13 May 2019

THE STRANGE JOURNEY OF AN NSA ZERO-DAY VULNERABILITY INTO MULTIPLE ENEMIES HANDS; THE DIGITAL BOOMERANG EFFECT; DID EDWARD SNOWDEN PLAY A ROLE?


The title above comes from Andy Greenberg’s May 7, 2019 article in the cyber security and technology publication, WIRED.com. Mr. Greenberg begins by explaining that “the notion of a zero-day vulnerability in software is supposed to mean, by definition, that it’s secret.The term refers to a hackable flaw in code that the software maker doesn’t know about, but, a hacker does — in some cases offering that hacker a powerful, stealthy, skeleton key into the hearts of millions of computers. But according to new findings from the cyber security and technology firm, Symantec, one extraordinarily powerful flaw in Microsoft software, at one point remained “Secret,” to Microsoft, while at least three active hacker groups knew about it,” Mr. Greenberg notes. “And, both before and after that secret became public in early 2017, it took a long, strange trip through the hands of intelligence agencies around the world, enabling years of espionage, and eventually, mayhem.”

On Monday, Symantec “revealed that it had traced how a hacker group it calls Buckeye — also known as APT3, or Gothic Panda, and widely believed to be a contractor of the Chinese Ministry of Security Services — used NSA hacking tools, apparently intercepted from the networks of NSA targets and repurposed those tools to use against other victims, including U.S. allies,” Mr. Greenberg wrote. “Most notably, Symantec said, the Chinese groups’ hacking had implanted an NSA backdoor on the network of its victims,’ using a zero-day vulnerability in Microsoft’s Server Message Block (SMB) software, also seemingly learned by studying [reverse engineering] NSA’s hacking tools.”

“That newly revealed hijacking of NSA’s intrusion [intelligence collection] techniques doesn’t just dredge up longstanding questions about how and when the NSA should secretly exploit software vulnerabilities to use for spying, rather than help software companies fix them,” Mr. Greenberg wrote. “It also adds another chapter to this strange story of this particular zero-day’s journey: Created by the NSA, intercepted by China, later stolen, and leaked by another mysterious hacker group known as the Shadow Brokers, and ultimately used by North Korea and Russia in two of the most damaging and costly cyber attacks in history.”

“Based on what we know historically, it’s extremely unusual to have a zero-day be utilized like this by multiple groups, some of them unbeknownst to each other, for years,” said Eric Chien, a Symantec security analyst. “I can’t think of another case where something like this has ever happened.”

“With the addition of the Symantec findings, here’s what we know about the timeline of that zero-day’s path,” Mr. Greenberg wrote.

Born At The NSA

“The SMB vulnerability — labelled as CVE-2017-0143V and CVE-2017-0144, in two slightly different forms — appears to have been first discovered by NSA sometime before 2016,” Mr. Greenberg wrote; “though, the NSA has never publicly admitted to having used it; it wouldn’t be tied to the agency until it leaked in 2017, revealing its integration in NSA tools called EternalBlue, EternalRomance, and EternalSynergy.”

“The SMB zero-day, no doubt represented a kind of precious specimen for the agency’s spies: Microsoft’s SMB feature allows the sharing of files between PCs,” Mr. Greenberg wrote. “But, NSA’s researchers found that it [the zero-day] could be tricked into confusing harmless data with executable commands that an attacker injected via SMB into a computer’s memory. That made it a rare entry point that the NSA’s hackers could use to run their own code on practically any Windows machine with no interaction from the target user, and one that offered access to the computer’s kernel, the deepest part of its operating system.” “It’s exactly the kind of vulnerability someone would want,” Chien said.”The target doesn’t have to open a document, or open a website. You have a machine on the Internet and I can get you with it. I immediately have the highest privileges available to me.”

Or, as Matthew Hickey, founder of the cyber security firm, Hacker House, at one point described it: “It’s Internet God mode.”

Adopted By China

“Symantec found that by March 2016, the SMB zero-day had been obtained by the Chinese BuckEye [hacking] group, which was using it in a broad spying campaign,” Mr. Greenberg wrote. “The BuckEye hackers seemed to have built their own hacking tool from the SMB vulnerability; and just as unexpectedly, were using it on the victim’s computers to install the same backdoor tool, called DoublePulsar, that the NSA had installed on its targets’ machines. That suggests the hackers hadn’t merely chanced upon the same vulnerability in their research — what the security world calls bug collision; they seemed to somehow have obtained parts of the NSA’s [intelligence collection] toolkit.”

“Symantec researchers say they still don’t how the BuckEye hackers got the NSA’a hacking secrets,” Mr. Greenberg wrote. “But, Symantec’s Chien said “their theory is the tools were found in victims’ networks, reverse-engineered, and repurposed.” “It doesn’t look like they had the exploit executables,” said Jake Williams, a former NSA hacker and now founder of the cyber security firm, Rendition InfoSec, who reviewed Symantec’s findings. “But, it’s possible they were able to steal them [when they were] being thrown at targets by monitoring network communications.”

“Symantec said it detected BuckEye hackers in five different intrusions, stretching from March 2016, to August 2017, all using the combination of the SMB exploit, and the NSA’s backdoor exploit, DoublePulsar,” Mr. Greenberg wrote. “Those intrusions, all seemingly bent on espionage, hit telecommunications companies, as well as research and educational organizations in Hong Kong, the Philippines, Vietnam, Belgium, and Luxembourg.”

