blog / Jun 27, 2017

NSA, CIA Leaks Provide a Roadmap to Stealthier, Faster, More Powerful Malware Like SambaCry and NotPetya

by Mike Convertino

It’s been another banner year for leakers. In May, Wikileaks released the CIA’s Vault7 cyberwarfare documentation,1 and the Shadow Brokers released NSA exploit information, including the Windows EternalBlue2 exploit. EternalBlue was quickly weaponized into the WannaCry ransomware that pummeled the Internet for days. The Petya/NotPetya ransomware hitting Eastern Europe is also reportedly using EternalBlue to infect machines. This is all bad, but what’s worse is the revelation of how the intelligence community uses tools and methodologies to find vulnerabilities and build exploits. It’s akin to how Eli Whitney’s principle of interchangeable parts3 marked the beginning of the industrial revolution. The information in these leaks provides a blueprint on how to build a semi-automated malware factory. This how-to manual for advanced exploitation is a quantum leap in hacking techniques, which bad guys are already learning from. Intelligence agency high-powered attack frameworks like FuzzBunch, Athena/Hera, and OddJob are all laid out for review with technical notes, assembly instructions, and experimental commentary. It’s a treasure trove for someone looking to build a similar system. In all, there were three significant revelations within these leaks:

  • The assembly line of vulnerability exploitation. Intelligence agencies use highly simplified tools to find vulnerabilities, and then provide a framework to simplify exploitation of those vulnerabilities. The leaks show exactly how to operate the tools with specific configurations, products, and methods to go against specific targets. I’m sure someone is already working on their own version of this.
  • Obfuscated infrastructure. The leaks specify how to generate obfuscated infrastructure to support the attack with segregated environments for exploitation, command and control (C&C), and exfiltration. The frameworks provide the most thorough obfuscation seen so far in the public record.
  • The use of APIs to mix-and-match on the fly. The WannaCry malware used one exploit, EternalBlue. However, look at EternalRocks.4 It has seven discrete exploits combined. The leaks showed that the tools can dynamically combine and recombine exploits and payloads as needed for a specific target.

What Happens Now?

Scary stuff. What are the implications? In the next 12 to 36 months, we’re going to see the bad guys using these techniques to build the next generation of attacks. We can expect to see:

Perpetual Storms of Malware

Imagine the WannaCry type of attack as the new normal. Be prepared to weather continuous attacks by zero-day exploits against any and all applications and platforms. The background radiation of the Internet is going to tick up to a new level of toxicity.

Perfect Lures

Powered by big data, machine learning, and natural language processing engines, expect phishes and false websites to be nearly indistinguishable from the real things. Natural language processing tools will eliminate the clunky non-native language that often gives away the fake sites. It’s already hard enough for users to discern reality. It’s going to be much worse.

Click-Free Attacks

I don’t mean just new worms, but imagine the equivalent of a web drive-by attack extended to major services and even mobile platforms. This means attacks going after the major application platforms where just using a client app on a phone can mean getting hit with something nasty. We’re talking mass exploitation automatically scaled.

Untraceable Attacks

Attacks will be launched from C&C networks that have never been seen before and will never be seen again. Domain analysis for malware C&C networks will become an obsolete art. IP reputation filters will become useless.

Preparing for the Onslaught

If there will be continuous attacks powered by rapid-fire of large numbers of zero-day exploits, you will need strong incident response capabilities coupled with a solid anti-DDoS strategy. With nearly perfectly customized lures to get users to click as well as “click-free” attacks, organizations will likely require more advanced defensive technical measures for stopping phishing and malware attacks. With attacks being launched, untraceable disposable infrastructures, better threat intelligence and smarter blocking will be required because static domain and IP filtering will be useless. If you are considering a move to multifactor authentication, now would be the time to start. And, as always, patch as fast you can.


1 https://en.wikipedia.org/wiki/Vault_7

2 https://en.wikipedia.org/wiki/EternalBlue

3 http://www.history.com/topics/inventions/interchangeable-parts

4 https://www.cnet.com/news/doomsday-worm-eternalrocks-seven-nsa-exploits-wannacry-ransomware/

MODIFIED: Aug 09, 2017

Tags: , , , ,
stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.