities."

A Microsoft spokesperson provided the following comment:

Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled, are protected. We are working with customers to provide additional assistance.

Update: May 12, 2017, 3:45 p.m. This post was updated with a comment from Microsoft.

Update: May 12, 2017, 4:10 p.m. This post was updated with a more current count of the number of affected countries.


Microsoft Just Took A Swipe At NSA Over The WannaCry Ransomware Nightmare – Forbes

Posted: at 5:30 pm


After software vulnerabilities exploited and leaked by the NSA were used by cybercriminals to infect as many as 200,000 Windows PCs with ransomware over the last three days, Microsoft has criticized government agencies for hoarding those flaws and ...
74 countries hit by NSA-powered WannaCrypt ransomware backdoor – The Register
NSA's Failure to Warn Microsoft of Vulnerability 'Troubling' - US Advocacy Group – Sputnik International


Ransomware That Hit Europe’s Computers Did Not Come From NSA Leak – NBCNews.com

Posted: at 5:30 pm

Some media reports about the ransomware -- called WannaCry -- that rocked the UK health system, Spain's telecom industry, and other targets in Europe Friday say that hackers pulled it from a leaked NSA tool kit.

That's not really accurate.

Instead, computing experts say and a review of the computing code shows, the leaked NSA tool kit demonstrated to the hackers how they could attack these systems. The hackers didn't use NSA code, but they did copy something from the tool kit.

"WannaCry ransomware uses one of the exploits released recently by Shadowbrokers in the leaked NSA tools archive," said Andrew Komarov, chief intelligence officer for the cybersecurity firm InfoArmor. "This is pretty normal practice, where cybercriminals are using the latest vulnerabilities in order to increase the efficiency of their malware."

The NSA tool that the hackers drew on to develop the new ransomware is called "Eternalblue".

The software fix for the vulnerability that the ransomware exploits came out in March, before the Shadowbrokers leak, so experts say there was theoretically time to patch systems in advance of an attack.

Komarov said there was no indication that WannaCry or Friday's attack had anything to do with the NSA "or any other state-sponsored cyber offensive activities."

The FBI is warning that unknown hackers have launched cyberattack with 'destructive malware' in the U.S. Kacper Pempel

The Agency announced late Tuesday that it has established a "Korea Mission Center" to "harness the full resources, capabilities, and authorities of the Agency in addressing the nuclear and ballistic missile threat posed by North Korea." The CIA also announced that Director Mike Pompeo has named a "veteran intelligence officer" to run the center but declined to name the officer for security reasons.

Both publicly and privately, the agency has said North Korea has been one of, if not the most, difficult of intelligence targets.

"Creating the Korea Mission Center allows us to more purposefully integrate and direct CIA efforts against the serious threats to the United States and its allies emanating from North Korea," said Pompeo. "It also reflects the dynamism and agility that CIA brings to evolving national security challenges."

Oregon Democrat Ron Wyden says he will block the nomination of Donald Trump's pick to be the top Treasury intelligence official until Treasury's anti-money-laundering agency produces documents requested by the Senate Intelligence Committee related to Trump.

Sen. Wyden says he will maintain a hold on the nomination of Sigal Mandelker to be under secretary of the Treasury for terrorism and financial intelligence until the documents are produced.

This week, Intelligence Committee Ranking Member Sen. Mark Warner, D-Virginia, announced that the committee had asked the Treasury Department's Financial Crimes Enforcement Network (FinCEN) for records relating to President Trump and his associates.

"I have stated repeatedly that we have to follow the money if we are going to get to the bottom of how Russia has attacked our democracy," Wyden said. "That means thoroughly review any information that relates to financial connections between Russia and President Trump and his associates, whether direct or laundered through hidden or illicit transactions. The office which Ms. Mandelker has been nominated to head is responsible for much of this information."


Three senior defense officials report that Iran test-fired a high-speed torpedo near the Strait of Hormuz on Sunday.

The Hoot torpedo is still in the testing phase, the officials report, but once it is fully operational it should be able to travel about 12,000 yards (approximately six nautical miles) at a speed of about 200 knots per hour (approximately 250 miles per hour). None of the officials could say whether the test was successful or not.

