Baltimore leading contender for Digital Darwin Award

What can nature teach us about ransomware attacks? Plenty, if you look for and apply the lessons. Imagine a weather forecast so accurate it could predict 24 months in advance the next hurricane, where it would hit and the damage it would do. Or tornados. Or hail storms. There would be no excuse for not being prepared, right?. Unless you’re government.

For the second time in less than 14 months, Baltimore has been hit by ransomware.

The first attack, last year, targeted the computer-aided dispatch (CAD) system used by emergency personnel. Baltimore’s vulnerability that time — a technician’s change to an internal firewall — was only four hours old when it was exploited. While the attack did not take down the actual inbound call system for 911 emergencies, it crippled the CAD system and forced emergency operations to revert to manual dispatching.

According to the chief information officer for the city at that time, Frank Johnson, the mechanism of injury was obvious. “I don’t know what else to call it but a self-inflicted wound,” Johnson said. “The bad guys did not get in on their own without the help of someone inadvertently leaving the door open.”

Baltimore had plenty of time to prepare for the next attack. The threats were known and identified. “Johnson said his office works diligently to prevent cyber-attacks and is looking to invest more in safeguarding its networks.” A successful wake-up call? Nope. Baltimore hit the snooze button and now is paying a bigger price.

The original warning for the most recent attack came in the form of a critical alert from Microsoft in March of 2017 — 26 months before Baltimore got hit. Microsoft wasn’t vague about it either, labeling it as “**Critical** Remote Code Execution.” The double asterisks on either side of ‘critical’ was a clue. The vulnerability affected the Microsoft Server Message Block (SMB) server. This server provided shared access to files, printers and serial ports.

The tool used to commit the most recent exploit was one of our own making. The National Security Agency created EternalBlue to take advantage of a flaw in the Windows SMB server. The New York Times reported that EternalBlue “was one of the most useful exploits in the NSA’s cyberarsenal. According to three former NSA operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it.”

Microsoft was not alerted for five years, until the tool was leaked by the Shadow Brokers. EternalBlue was eventually used by Russia to launch a devasting ransomware attack called ‘NotPetya’, and by North Korea with the ‘WannaCry’ campaign. Once the tool was ‘in the wild,’ NSA made the notification to Microsoft, and the critical alert was issued.

Those organizations and government entities that patched the vulnerability were generally safe from the targeted exploit. There is a traditional framework to understand your risk, which is you only have a risk when there is a threat (EternalBlue) and a known vulnerability (Windows SMB server). If EternalBlue didn’t exist, then there is little or no risk. If the vulnerability was patched (like Equifax should have done to their database), then there is no risk even if there is a threat (Chinese hackers).

To put it bluntly, Baltimore wouldn’t be in the news for a ransomware attack if they had simply patched their systems. 

According to the 2018 Government Cybersecurity Report from SecurityScorecard, government ranks 14^th out of 18 for patching systems compared to other major U.S. industry sectors. According to the report, the top three areas of weakness in government systems were endpoint security (17^th), network security (13^th) and patching (14^th). 

Endpoint security affects all laptops, desktops and mobile devices that connect to government networks, while network security involves defending against external threats. And while patching systems might not sound sexy, “around 80 percent of attacks use vulnerabilities for which patches already exist, and most use vulnerabilities which could have been patched over a year before the attack.” Or even 26 months.

In the case of Baltimore, attackers would have required “unfettered access to a victim’s system days or perhaps even weeks in advance.” The fox was in the hen house targeting individual computers, since this version of ransomware dubbed ‘RobbinHood’ did not spread automatically and required specific targeting of computers.

The ransom demand will most likely escalate into hundreds of thousands of dollars. The mayor says they won’t pay, at least for now. “But in order to move the city forward? I might think about it. But I have not made a decision yet,” he said.

In the meantime, Baltimore is pursuing a novel remedy. The city council is asking Maryland Governor Larry Hogan to request a federal emergency and disaster declaration. The reason? The attack tool was of NSA origin, and the United States should bear responsibility for the attack.

That approach would carry more weight if Baltimore had not been warned 26 months in advance. They even had a test run and wake-up call in March of 2018.

Even now, a significant number of Baltimore county school systems remain vulnerable to the RobbinHood ransomware. One reason is because the same vulnerability targeted by EternalBlue remains unpatched in the school system network. When asked for comment by Ars Technica, a Baltimore County Public Schools spokesperson said, “I’ll check with our IT team.” There was no further reply.

Had the EternalBlue exploit still been secret, and everyone vulnerable, you could make a case for a FEMA declaration and use taxpayer money for ‘some’ of the recovery efforts. In this case, it appears there was over two years of warning that was ignored.

Whether EternalBlue was used for the initial compromise or used after a different technique allowed access to the network, the fact the attackers operated long enough to infect machines without detection should be troubling.

The biggest threat to government networks might not be nation states or criminal hacker groups. It might be our own apathy and ineptitude — like Walt Kelly’s infamous cartoon strip when Pogo remarked “We have met the enemy and he is us.”