<h1>ShadowBroker Notice: Probably want to pay attention</h1>
<p>securitycurve.com, 2017-05-23</p>
<p>Mike Mimoso over at Threatpost has a <a href="https://threatpost.com/shadowbrokers-planning-monthly-exploit-data-dump-service/125710/">great article up</a> about the next round of potential vulnerabilities from the Shadow Brokers. Now, of course I always love reading an article from Mike – he's one of those folks who could write about bread mold and I'd find it interesting – but this particular one is absolutely, no-foolin' worth a read. I say that because it covers the truly strange and ridiculous (but, to the outside observer, compelling) conflict between the Shadow Brokers and the Equation Group.</p>
<p>To recap, the Shadow Brokers (going to call them SB to save letters from now on) are the <del>state-sponsored Russian hacking group</del> folks that brought us the EternalBlue exploit and the DoublePulsar tool a few months back. They got it from the <del>NSA</del> Equation Group (EG to save space) originally, but it was all very strange because they first tried to auction off a miscellaneous set of tools to the highest bidder. There weren't any takers (because… would you expect there to be?), so they dumped a bunch of <em>really sophisticated</em> tools into the aether: some really nasty vulnerabilities, a fairly sophisticated (but <a href="https://github.com/pwnieexpress/metasploit-framework">arguably unnecessary</a>) intrusion toolkit, backdoors, etc.</p>
<p>The impact was off the charts. For example, the reason that WannaCry was possible was the issue it exploited – the CVSS 9.3 little gem in SMB that was fixed by <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">MS17-010</a>. Anyway, the SB are at it again – this time claiming that they have all sorts of other 0-day issues: potentially in browsers, potentially newer (post-2013) issues in Windows, issues in the banking ecosystem related to SWIFT transactions (funds transfer), etc. They are once again stating that they intend to try to auction these off, one per month (like an "exploit of the month club").</p>
<p>They could of course be bluffing. Though personally I doubt it. Any sysadmin will tell you how extraordinarily difficult it is to restore an already-hacked environment to a state where you have assurance that the bad guys don't have access anymore. If SB did in fact have access to EG systems at some point (which clearly they did, given the last round of dumped tools), then there are a few ways that they could still have access now:</p>
<ol>
<li>Whatever access path they had before wasn't closed off (the "nobody noticed" scenario)</li>
<li>The original exploitation vector and C&amp;C channel were closed off, but they established some other C&amp;C vector (the "filthy rootkit" scenario)</li>
<li>They were able to extrapolate then-current research from data they collected while they did have access (the "reverse engineering" scenario)</li>
</ol>
<p>The other side of the coin is that maybe they were irrevocably locked out in 2013. That's possible. But it would beg the question of what they get in return for bluffing now. How exactly would that benefit them? All someone would have to do is call the bluff and they'd look ridiculous. I can't see that happening – because I'm really skeptical that someone will pay them this time around. So the bluff is very likely to get called. Couple that with the relatively likely outcome that they still had some access pathway past 2013, and the tea leaves suggest that there are more tools coming. That's speculation on my part, but I wouldn't be surprised.</p>
<p>What's interesting to me about this, primarily, is whether or not the EG (or someone else) will pay them. SB says that they're not particularly interested in the issues themselves – or, in fact, the money. What they say they want is for the EG to address them as equals. So what exactly would be the benefit of someone paying them the money? That the issues don't get leaked? The issues are still there whether or not they're known publicly. And I strongly doubt that EG is going to ante up a bunch of bitcoin to keep the issues from being posted (not to mention the whole non-negotiation policy).</p>
<p>For us on the sidelines, the practical effect is to be on the lookout. If these issues do get published – and they're as bad as SB says they are – we could be looking at some serious impact once they surface. Watch this space.</p>