{"id":9165,"date":"2017-09-07T20:00:34","date_gmt":"2017-09-08T04:00:34","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/07\/news-2938\/"},"modified":"2017-09-07T20:00:34","modified_gmt":"2017-09-08T04:00:34","slug":"news-2938","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/09\/07\/news-2938\/","title":{"rendered":"UNITEDRAKE Looms Large\u2026Maybe"},"content":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Fri, 08 Sep 2017 03:32:04 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Responsible disclosure is <a href=\"https:\/\/en.wikipedia.org\/wiki\/Responsible_disclosure\">a critical process<\/a> in the security community. 
It\u2019s the way for security researchers and vendors to work together in order to improve system security for users.<\/p>\n<p>We see the opposite of this process in <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercriminal-underground-economy-series\">the digital underground<\/a>.<\/p>\n<p>Cybercriminals often sell exploits and malicious tools for profit. <a href=\"https:\/\/en.wikipedia.org\/wiki\/The_Shadow_Brokers\">The ShadowBrokers<\/a>\u2014infamous for the leak of <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/ms17-010-eternalblue\/\">ETERNALBLUE<\/a> (the SMBv1 exploit addressed by MS17-010), which was used by WannaCry and other malware\u2014have been struggling to find a way to profit from their activities.<\/p>\n<p><a href=\"http:\/\/thehill.com\/policy\/cybersecurity\/349592-shadowbrokers-accelerating-nsa-leaks-to-twice-a-month\">The latest news<\/a> from the hacker group is that their refreshed monthly service will now dump data, exploits, and tools twice a month\u2026if you\u2019re willing to pay.<\/p>\n<h2>UNITEDRAKE<\/h2>\n<p>Rumoured as part of the September dump from the ShadowBrokers is another high-quality NSA tool. The tool helps attackers collect information from, and take control of, systems running older versions of Microsoft Windows such as XP, Vista, 7, 8, Server 2003, Server 2008, and Server 2012.<\/p>\n<p>This is an extensible tool that is built for scale and greatly simplifies the hacking process. UNITEDRAKE stands out because it\u2019s a much more refined hacking product than is typically available. 
It has a polished interface and even comes with a 60+ page manual!<\/p>\n<p>While we know some of the features of the tool, the details of how it works are unknown at this time.<\/p>\n<p>This leaves defenders and the larger security community asking, \u201cHow can I protect my organization from this tool?\u201d<\/p>\n<h2>The Vulnerability or Vulnerabilities<\/h2>\n<p>Unfortunately we just don\u2019t know how to stop UNITEDRAKE\u2026yet.<\/p>\n<p>Previous dumps from NSA hacks have been significant. Look no further than <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/massive-wannacrywcry-ransomware-attack-hits-various-countries\/\">WannaCry<\/a> to understand the <b>potential<\/b> here. We simply won\u2019t know how bad this tool is or isn\u2019t until the security community gets access to the code and analyzes it.<\/p>\n<p>For now, make sure you\u2019re using a defence in depth strategy, have the latest patches applied to all of your systems, and have a strong, well-practiced incident response plan in place. Note that several of the versions listed above (XP, Vista, and Server 2003) were already out of Microsoft support by this time and no longer receive routine security updates, so \u201clatest patches\u201d is not a complete answer for those hosts: they should be inventoried, isolated from the rest of the network, and retired.<\/p>\n<p>The larger question you\u2019re probably asking yourself is \u201cWhy doesn\u2019t the security community have access to the code?\u201d After all, the ShadowBrokers are selling the tool as part of a larger data cache.<\/p>\n<h2>The Line<\/h2>\n<p>The answer to this question highlights the line between the <a href=\"http:\/\/bitly.com\/define-white-hat\">white hats<\/a> and the black hats.<\/p>\n<p>Responsible disclosure comes in many forms. Whether it\u2019s <a href=\"https:\/\/www.ft.com\/content\/46b9e012-1de3-11e7-b7d3-163f5a7f229c\">a bug bounty program<\/a>, <a href=\"http:\/\/www.zerodayinitiative.com\/about\/\">brokered disclosure<\/a>, or an informal process, each of these ends in the same result: fixing the root cause.<\/p>\n<p>In each of these processes someone (a researcher, developer, etc.) has discovered an issue (by accident, through testing, etc.) and is working with the vendor to fix the problem. 
<\/p>\n<p>None of these processes are perfect and there\u2019s still a lot of discussion around how to streamline this type of work. But there is no debate about the goal.<\/p>\n<p>The goal is to protect users by making stronger software through a transparent process.<\/p>\n<p>The ShadowBrokers, on the other hand, are shrouded in mystery but they are crystal clear about the source of their data dumps. They freely admit the data is illicit in nature and the group is looking to profit by selling this information.<\/p>\n<p>That approach stands in stark contrast to responsible disclosure. Supporting this group by paying for illicit data only encourages more of the attacks that generate illicit data in the first place.<\/p>\n<p>This is the exact opposite of the goal of the security community.<\/p>\n<h2>Next Steps<\/h2>\n<p>While we won\u2019t condone or support illicit behaviour, the community\u2014Trend Micro included\u2014is actively watching for the use of these tools in the wild. Once an attack is seen, it can be analyzed in order to help protect organizations against further attacks.<\/p>\n<p>Techniques like machine learning and behavioural analysis will get the first opportunity to stop UNITEDRAKE and gather information about how it works. These tools react to changing conditions without the need for updated rules or signatures, which is why they can be effective against a tool whose indicators are not yet known.<\/p>\n<p>Once attack data is available, teams around the world will analyze it and quickly provide updates to the relevant security solutions. The global security community is very good at this type of rapid response and this tool will be no different.<\/p>\n<p>A situation like this\u2014where we know a potentially big tool release is coming\u2014brings up a lot of different issues. What are your thoughts? As a defender, how are you approaching the situation? 
Do you change your tactics when you know an attack is imminent?<\/p>\n<p>Let me know on Twitter where <a href=\"https:\/\/twitter.com\/marknca\">I\u2019m @marknca<\/a>.<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/unitedrake-looms-large-maybe\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Fri, 08 Sep 2017 03:32:04 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/09\/iStock-175230595-2-1.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Responsible disclosure is a critical process in the security community. It\u2019s the way for security researchers and vendors to work together in order to improve system security for users. We see the opposite of this process in the digital underground. Cybercriminals often sell exploits and malicious tools for profit. 
The ShadowBrokers\u2014infamous for the leak of&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10422,4503,10423,10752],"class_list":["post-9165","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-current-news","tag-cybercrime","tag-underground-economy","tag-vulnerabilities"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9165"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9165\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}