Leaked And Weaponized

“Starting a year after those stealthy intrusions began, however, NSA’s zero-day was hijacked in a far more public fashion,” Mr. Greenberg explained. “In April 2017, a still mysterious [hacking] group calling itself the Shadow Brokers, dumped the NSA’s EternalBlue, EternalRomance, EternalSynergy, and DoublePulsar tools into public view, part of a series of leaks from that group that had started the previous summer with a failed attempt to auction the [data collection] tools to the highest bidder. It’s still entirely unclear how the NSA’s crown jewels ended up in the hands of the Shadow Brokers, though theories include a rouge NSA insider selling the tools, and hackers chancing upon an NSA “staging server,” a machine used as a kind of remote outpost from which to launch [intelligence/data collection] operations.”

“Anticipating the leak, Microsoft had pushed out an emergency SMB patch, after a warning from the NSA,” Mr. Greenberg wrote. “Nonetheless, over the next two months, EternalBlue and EternalRomance were integrated into a pair of nation-state cyber attacks that hit the vast numbers of [then] still unpatched computers across the globe. with catastrophic consequences.”

“First, the North Korean-coded WannaCry worm, tore through the Internet, combing EternalBlue with a ransomware payload that encrypted hundreds of thousands of computers, from police departments in India, and universities in China, to the National Health Service in the United Kingdom,” Mr. Greenberg wrote. The next month, Russian military intelligence hackers [GRU], combined EternalBlue and EternalRomance with the open source hacking tool, Mimikatz to create an even larger digital debacle. That second worm was targeted at Russia’s enemies in Ukraine, and wiped an estimated 10 percent of the country’s computers. But, it quickly spread beyond Ukraine’s borders, paralyzing companies such as Maersk, a European subsidiary of FedEx, U.S pharmaceutical giant Merck, and many others, costing a record-breaking $10B in damage.”

“Despite NSA’s decision to help Microsoft patch Microsoft’s SMB flaw before those attacks, the agency has already faced plenty of criticism for having kept its zero-day secret for as long as it did,” Mr. Greenberg observed. “But, with Symantec’s latest revelations, the knowledge of yet another hacker campaign that somehow obtained that zero-day and using it for global spying will no doubt spark those criticisms again.” “The entire affair “may lead to a re-examination of the White House’s so-called Vulnerabilities Equities Process, a system of determining which flaws that U.S. agencies discover, should be patched, and which ones should be used [exploited] for operations,”intelligence/data collection. “No matter how you play it, the fact that someone else besides the Shadow Brokers had these exploits — is extremely concerning, and raises serious issues about our Vulnerabilities Equities Process,” Williams said.

“But, others counter that the reuse of hacking tools by adversaries, should be part of the expected cost of using them in the first place,” Mr. Greenberg wrote. “And as Symantec’s BuckEye research shows, that cost may be entirely hidden: The reuse of a zero-day by an adversary can remain as secret as its initial use years afterward — more than three years in this case.”

“When you utilize a vulnerability, it has a chance to be discovered,” Chien said. We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies.”

“Now that nation-state cyber weapons have been leaked, hacked, and repurposed by American adversaries,” Mr. Chien added, “it’s high time nation-states “bake that into” their analysis of the risk of using cyber weapons — and the very real possibility they will be reassembled [reverse engineered] and shot back at the United States, or its allies,” the May 6, 2019 edition of the New York Times wrote.

“The Chinese appear not to have turned the weapon back on the United States for two possible reasons,” Symantec said: “They might have assumed the Americans have developed defenses against their own weapons; and, they might not want to reveal to the United States that they had stolen the tools.”

According to all the publicly available reporting on this, the NSA zero-day got into the digital wild at least sometime in 2016, if not sooner. It was in May of 2016, that former NSA contractor and U.S. fugitive Edward Snowden initially fled to Hong Kong, before seeking asylum in Putin’s Russia. While in Hong Kong, Mr. Snowden wittingly or unwittingly, was likely ‘hosted’ by the Chinese Ministry of State Security. The idea that China did not find a way to surreptitiously steal at least some, if not all the highly sensitive, purloined NSA tools and collection techniques Snowden had in his possession — does not pass the smell test. Given that real possibility, it was only another year-and-a-half or so that this zero-day exploit appeared in the wild, The time lag could be explained for several reasons. It may have taken the Chinese intelligence analysts to understand just what they had in the first place; and, make a judgment as to whether the information was genuine or, a well-conceived deception operation. It would also have taken the Chinese some period of time to reverse-engineer the data collecting/stealing malware, and conduct some trial-and-error operations to witness its effectiveness, as well as any weaknesses. Finally, the Chinese may not have wanted U.S. intelligence officials to know that Beijing had scored an intelligence coup with Edward Snowden, and decided to carefully, and surgically employ these precious cyber intelligence weapons elsewhere. The unanswered question is, was this collection tool already developed and in use before Mr. Snowden defected to Russia? If yes, then, this is something to strongly consider. If not, then perhaps from the files that former NSA employee Nghia Hoang Pho took to his residence several years ago.

Whatever the case, it is clear that these very precious cyber intelligence weapons will remain vulnerable to the trusted insider; and, there will always be the threat that somehow, at some point, they will either fall into the wrong hands, and/or, be discovered and reverse-engineered. The biggest worry is that some of the ones that we currently employ may have already been compromised; and, we’re being fed what appears to be genuine intelligence; but, is instead, part of a sophisticated denial and deception (D&D) campaign. And, since we have let that skill set (D&D), wither on the vine in the intelligence community — we are more susceptible to being deceived.

No comments: