[BreachExchange] What do we learn about clandestine operators from the Shadow Brokers leak?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 20 18:58:35 EDT 2017


https://www.scmagazineuk.com/what-do-we-learn-about-clandestine-operators-from-the-shadow-brokers-leak/article/665039/

The unprecedented series of major cyber-security incidents in recent months
has highlighted the biggest challenge facing any security team – trying to
outguess unknown potential assailants who may unleash unfamiliar attacks at
any time.

The competition between attackers and defenders has often been described as
an arms race, but the unique way the world of cyber-threats operates makes
it pretty far removed from any traditional examples. Attackers and
defenders alike are usually very disparate groups, but a discovery by a
single dedicated or lucky researcher can spread quickly and change the
entire equation. This was perfectly exemplified by the leaking of the
stolen NSA tools by the Shadow Brokers group and subsequent WannaCry
attack.

The brazen and public leak by the Shadow Brokers was an unusual event,
however; usually the sharing of information is kept as covert as
possible. In most cases the cyber-community makes it challenging for
outsiders to gain any awareness of what data and discoveries are being
shared and discussed. Nation state actors and criminals actively planning
attacks obviously have a vested interest in remaining totally untraceable,
but even hobbyists and researchers will usually hide on the dark web,
behind a level of anonymity beyond the wildest dreams of the spymasters of
the Cold War.

This secret world can be accessed, however, if you know where to look and
who to ask. Most dark web forums are very strict on membership, and usually
require an existing member of the community to vouch for credibility. Even
with this in-road, it can take six months to a year or more to be fully
vetted and allowed into the community. Expensive entrance fees are also
standard practice, running from US$ 500 (£394) to several thousand.

Once access has been granted, it's possible to gain powerful insight into
how the cyber-underworld operates and utilise threat intelligence to
predict trends and stop attacks. With machine learning, analytics tools can
monitor both open and closed communication channels in real time,
identifying spikes in key words and names that can mean a new vulnerability
is for sale or an attack is being planned.

We most recently saw this with the discovery of a ransomware nicknamed
Fatboy, which used a unique distribution model to adjust the ransom demand
to match the economic level of the target area. Once the ransomware scheme
was unearthed, the seller had to shut down the operation due to the level
of attention he was receiving.

These channels are thrumming with activity at all times, but a large-scale
event like the Shadow Brokers leak essentially kicks over the hornets' nest
and sets things into overdrive. The increased activity and singular focus
also serve to provide anyone watching with even more useful and
concentrated insight into the priorities and preferences of different
groups.

Unsurprisingly we saw the most interest in the leaked tools from the
Chinese and Russian communities, due to their advanced technical skills and
extensive history of activity.

The exploit framework FUZZBUNCH and privilege escalation tool
ETERNALROMANCE were of particular interest to all comers, along with the
SMB malware ETERNALBLUE, which went on to be a crucial component of the
global WannaCry ransomware attacks.

Aside from these areas of universal interest though, it was also possible
to see different toolkits drawing more interest from particular groups.
Chinese-speaking actors were particularly focused on the unique malware
trigger point, and there were claims that the patches for CVE-2017-0143
through -0148 would not offer sufficient protection because they did not
address the base code weaknesses.

A well-respected member of a top-tier Russian-speaking criminal community
meanwhile quickly set about analysing both ETERNALBLUE and the DOUBLEPULSAR
kernel payload. An in-depth tutorial was produced within three days and
promptly spread far and wide. Considering that the two exploits were used
as part of the WannaCry attack, it is very likely these guidelines helped
the culprits prepare their attack.

With many tools from the initial leak yet to surface and the group now
claiming it will release new leaks on a monthly basis, it's safe to say the
Shadow Brokers group will continue to be a major point of focus for
cyber-communities around the world.

With advanced threat actors being able to weaponise vulnerabilities in
days, and even the fastest patches being delayed by relying on end-user
updates, any future leaks will cause more waves in the cyber-community.
While this will continue to provide valuable threat intelligence, the
security industry will need to act swiftly to mitigate another global
event.