Could WikiLeaks dumping CIA code create the next WannaCry or NotPetya?

In an age of nation-state level cyberwarfare, countries with the best hacking tools are the new military powers. The US has been aggressive in efforts to find new and powerful vulnerabilities to exploit, and slow in disclosing them to technology vendors. But it has also not been effective in keeping those secrets from falling into the hands of hackers such as the Shadow Brokers and whistle-blower sites such as WikiLeaks and the Intercept.

Which raises the question: how much damage can such leaks do, and should the likes of WikiLeaks be disclosing them in the first place?

 

Vault 7 showed capabilities, Vault 8 shows actual code

With Vault 7, WikiLeaks documented many of the CIA’s activities and capabilities. Though it led to revelations about how the intelligence agency could hack all manner of devices and systems – from cars and smart TVs to web browsers and operating systems – it never explicitly outlined how these attacks were carried out.

The Vault 8 disclosures, however, see the whistle-blower site take a different approach. The leaks will release source code for those CIA software projects. So far, only one project – a backend infrastructure project called Hive – has been released. But more are due to follow, and this could potentially have major repercussions.

NSA-based exploits published by the Shadow Brokers hacker group led to both the WannaCry and NotPetya attacks, while some suggest that many of the publicised methodologies used by the NSA have also been adopted by cyber criminals. WikiLeaks claims that the material published in Vault 8 will not contain zero-days or other vulnerabilities which could be repurposed by others. However, some remain unconvinced.

“Do they remember what happened last time such exploit code was leaked? Stand by for another WannaCry,” tweeted Professor Alan Woodward, visiting professor at the University of Surrey's department of computing.

 

Does Hive pose a threat?

Hive, previously mentioned in Vault 7 documents, is a malware control system designed to help the CIA manage servers infected with its malware, including the ability to build fake security certificates for Kaspersky.

According to WikiLeaks’ analysis: “Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.”

Though Hive itself isn’t actually malware and doesn’t contain any zero-day vulnerabilities, it may well have its uses for bad actors.

“The methodology that is used for the Command and Control (C2) structure of The Hive is standard for botnets,” says Alex Heid, Chief Research Officer at risk monitoring startup SecurityScorecard. “But it makes use of several interesting advanced methods for obfuscation and evasion which are currently used by existing malicious actors, and portions of the source code and infrastructure design are likely to be repurposed by malicious actors in the near future.”

“Hackers already have existing tools but Hive may well contain new tricks and optimisations they could use,” says Lance Cottrell, Chief Scientist, Ntrepid. “The source code provides very little additional understanding of the programs in question, while absolutely helping criminal hackers become more effective.”

Even when such leaks don’t contain vulnerabilities, they raise the bar for hackers. Even if there is nothing within the Hive source code that could benefit cybercriminals directly, leaks like this often inspire them to create their own tools with similar capabilities, or simply to adopt principles used by the likes of the CIA to further their own endeavours.

“Any time details about specific tools, tactics, and procedures are made available to the public they are very quickly adopted into use for new emerging threat attack methodologies,” says SecurityScorecard’s Heid.
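The thread running through the quotes above is that a C2 platform of the kind WikiLeaks describes has to call home on a schedule to pick up instructions and drop off exfiltrated data, and that schedule is visible in egress logs. The following script is an added example, not code from the article, from WikiLeaks or from Hive itself: it flags source/destination pairs whose connection intervals are suspiciously regular (a low coefficient of variation of the gaps between connections). The log format and the sample lines are constructed for this example; the hostnames are placeholders.

```python
"""Beacon-interval check over constructed proxy log lines.

Added example: a scheduled C2 check-in shows up in egress logs as
near-constant gaps between connections to one destination, whereas
human browsing produces irregular gaps. Log format and sample lines
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>"
SAMPLE_LOG = """\
2017-11-10T09:00:00 10.0.0.5 updates.example-vendor.test 512
2017-11-10T09:00:04 10.0.0.5 news.example.test 20480
2017-11-10T09:05:00 10.0.0.5 updates.example-vendor.test 520
2017-11-10T09:07:31 10.0.0.5 mail.example.test 3300
2017-11-10T09:10:01 10.0.0.5 updates.example-vendor.test 508
2017-11-10T09:15:00 10.0.0.5 updates.example-vendor.test 515
2017-11-10T09:16:45 10.0.0.5 news.example.test 18000
2017-11-10T09:20:00 10.0.0.5 updates.example-vendor.test 511
2017-11-10T09:25:01 10.0.0.5 updates.example-vendor.test 509
2017-11-10T09:41:12 10.0.0.5 news.example.test 25000
"""


def parse_lines(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def beacon_candidates(records, min_hits=4, max_cv=0.1):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    cv = population standard deviation / mean of the gaps between successive
    connections. A tiny cv means near-constant spacing, which is what a
    scheduled check-in looks like. Pairs with fewer than min_hits connections
    are ignored because the statistic is meaningless on tiny samples.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    results = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results[pair] = {
                "hits": len(times),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return results


if __name__ == "__main__":
    for pair, info in beacon_candidates(parse_lines(SAMPLE_LOG)).items():
        print(pair, info)
```

On the constructed sample the only pair reported is the one polling `updates.example-vendor.test` every five minutes; the news and mail hosts are either too infrequent or too irregular to qualify. In practice the threshold and minimum hit count need tuning against a baseline of legitimate software update traffic, which also beacons, so a hit is a lead to investigate rather than a verdict.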

 

Should WikiLeaks be sharing source code?

While it’s easy to argue that the public have a right to know how the government is using technology to gather information on them, the question of whether WikiLeaks is doing the public a service by publishing the actual source code to anyone who wants it is far more difficult to answer. Is it informing the public, educating companies about risks, or simply empowering hackers? It’s an issue made all the more complicated by WikiLeaks’ often controversial political manoeuvres and its founder’s adversarial style.

WikiLeaks and its founder Julian Assange reportedly offered the details of the leaks to tech companies ahead of time back in March, and though some companies did issue patches as a result, it’s unclear how successful this process was. Many of the people contacted for this story agree that WikiLeaks should disclose vulnerability information (or Indicators of Compromise (IOC)) to vendors privately, whether or not the rest of the code is released.

“Sometimes, with WikiLeaks, it can be difficult to decide whether the information it discloses is a public service or a threat to the national security of some nation or other,” says Lee Munson, Security Researcher at Comparitech.com and security blogger. “In the case of potential source code leaks, I suspect it is intended as the former but likely to pan out like the latter.

“Given the fact that WikiLeaks doesn’t have an endless budget to throw at every document it reviews, it may not intend to release any zero days or other types of vulnerabilities, but you can bet the bad guys will be swarming over the code like vultures, looking for the next WannaCry or NotPetya type of attack vector.

“Letting the world know what the CIA is capable of is one thing, enabling attackers to replicate that capability is something else entirely.”

Andrew Howard, CTO of Kudelski Security, is equally unsure:

“It is a classic cybersecurity ethical dilemma. On one hand, releasing the source code will eliminate the information advantage by attackers, on the other, it will enable many attackers to conduct extremely effective attacks that they could not accomplish without the source code against victims who did not heed the warning.

“If the only option is a one-shot public release, I would advocate against the release – the short-term impact to worldwide security far outweighs the transparency advantages.”

For others, it is black and white: WikiLeaks is in the wrong.

“There is no moral justification for these source code releases which don’t even have an arguable social good and certainly create societal harm,” says Ntrepid’s Cottrell. “Past WikiLeaks source code dumps have included unknown exploits which inflicted massive damage to innocent businesses and individuals.”

“Leaking of classified material in this way is reckless,” warns Graeme Park, Senior Consultant at Mason Advisory. “If it contains details of old or supposedly patched vulnerabilities there are likely still some legacy systems that will be exploitable, and it can also damage intelligence agencies’ abilities to collect sensitive data on high value targets. A more cautious approach should be taken, by ensuring vendors have time to patch before disclosure and liberalist political agendas do not endanger further lives through irresponsible actions.”

“The code shouldn't have been leaked but it was and now we have to deal with the fallout from it,” said Cody Swann, CEO of Gunner Technology. “To take WikiLeaks at their word [over there being no zero-days in the leaks] is almost as irresponsible as letting the code leak in the first place.”

However, if one were to take an optimistic view, it could be argued that public information about hacking techniques can also empower security teams.

“The intelligence being leaked, including true methods and frameworks for attack, actually goes beyond a single exploit,” says Stephen Moore, Chief Security Strategist at Exabeam. “It’s not every day that intelligence such as this becomes available to so many. The contents of Vault 8 are beneficial to both defenders and attackers and will, without question, change the defences of the advanced and cause others to refactor their future operations.”

Marc Laliberte, Information Security Threat Analyst at WatchGuard, agrees:

“These [Hive and the CIA’s Marble Framework from Vault 7] releases thus far are to the benefit of security professionals as they enable us to better understand how the CIA used these tools and give us a better chance at detecting them and similar tools.

“If WikiLeaks sticks to their ‘no exploit code’ stance, I don’t think we have anything to fear from their source code leaks.”

 

More proof vulnerability disclosure needs reassessing?

If nothing else, these leaks reaffirm the fact that vulnerability discovery and disclosure by intelligence agencies – and especially how such vulnerabilities are kept and secured – needs to be brought under the microscope.

“Government investment in offensive cyber capabilities across the entire world has a profound impact on the overall threat level businesses and individuals have to contend with, even if not specifically targeted,” says Charl van der Walt, Chief Security Strategist at SecureData. “We can observe that directly in specific exploits and tools as we did with WannaCry or NotPetya. Or we can observe it in the form of directed attacks on the Ukrainian power grid or against the US Elections.”

The WannaCry and NotPetya attacks showed that while the government has sophisticated offensive cyber capabilities, its own security practices for keeping those damaging capabilities secret and protected were not up to scratch. That is why many organisations are concerned that the government continues to defend its stance of finding, but not sharing, the exploits it discovers.

“One of the risks of holding onto this information is the possibility of it getting stolen or leaked which we saw with the NSA’s EternalBlue exploit, which was used in the WannaCry attack,” says Chris Wysopal, co-founder and CTO of Veracode.

“The vulnerability information, exploit tools, and attack software developed by the US Govt intelligence agencies is extremely powerful given the resources put into their creation and the fragility of global IT infrastructure.”

The White House recently released a new Vulnerabilities Equities Process (VEP) Charter, designed to bring more clarity to the process by which the US Government and intelligence agencies decide when to hold on to or disclose vulnerability information. Rob Joyce, Special Assistant to the President and Cybersecurity Coordinator, has previously claimed that “north of 90%” of the vulnerabilities discovered by the NSA are disclosed and patched. He recently gave a talk outlining some of the details around the inner workings of the VEP.

“For any organisation, including the CIA, to operate on the pretence that it can keep secrets is a doomed strategy from the very beginning,” according to the Prpl Foundation’s Chief Security Strategist Cesare Garlati, “for the simple reason that there is little accountability for the responsibility of keeping these secrets.”

“Just because a vulnerability may not be considered a zero-day any longer, doesn’t mean it can’t be exploited widely – just look at how much ‘end of life’ technology is in use still today; for example, Windows XP. So in this case, yes it is irresponsible to release it under the assumption that it couldn’t possibly have a devastating effect.”

 

Dan Swinhoe

Dan is Senior Staff Writer at IDG Connect. Writes about all manner of tech from driverless cars, AI, and Green IT to Cloudy stuff, security, and IoT. Dislikes autoplay ads/videos and garbage written about 'milliennials'.