UNITEDRAKE Looms Large…Maybe

Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research) | Date: Fri, 08 Sep 2017 03:32:04 +0000

Responsible disclosure is a critical process in the security community. It’s the way for security researchers and vendors to work together in order to improve system security for users.

We see the opposite of this process in the digital underground.

Cybercriminals often sell exploits and malicious tools for profit. The ShadowBrokers—infamous for the leak of ETERNALBLUE which was used by WannaCry and other malware—have been struggling to find a way to profit from their activities.

The latest news from the hacker group is that their refreshed monthly service will now dump data, exploits, and tools twice a month…if you’re willing to pay.

UNITEDRAKE

Rumoured to be part of the September dump from the ShadowBrokers is another high-quality NSA tool. The tool helps attackers collect information from, and control, systems running older versions of Microsoft Windows such as XP, Vista, 7, 8, Server 2003, Server 2008, and Server 2012.

This is an extensible tool that is built for scale, and it greatly simplifies the hacking process. UNITEDRAKE stands out because it’s a much more refined hacking product than is typically available. It has a polished interface and even comes with a 60+ page manual!

While we know some of the features of the tool, the details of how it works are unknown at this time.

This leaves defenders and the larger security community asking, “How can I protect my organization from this tool?”

The Vulnerability or Vulnerabilities

Unfortunately we just don’t know how to stop UNITEDRAKE…yet.

Previous dumps from NSA hacks have been significant. Look no further than WannaCry to understand the potential here. We simply won’t know how bad this tool is or isn’t until the security community gets access to the code and analyzes it.

For now, make sure you’re using a defence-in-depth strategy, have the latest patches applied to all of your systems, and have a strong, well-practiced incident response plan in place.

The larger question you’re probably asking yourself is “Why doesn’t the security community have access to the code?” After all, the ShadowBrokers are selling the tool as part of a larger data cache.

The Line

The answer to this question highlights the line between the white hats and the black.

Responsible disclosure comes in many forms, whether it’s a bug bounty program, brokered disclosure, or an informal process. Each of these ends in the same result: fixing the root cause.

In each of these processes someone (a researcher, developer, etc.) has discovered an issue (by accident, through testing, etc.) and is working with the vendor to fix the problem.

None of these processes are perfect and there’s still a lot of discussion around how to streamline this type of work. But there is no debate about the goal.

The goal is to protect users by making stronger software through a transparent process.

The ShadowBrokers, on the other hand, are shrouded in mystery, but they are crystal clear about the source of their data dumps. They freely admit the data is illicit in nature and that the group is looking to profit by selling this information.

That approach stands in stark contrast to responsible disclosure. Supporting this group by paying for illicit data only encourages more of the attacks that generate such data in the first place.

This is the exact opposite of the goal of the security community.

Next Steps

While we won’t condone or support illicit behaviour, the community—Trend Micro included—is actively watching for the use of these tools in the wild. Once an attack is seen, it can be analyzed in order to help protect organizations against further attacks.

Advanced techniques like machine learning and behavioural analysis will get the first opportunity to stop UNITEDRAKE and gather information about how it works. These tools react dynamically to changing conditions without the need for updated rules or configurations, which is why they can be very effective.

Once attack data is available, teams around the world will analyze it and quickly provide updates to the relevant security solutions. The global security community is very good at this type of rapid response, and this tool will be no different.

A situation like this—where we know a potentially big exploit will be released—brings up a lot of different issues. What are your thoughts? As a defender, how are you approaching the situation? Do you change your tactics when you know an attack is imminent?

Let me know on Twitter where I’m @marknca.
