Select Page

Mike Mimoso over at the Threat Post has a great article up about the next round of potential vulnerabilities from the Shadow Brokers. Now, of course I always love reading an article from Mike – he’s one of those folks that could write about bread mold and I’d find it interesting – but this particular one is absolutely, no-foolin’ worth a read.  I say that of course because it covers the truly strange and ridiculous (but yet compelling to the outside observer) conflict between the Shadow Brokers and the Equation Group.

To recap, the Shadow Brokers (going to call them SB to save letters from now on) are the state-sponsored Russian hacking group folks that brought us the EternalBlue exploit and the DoublePulsar tool a few months back.  They got it from the NSA Equation Group (EQ to save the space) originally, but it was all very strange because they tried first to auction off a miscellaneous set of tools to the highest bidder.  There weren’t any takers (because… would you expect there to be), so they dumped a bunch of really sophisticated tools into the aether: some really nasty vulnerabilities, a fairly sophisticated (but arguably unnecessary) intrusion toolkit, backdoors, etc.

The impact was off the charts. For example, the reason that WannaCry was possible was because of the issue it exploited – the CVSS 9.3 little gem in SMB that was fixed by MS17-010.  Anyway, the SB are at it again — this time claiming that they have all sorts of other 0-day issues – potentially in browsers, potentially newer (post-2013) issues in Windows, issues in the banking ecosystem related to SWIFT transactions (funds transfer), etc.   They are once again stating that they intend to try to auction these off, one per month (like an “exploit of the month club”).

They could of course be bluffing.  Though personally I doubt it.  Any sysadmin will tell you how extraordinarily difficult it is to restore an already-hacked environment to a state where you have assurance that the bad guys don’t have access anymore.  If SB did in fact, have access to EG systems at some point (which clearly they did because of the last round of dumped tools), then there are a few ways that they could still have access now:

  1.  Whatever access path they had before wasn’t closed off (the “nobody noticed” scenario)
  2. The original exploitation vector and C&C channel was closed off, but they established some other C&C vector (the “filthy rootkit” scenario)
  3. They were able to extrapolate then-current research from data they collected while they did have access (the “reverse engineering” scenario)

The other side of the coin is that maybe they were irrevocably locked out in 2013.  That’s possible.  But it would beg one to ask the question of what they get in return for bluffing now.  How exactly would that benefit them?  All someone would have to do is call them on the bluff and they’d look ridiculous.  I can’t see that happening – because I’m really skeptical that someone will pay them this time around.  So the bluff is very likely to get called.  Couple that with the relatively likely outcome that they still had some access pathway in past 2013 and the tea leaves suggest that there are more tools coming. That’s speculation on my part, but I wouldn’t be surprised.

What’s interesting to me about this primarily is whether or not the EG (or someone else) will pay them.  SB says that they’re not particularly interested in the issues themselves – or, in fact, the money.  What they say is that they want is for the EG to address them as equals.  So what exactly would the benefit be of someone paying them the money?  That the issues don’t get leaked?  The issues are still there whether or not they’re known publicly.  And I strongly doubt that EG is going to ante up a bunch of bitcoin to keep the issues from being posted (not to mention the whole non-negotiation policy.)

For us on the sidelines, the practical effect is to be on the lookout.  If these issues do get published – and they’re as bad as SB says that they are – we could be looking at some serious impact once they surface.  Watch this space.