Microsoft blames United States government for ‘stockpiling’ vulnerabilities
The attack that authorities say swept 150 countries this weekend is part of a growing problem of “ransomware” scams, in which people find themselves locked out of their files and presented with a demand to pay hackers to restore their access.
“The governments of the world should treat this attack as a wake-up call,” Microsoft President Brad Smith wrote. “An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”
Chris Wysopal, chief technology officer with the software security company Veracode, says that after ransomware attacks, researchers will often infect one of their own machines on purpose to see if the encryption key is somehow left in memory.
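The memory check Wysopal describes is usually done by searching a memory image for an AES key schedule: AES expands a 16-byte key into 176 bytes of round keys, and any 176-byte window whose tail equals the expansion of its head is almost certainly a live key. The scanner below is an added example written for this page, not code from Veracode or from any WannaCry analysis; it assumes AES-128, builds the S-box itself so it runs without third-party libraries, and scans a constructed image (deterministic filler with the FIPS-197 test key schedule planted at offset 1000). The function names and the sample image are illustrative choices, not anything the article names.

```python
"""Scan a memory image for AES-128 key schedules (cold-boot style key recovery)."""

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for a in range(256):
        inv = 0 if a == 0 else next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
        x = inv
        for n in (1, 2, 3, 4):  # x ^= rotl(inv, n) for n = 1..4
            x ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox[a] = x ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes, expected: bytes = None) -> bytes:
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule.

    When `expected` (a 176-byte memory window) is given, the expansion stops
    and returns None at the first word that disagrees, which keeps the scan
    cheap: almost every offset in an image fails on the first expanded word.
    """
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # SubWord(RotWord())
            temp[0] ^= RCON[i // 4 - 1]
        word = [w[i - 4][j] ^ temp[j] for j in range(4)]
        if expected is not None and expected[4 * i:4 * i + 4] != bytes(word):
            return None
        w.append(word)
    return bytes(b for word in w for b in word)


def find_aes128_keys(mem: bytes) -> list:
    """Return (offset, key) for every window whose 160-byte tail expands from its 16-byte head."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        window = mem[off:off + 176]
        if expand_key(window[:16], expected=window) is not None:
            hits.append((off, window[:16]))
    return hits


# FIPS-197 Appendix A.1 test key; its schedule is a known value we can check against.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_image() -> bytes:
    """Constructed memory image (not a real dump): filler with a key schedule planted at offset 1000."""
    filler = bytes((i * 131 + 7) & 0xFF for i in range(4096))
    return filler[:1000] + expand_key(SAMPLE_KEY) + filler[1000:]


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset {off}: key={key.hex()}")
```

The scan only finds keys whose expanded schedule is still resident; ransomware that zeroes its key material or keeps it in a CryptoAPI blob needs a different search (for example, for RSA prime material), and a process dump taken after the encrypting process exits will normally contain nothing.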
The NSA did not respond to requests for comment.
On Sunday, the United States software giant called on intelligence services to strike a better balance between their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – and sharing those flaws with technology companies to better secure the internet.
Independent research by Quick Heal Technologies, a cyber-security firm, shows that about 48,000 computers were attacked by the ransomware WannaCry, with most incidents in West Bengal.
Last year, a group known as the Shadow Brokers, which western intelligence officials believe to be a proxy for Russian intelligence services, began to leak NSA cyber weapons online. Failing to get a buyer, the Shadow Brokers released the flaws openly in mid-April.
“Out of that batch, it is probably a high-water mark”, Manky said. Regardless of the ethics questions about how these agencies should best carry out their duty of protecting the public, the decision will likely end up as a political one, about how the government should use its power.
EsteemAudit takes advantage of a vulnerability in Microsoft’s Remote Desktop Protocol in Windows Server 2003 and Windows XP, both of which were already out of support, allowing an attacker to install and execute malicious code, according to an analysis by Fortinet. Cyber security expert Subhamangala said that the first thing they are doing is checking what systems have been affected.
With the interests of government agencies and tech firms often at odds, Sims said, a national cybersecurity policy or regulations are needed to set out when notifying companies about a government-identified flaw becomes more important than secretly hanging onto it.
It said “computer hardware and software that can no longer be supported should be replaced as a matter of urgency”.
In Congress, Republican Senator Ron Johnson and Democratic Senator Brian Schatz are working on legislation that would codify the review process.
“Who’s culpable are the criminals that distributed it and the criminals that weaponized it”, Bossert said.