The USS George HW Bush strike group is in the Gulf right now but all three officials said the test did not pose a threat to U.S. ships or assets in the region.

Two of the officials said that the Iranian military last tested this torpedo in February 2015.

The ACLU is suing four federal agencies for records related to the Jan. 29 raid in Yemen that killed a Navy SEAL and civilians, including children.

The civil liberties organization filed a freedom of information request for documents in March and then filed a lawsuit in Manhattan federal court on Monday to force the government to respond.

"After conducting an internal investigation, the government released little information about the circumstances surrounding the Raid, the legal or factual justifications for it, and its consequences," the suit said.

Among the information the ACLU wants is an accounting of the civilians killed in the raid, which erupted in a deadly firefight after, as one senior U.S. intelligence official told NBC News, "almost everything went wrong."

The head of U.S. Central Command told Congress between four and 12 civilians were killed, but Human Rights Watch and others have put the toll higher.

The Trump administration has characterized the raid as a huge success. However, NBC News has reported in March that none of the intelligence gleaned from the operation so far has proven actionable or vital.

A man stands on the rubble of a house destroyed by a Saudi-led airstrike in the outskirts of Sanaa, Yemen, Feb. 16, 2017. At least one Saudi-led airstrike near Yemen's rebel-held capital killed at least five people on Wednesday, the country's Houthi rebels and medical officials said. Hani Mohammed / AP

Gregory Lepsky appeared in a New Jersey federal courtroom Friday to face charges that he planned to detonate a pressure cooker bomb in New York City in the name of ISIS.

Seamus Hughes of George Washington's Program on Extremism pulled this inventory of the defendant's internet search history from the case file.

Eight men accused of plotting to attack the 2016 Olympic Games in Rio de Janeiro on behalf of ISIS were sentenced Thursday.

The men were found guilty in a Brazilian court of recruiting and promoting terrorism and face sentences that range from five to 15 years in prison. They were arrested in a series of raids in late July 2016, several weeks before the Games.

They had all pledged allegiance to an ISIS offshoot, authorities said, and discussed a plan to contaminate one of Rio de Janeiro's water reservoirs.

"All of the accused were dedicated to promoting the terrorist organization called the Islamic State through the social networks Facebook, Twitter and Instagram," said the judge in the case, Marcos Josegrei da Silva.

The suspects, all Brazilian citizens, discussed plans in email threads, and via messaging apps like Telegram and WhatsApp, according to court documents reviewed by NBC News.

Some celebrated other terrorist attacks, like the shooting at the Orlando nightclub.

It doesn't appear any of them knew each other aside from conversations online and messaging apps.

The convictions are the first under Brazil's new anti-terrorism law. Previously, terrorism was not clearly defined in Brazil and was treated like any other crime; now an individual can face up to 22 years in jail if found guilty of preparing terrorist acts.

One of the men sentenced under Brazil's new terrorism law for a plot against the 2016 Olympic Games in Rio. Court Documents

The newest issue of the ISIS magazine Rumiyah includes instructions for would-be terrorists about how to kill pedestrians with trucks. In infographic form, the instructions list the characteristics of the ideal vehicles ("slightly raised chassis and bumper"), where to buy, steal or rent the trucks, and the ideal targets.

The latest installment of the magazine's "Just Terror Tactics" feature comes as the U.S. Transportation Security Administration has just sent a warning about truck attacks to law enforcement agencies across the U.S.

Truck Attacks Poster Propaganda

We've got a bad feeling about this.

The Russian government jumped on the "May the 4th Be With You" bandwagon by tweeting the message "Come to our side" over a photo of a key Star Wars character.

Han Solo? Nope.

Luke Skywalker? Nah.

Yoda, you ask? Nyet.

The Russian Embassy in the U.K. chose a photo of Darth Vader, a villain bent on galactic domination, to personify itself on what's come to be known as Star Wars Day.

Hopefully it's just a snarky joke from a Twitter account known for trolling. Otherwise, someone tell the Pentagon to fire up the Millennium Falcon.


