Vault7 and Shadow Brokers leaks – A commentary

Easter eggs: From the CIA and NSA with love…

Just as Network administrators the world over were enjoying our long Easter weekend, Wikileaks released yet another batch of documents from CIA’s virtual armoury, Vault7.

The documents detail the purpose and inner workings for the HIVE. The HIVE is a Command & Control (C&C) and data exfiltration infrastructure designed for performing covert operations against an already compromised target presumably via physical means or social-engineering.

According to previous leaks released by Wikileaks, the CIA’s virtual armoury contains zero-day exploits against many major consumer and enterprise products that we all directly or indirectly use.

At the same time, Shadow Brokers released what the Security community dubbed as ‘the most powerful cache of exploits’ to date which includes exploits against a range of Microsoft products and damning evidence that the NSA has used those exploits to infiltrate banks in the Middle East.

For those who are unaware of what Shadow Broker is, they are a hacker group claiming that it has compromised and stolen ‘weaponized’ exploits from a NSA linked hacker group.

Why the leak?

From this point onwards, all views or opinions expressed are mine and mine only. If you have got a disagreement, let’s talk about it like civilized human beings. 😉

The question on everybody’s mind is no doubt how could such a leak happen to an organization where secrecy is their way of life?

One would also think that these intelligence agency have robust user education, access control policies and network segmentation in place. In the case of the CIA’s Vault7 leak, it could be an insider job while the NSA’s Shadow Brokers leak could be a simple case of little or no oversight of exploit libraries being used and stored by NSA contractors.

This goes to show no matter how sophisticated Data Leak Protection is or how robust user education is, all it takes is a disgruntle employee or lack of control over sensitive assets to unravel all deployed countermeasures.

What’s next?

Microsoft released a statement advising that vulnerabilities listed in the leaks has been fixed by patches released a month prior while Cisco has sent out security advisories to customers advising of patches or workarounds.

Most of the exploits leaked are classed zero-day, hence there is not much proactive measures that consumers and enterprises can take except for updating their systems as patches are released and adhering to security best practices.

The deployment of these exploits require some element of social-engineering and physical access to work successfully. By denying potential attackers both pre-requisites will blunt their infiltration attempts but as I have mentioned; there is nothing more vulnerable than the human psyche.

Further Reading

For those who are interested, I have a couple of links for further reading.

  • https://www.wired.com/2017/04/major-leak-suggests-nsa-deep-middle-east-banking-system/
  • https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/
  • https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
  • http://www.wired.co.uk/article/longhorn-symantec-vault-7-cia-files

Leave a Reply

Your email address will not be published. Required fields are marked *