The unprecedented series of major cyber-security incidents in recent months has highlighted the biggest challenge facing any security team – trying to outguess unknown potential assailants who may unleash unfamiliar attacks at any time.
The competition between attackers and defenders has often been described as an arms race, but the unique way the world of cyber-threats operates makes it pretty far removed from any traditional examples. Attackers and defenders alike are usually very disparate groups, but a discovery by a single dedicated or lucky researcher can spread quickly and change the entire equation. This was perfectly exemplified by the leaking of the stolen NSA tools by the Shadow Brokers group and subsequent WannaCry attack.
The brazen and public leak by the Shadow Brokers was an unusual event however, and usually the sharing of information is kept as covert as possible. In most cases the cyber-community makes it challenging for outsiders to gain any awareness of what data and discoveries are being shared and discussed. Nation state actors and criminals actively planning attacks obviously have a vested interest in remaining totally untraceable, but even hobbyists and researchers will usually hide on the dark web, behind a level of anonymity beyond the wildest dreams of the spymasters of the Cold War.
This secret world can be accessed, however, if you know where to look and who to ask. Most dark web forums are very strict on membership, and usually require an existing member of the community to vouch for a newcomer's credibility. Even with this inroad, it can take six months to a year or more to be fully vetted and allowed into the community. Expensive entrance fees are also standard practice, running from US$ 500 (£394) to several thousand.
Once access has been granted, it's possible to gain powerful insight into how the cyber-underworld operates and utilise threat intelligence to predict trends and stop attacks. With machine learning, analytics tools can monitor both open and closed communication channels in real time, identifying spikes in key words and names that can mean a new vulnerability is for sale or an attack is being planned.
We most recently saw this with the discovery of a ransomware nicknamed Karmen, which used a unique distribution model to adjust the ransom demand to match the economic level of the target area. Once the ransomware scheme was unearthed, the seller had to shut down the operation due to the level of attention he was receiving.
These channels are thrumming with activity at all times, but a large-scale event like the Shadow Brokers leak essentially kicks over the hornet's nest and sets things into overdrive. The increased activity and singular focus also serve to give anyone watching even more useful and concentrated insight into the priorities and preferences of different groups.
Unsurprisingly we saw the most interest in the leaked tools from the Chinese and Russian communities, due to their advanced technical skills and extensive history of activity.
The exploit framework FUZZBUNCH and privilege escalation tool ETERNALROMANCE were of particular interest to all comers, along with the SMB malware ETERNALBLUE, which went on to be a crucial component of the global WannaCry ransomware attacks.
Aside from these areas of universal interest though, it was also possible to see different toolkits drawing more interest from particular groups. Chinese-speaking actors were particularly focused on the unique malware trigger point, and there were claims that the patches for CVE-2017-0143 through -0148 would not offer sufficient protection because they did not address the base code weaknesses.
A well-respected member of a top-tier Russian-speaking criminal community, meanwhile, quickly set about analysing both ETERNALBLUE and the DOUBLEPULSAR kernel payload. An in-depth tutorial was produced within three days and promptly spread far and wide. Considering that the two exploits were used as part of the WannaCry attack, it is very likely these guidelines helped the culprits prepare their attack.
With many tools from the initial leak yet to surface and the group now claiming it will release new leaks on a monthly basis, it's safe to say the Shadow Brokers group will continue to be a major point of focus for cyber-communities around the world.
With advanced threat actors being able to weaponise vulnerabilities in days, and even the fastest patches being delayed by relying on end-user updates, any future leaks will cause more waves in the cyber-community. While this will continue to provide valuable threat intelligence, the security industry will need to act swiftly to mitigate another global event.
Contributed by Andrei Barysevich, head of advanced collection, Recorded Future
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.