An NSA-derived ransomware worm is shutting down computers … – Ars Technica

Posted: at 5:30 pm

A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers.

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia being disproportionately affected, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware is notable for its multi-lingual ransom demands, which support more than two-dozen languages.

Wcry is reportedly causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government's National Health Service, and Spanish telecom Telefonica have all been hit. The Spanish CERT has called it a "massive ransomware attack" that is encrypting all the files of entire networks and spreading laterally through organizations.

The virally spreading worm was ultimately stopped when a researcher who uses the Twitter handle MalwareTech and works for security firm Kryptos Logic took control of a domain name that was hard-coded into the self-replicating exploit. The domain registration, which occurred around 6 AM California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.

The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign. MalwareTech's registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world. As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.

So-called worms, which spread quickly amid a chain of attacks, are among the most virulent forms of malware. Researchers are still investigating how Wcry takes hold. The awesome power of worms came to the world's attention in 2001 when Code Red managed to infect more than 359,000 Windows computers around the world in 14 hours.

"The initial infection vector is something we are still trying to find out," Adam Kujawa, a researcher at antivirus provider Malwarebytes, told Ars. "Considering that this attack seems targeted, it might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. Regardless, it is spreading through infected networks using the EternalBlue vulnerability, infecting additional unpatched systems."

Other organizations in Spain known to be disrupted include telecom Vodafone Espana, the KPMG consultancy, banks BBVA and Santander, and power company Iberdrola. The Blackpool Victoria Hospital in the UK reportedly pleaded for patients to seek treatment only for life-threatening emergencies after Wcry crippled its network. Portugal Telecom has also reported being infected. Meanwhile, Barts Health Hospital in London is redirecting ambulances to other facilities. At least two train stations showed signs of infections according to display pictures published here and here.

According to an article posted by Madrid-based El Mundo, 85 percent of computers at Telefonica, Spain's dominant telecom, are affected by the worm, although that figure has not been confirmed. Officials at Telefonica and Spanish energy companies Iberdrola and Gas Natural Fenosa have all instructed employees to shut down computers. While the paper confirmed an attack on Telefonica, it said it was not yet clear if the other two companies had been infected or if they ordered the shutdown as a preventative measure.

Wcry is demanding a ransom of $300 to $600 in Bitcoin to be paid by May 15, or, in the event that deadline is missed, a higher fee by May 19. The messages left on the screen say files will remain encrypted. It's not yet clear if there are flaws in the encryption scheme that might allow the victims to restore the files without paying the ransom.

People who have yet to install the Microsoft fix MS17-010 should do so right away. People should also be extremely suspicious of all e-mails they receive, particularly those that ask the recipient to open attached documents or click on Web links.

This post was updated repeatedly over the first six hours after it was published to report newly available information.


Report: NSA Analysts Frequently Broke Rules on Intelligence Collection – Foreign Policy (blog)

Posted: May 13, 2017 at 5:31 am

When searching intelligence data, analysts from the National Security Agency failed to follow the rules with much greater frequency than was previously disclosed, documents published by the Office of the Director of National Intelligence show.

The secretive Foreign Intelligence Surveillance Court accused the NSA of a lack of candor when reporting those failures, which are a serious concern for the Fourth Amendment.

During a preliminary review of just a few months in 2015, analysts running searches on emails and other digital communications vacuumed up from undersea internet cables frequently violated Americans' privacy, albeit unintentionally. The problem was widespread, wrote the Foreign Intelligence Surveillance Court in a memorandum published on the intelligence office's Tumblr page Thursday evening.

NSA analysts had a startling error rate of 85 percent on another, smaller part of the NSA's foreign intelligence programs, a statistic that raises questions about the propriety of current powers to search that data, the court wrote. That program, which uses rarely exercised authorities involving a few dozen top targets, is designed to target American citizens presumably living overseas, one former intelligence official explained to Foreign Policy.

Those failures happened almost immediately after being told to fix the same issue with privacy protection in 2011. Too often the government fails to meet its obligation to provide prompt notification when an analyst doesn't follow the rules, the court wrote.

On April 28, the NSA announced it would be winding down one part of a controversial foreign intelligence program, called Upstream, that allowed it to vacuum up digital communications about a target straight from the backbone of the Internet. That program is authorized under Section 702 of the Foreign Intelligence Surveillance Act, a law that's set to expire at the end of the year unless lawmakers reauthorize it.

The frequency of compliance issues, meaning the regularity with which NSA employees broke protocol when sifting through the communications, was the reason for shutting down the program, the NSA said.

The new memorandum reveals further detail about those compliance issues. At least one section of the program didn't allow audits of the searches, something unusual for the NSA. One former intelligence official told Foreign Policy it was shocking the database wasn't immediately tied to an auditing system.

The program is designed to track only foreign people living overseas, and NSA analysts weren't supposed to be digging through Americans' communications. But because the information was drawn straight from undersea Internet cables trawling for information about foreign targets, Americans' data often got swept up in what is known as incidental collection.

The NSA blamed the analysts' improper searches on human error and tricky technical design, as well as on a system that forced them to opt out of certain search parameters instead of opting in, leading them to forget to limit their queries.

It's unclear if NSA will try to revive its legal authority to search for communications about foreign targets, but for now it appears to be gearing up to defend the rest of the collection program so that lawmakers don't further strip away collection powers.

"The immense magnitude of noncompliance shows the current structure does not function and needs to change," Jake Laperruque, senior counsel at constitutional nonprofit The Constitution Project, wrote in a message to FP. "If FISA surveillance leads to such systemic failures violation of Americans' rights, it's time for systemic reforms."

NSA analysts weren't the only ones with compliance issues, according to the court's memorandum. The FBI, which also maintains access to communications collected by the NSA for both foreign intelligence and domestic crime purposes, shared that raw intelligence, without any redactions or privacy protections, with a third party largely staffed by private contractors.

Photo credit: MICHAEL BOCCHIERI/Getty Images


Hackers Hit Dozens of Countries Exploiting Stolen NSA Tool – New York Times

Posted: at 5:31 am


They then quickly spread through victims' systems using a hacking method that the N.S.A. is believed to have developed as part of its arsenal of cyberweapons. And finally they encrypted the computer systems of the victims, locking them out of critical ...
NSA-created cyber tool spawns global attacks – Politico
Cybercriminals have just mounted a massive worldwide attack. Here's how NSA secrets helped them – Washington Post
Ransomware based on leaked NSA tools spreads to dozens of countries – TechCrunch

NSA Tools, Built Despite Warnings, Used in Global Cyber Attack … – Common Dreams

Posted: at 5:31 am


Disruptions reported in at least 74 countries, including Russia, Spain, Turkey, and Japan, with some reports of U.S. infiltration as well.
Edward Snowden: Congress needs to grill NSA on hospital software ... – Washington Examiner
Edward Snowden points blame at NSA for not preventing NHS cyber ... – Telegraph.co.uk
Edward Snowden blames NSA for not preventing NHS cyberattack – International Business Times UK


A Stolen NSA Tool Is Being Used in a Global Cyberattack – The Atlantic

Posted: at 5:31 am

The shadow of ousted FBI director James Comey hung over the Senate Intelligence committee's worldwide threat hearing yesterday. Like Banquo's ghost in Macbeth, the presence of Comey's absence was everywhere. But it wasn't the most surreal aspect of the day. Here was a hearing on external threats at a moment when internal threats are growing more serious and scary than any time in recent memory. Just 24 hours later, the magnitude of that danger came into sharp focus as cyber attacks using stolen NSA tools hit an estimated 45,000 computers in more than 70 countries, disrupting Britain's health system and sending officials from Moscow to Madrid back to paper and pens.

Global Ransomware Attack Stuns Systems in Up to 74 Countries

Insider threats are not new but the speed and scale of their destructive impact are. In 2001, Robert Philip Hanssen, a 25-year veteran of the FBI, was caught hiding a garbage bag full of classified documents in a dead drop under a Virginia park bridge. His arrest ended a 15-year mole hunt for one of the most damaging traitors in American history. Hanssen was found to have passed a few thousand highly classified documents to the Soviets over two decades, including the names of dozens of American agents. Several were killed as a result of his treachery.

Today, trusted insiders can steal and release classified information in terabytes, not trash bags, all in a matter of days, not decades. Chelsea Manning downloaded the contents of more than 250,000 State Department cables on a fake Lady Gaga CD, lip syncing to Lady Gaga's Telephone as he exfiltrated the data. Former NSA contractor Edward Snowden stole an estimated 1.5 million documents, including information about some of the most highly classified programs in the U.S. government, and not just by copying what he happened to see on his desktop.

A bipartisan review by the House Intelligence Committee found that Snowden deliberately sought access to classified programs by tricking coworkers into giving him their security credentials and by searching their network drives without their permission, downloading away. The vast majority of the documents he stole, the report concludes, have nothing to do with programs impacting individual privacy interests; they instead pertain to military, defense, and intelligence programs of great interest to America's adversaries. Snowden's operation took just 10 months before he high-tailed it to Hong Kong.

And for all the efforts to glue shut thumb drives and call for better procedures to detect when trusted officials become untrustworthy, the breaches just keep coming. In the past year, press reports have made public another wave of breaches believed to have been perpetrated by insiders at both the NSA and CIA that stole and released some of the nation's most sophisticated cyber hacking tools, including the WannaCry ransomware used today. In February, a second former NSA contractor, Hal Martin, was indicted for stealing classified documents. How many exactly? The Justice Department believes it could be as much as 50 terabytes; that's the equivalent of 500 million pages.

At yesterday's hearing, Director of National Intelligence Dan Coats delivered a 28-page threat assessment about the dangers confronting the United States. Two lines look awfully ominous today: Trusted insiders who disclose sensitive or classified US Government information without authorization will remain a significant threat in 2017 and beyond. The sophistication and availability of information technology that increases the scope and impact of unauthorized disclosures exacerbate this threat.


US security officials meet to discuss global cyberattack using leaked NSA tools – ABC News

Posted: at 5:31 am

Senior U.S. intelligence officials from various government agencies met late today to see what, if anything, they could do to stop the sophisticated global cyberattack using leaked NSA tools that is spreading across the globe, a senior U.S. official tells ABC News.

According to several cybersecurity experts, the unidentified attackers targeted networks all over the world, including one major U.S. company, exploiting a vulnerability in Microsoft Windows that was identified by the U.S. National Security Agency (NSA) and leaked to the public by the hacker group The Shadow Brokers in April.

Microsoft released a patch to address the vulnerability, but networks that did not adopt it would have remained vulnerable. In a statement, the tech company said that users who are running its free antivirus software or have Windows updates enabled are protected. Microsoft said it is also working with customers to provide additional assistance.

The Department of Homeland Security said in a press release Friday that it is aware of the threats.

"This appears to be the first incidence of the use of an NSA exploit in a broad and far reaching cybercriminal campaign," John Bambenek of Fidelis Cybersecurity said.

According to Ryan Kalember, senior Vice President of cyber security strategy at the cybersecurity firm Proofpoint, a ransomware worm using the essentially unaltered NSA code is spreading across government and corporate networks in at least 74 countries, with European and Asian countries among the hardest hit. Russia, he said, was particularly vulnerable because many of its networks use older versions of Microsoft Windows.

"This is depressing as a cybersecurity expert," Kalember said. "The patch has existed since the vulnerability was made public, so if people were applying it, this never had to happen."

One U.S. senior official said American companies may fare better than those overseas because they are better at cyber hygiene. In many cases, the official said, the attacks have been successful because they are against pirated or unauthorized copies of Microsoft Windows, which cannot be easily patched to fix the vulnerability.

Kalember says the attack is spreading rapidly, making it difficult to identify patient zero and attribute the attack to a particular hacker group.

Tyler Wood, a former top cybersecurity official who now works for a major telecommunications firm, told ABC News the forensic work to identify the perpetrators may take some time, and it could be a private attacker or a state.

