How leaked exploits empower cyber criminals

Last year, the interconnectedness of cybercrime was demonstrated by a variety of supply chain hacks and other well-known cybersecurity issues that coalesced to create massive botnets powered by compromised Internet-of-Things (IoT) devices. The events from the first half of 2017 highlight another long-developing issue, which has been made worse by a variety of data dumps from actors such as WikiLeaks, TheShadowBrokers, and others: the leakage of state-sponsored and cybercriminal hacking tools and exploits. 

Much like leaked personal data, once those vulnerabilities, exploits, and tools are exposed, they forever remain in the cybercriminal public domain. The May outbreak of WannaCry ransomware and the June outbreak of the data-destroying malware NotPetya both leveraged leaked NSA exploits to disrupt numerous organizations across the globe. As described by cyber analysts at SurfWatch Labs in their mid-year report, those events reaffirmed that the most dangerous data breaches often involve the theft of such tools and exploits and, even more worrisome, the impact of that type of information being leaked can spread further, wider, and be more long-lasting than perhaps any other type of cyber incident.   

A central theme in the 2016 report was the set of issues that arose from the Mirai botnet and the takeover of numerous insecure IoT devices. Although those record-setting DDoS attacks were vastly different from 2017’s outbreak of WannaCry ransomware and the destructive NotPetya malware, the events share a similar root cause: leaked exploits and source code. IoT botnets and data-encrypting malware were of course common before those incidents; however, the September 2016 release of the Mirai source code and the April 2017 release of NSA exploits exacerbated the crime.

Examining the NSA Leaks and EternalBlue 

It is unclear exactly how the sensitive hacking tools and exploits were stolen from the NSA’s elite hacking team, known as the Equation Group. It is clear, however, that multiple individuals were in possession of that data. The breach first came to light in mid-August 2016 when TheShadowBrokers announced it was auctioning off a cache of stolen NSA tools. The most notable of the stolen NSA tools was EternalBlue, an exploit for the Server Message Block (SMB) vulnerability (CVE-2017-0144) that was leveraged, along with other leaked exploits, in May’s outbreak of WannaCry and June’s outbreak of NotPetya. While WannaCry was a true ransomware in that some victims reported they were able to decrypt their files by paying the ransom, the version of NotPetya using leaked NSA exploits acted more as a Shamoon-like data wiper than actual ransomware. The ransom messages that infected victims experienced were a ruse, researchers discovered, as the attackers had no way to actually decrypt victims’ files.

However, the warnings of an unknown SMB exploit came months prior to those incidents. US-CERT issued an SMB best practice alert after TheShadowBrokers listed the exploit for sale in January, and Microsoft patched the vulnerabilities targeted by a variety of exploits stolen by the group, including EternalBlue, in March after being informed by the NSA that the agency’s cyber arsenal was in the hands of malicious actors.

Beyond EternalBlue: How Other Leaks Fuel Cybercrime 

Malicious actors have a long history of taking the tools used by other successful campaigns and then modifying and enhancing those tools to make them either more impactful or to fit their specific campaigns. 

In March of this year, WikiLeaks began an almost-weekly series of data dumps related to the CIA, which WikiLeaks described as totalling “more than several hundred million lines of code” and revealing “the entire hacking capacity of the CIA.” That alone is concerning, but the leaks also revealed, not surprisingly, that the CIA would scour old malware code, data leaks, and other sources for hacking tools that the agency could incorporate into its knowledge base. For example:   

  • CIA’s UMBRAGE group would examine known commercial malware code such as DarkComet for “functional code snippets that can be rapidly combined into custom solutions.” 
  • iOS and Android exploits were shared from other intelligence agencies and purchased from vendors. 
  • Suspected state-sponsored malware was analyzed, repurposed, and improved. 
  • Public data dumps such as the 400 GB of data leaked from Hacking Team in 2015 were reviewed and mapped for their capabilities. 

This widespread leaking, sharing, and repurposing of hacking tools by the CIA and cybercriminal actors is yet another example of the interconnected nature of cybercrime. As we’ve repeatedly seen over the past few years, a major breach is rarely isolated, and information stolen or leaked from one organization can be leveraged to attack numerous other organizations. Whether it is personal information, password lists, intellectual property, or vulnerabilities and exploits, actors will build off of the hard work and previous success of other actors by incorporating that information into new campaigns. 

The heightened level of leaked exploits appears likely to continue in the second half of 2017, so here are three recommendations to mitigate your risk - what I like to call “go-do’s”:

1. Continuously monitor for relevant external threats.  

Understanding the cyber risks that are occurring inside your organization is crucial; however, data shows that threats frequently originate outside an organization's walls. Continuous monitoring and reporting on new vulnerabilities, exploits, and other data breaches that may impact your organization or those in your supply chain can help to spot risks like EternalBlue before they are exploited by cybercriminal actors.

2. Have a structured way of prioritizing threats and taking meaningful action.   

Using threat intelligence to get a jump on external threats only works if you know how to quickly take action to prevent those threats. This includes prioritizing how those threats will impact your organization's unique cyber risk profile and working to mitigate those risks. The WannaCry outbreak occurred two months after Microsoft issued a patch for the exploits and one month after TheShadowBrokers publicly leaked those exploits. It isn’t uncommon to see zero-day vulnerabilities being incorporated into campaigns in an even shorter window – sometimes just a few days after disclosure. Timely patching is one of the most effective ways to thwart cybercriminal actors.

3. Follow best practice and risk assessment recommendations.  

The NSA failed to follow through on several recommendations to limit internal threats – even after the insider theft carried out by Edward Snowden in 2013 that exposed the agency to additional threats from contractors like Harold Martin and, potentially, TheShadowBrokers. Following broad cybersecurity best practices and frameworks such as those provided by NIST, OWASP, and others can help to limit the large portion of cyber-attacks that leverage well-known issues and vulnerabilities. In addition, organizations should have a source for more specific recommendations that can be taken when pertinent events arise, whether that is a global attack like WannaCry or something more specific to your industry sector or organization. 

Adam Meyer, Chief Security Strategist, SurfWatch Labs