FedEx appears to be the first U.S.-based target, though Kalember said he is aware of others who have not spoken publicly. A spokesperson for FedEx confirmed to ABC News that the company is among the victims of the ransomware attacks.

"Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware," said a spokesperson in a statement. "We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers."

Some of the first reports emerged from England, where hospitals across the country were hit by ransomware attacks, in which hackers infect computers with malicious software and demand ransoms to restore access, according to the National Health Service (NHS).

As of this afternoon, 16 facilities with the NHS, which is the publicly funded health care system for England, had reported that they were affected by what appeared to be a large-scale cyberattack.

"The investigation is at an early stage but we believe the malware variant is Wanna Decryptor," NHS Digital, the body of the Department of Health that uses information and technology to support the health care system, said in a statement.

The attack has locked computers and blocked access to patient files. But there's no evidence so far that patient data has been accessed, NHS Digital said.

Chris Camacho, chief strategy officer at the cybersecurity firm Flashpoint, said healthcare companies are particularly ripe for this kind of exploitation because patient records are so critical to care.

"There's nothing you can do but pay once you're hit," Camacho said. "If you need that data back, you're going to pay."

Following the leak of NSA tools, Bambenek told ABC News that he had conversations with high-ranking U.S. national security officials in which he urged them to share information with private vendors so that they could develop countermeasures because the NSA had lost control of its own weapons.

"That did not progress rapidly enough, and here we are today," Bambenek said. "The NSA can have very smart people finding these vulnerabilities, but not very smart people can start using them to very devastating effect."

ABC News' Julia Jacobo contributed to this report.


Hackers breach computers in 12 countries using stolen NSA tools – ThinkProgress

Posted: at 5:31 am

Patrick Ward, 47, a sales director at Purbeck Ice Cream, from Dorset in England, poses for photographs after giving media interviews after his heart operation scheduled today was cancelled because of a cyberattack, outside St Bartholomew's Hospital in London, Friday, May 12, 2017. A large cyberattack crippled computer systems at hospitals across England on Friday, with appointments canceled, phone lines down and patients turned away. CREDIT: AP Photo/Matt Dunham

Employees and patients across multiple UK National Health Service facilities were displaced on Friday thanks to a large-scale cyberattack on network computers across Eurasia, including Great Britain, Portugal, Spain, Russia, Turkey, Vietnam, the Philippines, and Japan.

Doctors and hospital staff were locked out of patient files and forced to relocate emergency patients, the Guardian reported. The attack made use of ransomware, a type of malware that restricts file and system access by encrypting data. The hackers then demand payment in exchange for decrypting the data and restoring access. Patient records, emails, schedules, and phone lines were all ensnared in the attack.

British health officials said their systems were not the target of the attack. But security experts believe the vulnerability exploited during the attack was discovered by the NSA, and was included among the many cyber tools previously stolen from the American intelligence community earlier this year, the New York Times reported. The ransomware was distributed via email.

Hospitals and telecom companies in western Europe, Russia, and Asia were also affected, the MalwareHunterTeam told the New York Times.

The hackers demanded each user pay $300 in bitcoin to a specific bitcoin account in the next three days, potentially totaling thousands of dollars' worth of bitcoin. The ransom doubles if payments aren't made in that time, according to the hackers' message obtained by the Guardian, and files will be kept restricted forever if payment isn't received in seven days.

Ransomware attacks aren't a new occurrence, and they often work. U.S. hospital systems were recently victimized by similar attacks. A Los Angeles hospital system, Hollywood Presbyterian Medical Center, paid a $17,000 bitcoin ransom in February 2016 after patient files and data were held hostage for two weeks. The system's CEO, Allen Stefanek, said paying was in the best interest of restoring normal operations.

Medstar, a Washington, D.C. area hospital system, was attacked the following month and had to turn away patients. Hackers gave the hospital system, which treats 30,000 people across 10 hospitals and 250 outpatient centers, 10 days to pay $19,000 in bitcoin, the Washington Post reported.

The FBI investigated both attacks, and previously reported an uptick in ransomware hacks in recent years.
