You are here

China eats NSA's lunch, uses its zero-days for a year

public://webform/writeforus/profile-pictures/richi-2016-480.jpg
Richi Jennings, Industry analyst and editor, RJAssociates

Chinese state-sponsored hackers have been making fools of the US National Security Agency. It turns out that Shadow Brokers weren’t the first to steal the NSA’s secret exploits.

NObody But US”—NOBUS, the NSA doctrine of not reporting vulnerabilities so it can keep them for itself—is once again under fire. It’s now believed that China has been using the NSA’s own spy tools since early 2016—months before any previously known leak.

You gotta be kidding me! Nope. In this week’s Security Blogwatch, we jest not.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: forgotten history.

[ Effective SecOps requires staying one step ahead. Get up to speed with this upcoming Webinar covering UEBA and MITRE ATT&CK ]

NOBUS? NOPE.

What’s the craic? Nicole Perlroth, David E. Sanger, and Scott Shane ’splain—How Chinese Spies Got the N.S.A.’s Hacking Tools:

[It’s] like a gunslinger who grabs an enemy’s rifle and starts blasting away. … The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.

The losses have touched off a debate within the intelligence community over whether the United States should continue to develop … cyberweapons if it is unable to keep them under lock and key. … Repeatedly over the past decade, American intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.

Buckeye is also referred to as APT3. [They] seem to have spotted an American cyberintrusion and snatched the code, often developed at huge expense to American taxpayers. … The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo.

[The] contractors used the repurposed American tools to carry out cyberintrusions in at least five countries: Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. [They] included scientific research organizations, educational institutions and the computer networks of at least one American government ally.

For American intelligence agencies [the] discovery presents a kind of worst-case scenario. … An N.S.A. spokeswoman said the agency had no immediate comment.

And Dan Goodin, in NSA has a new lapse:

One of the most significant events in computer security happened in April 2017, when a … group calling itself the Shadow Brokers published a trove of the [NSA’s] most coveted hacking tools. … The subsequent repurposing of the exploits in the WannaCry and NotPetya worms … made the theft arguably one of the NSA’s biggest operational mistakes ever.

On Monday, security firm Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. … The revelation that the powerful NSA tools were being repurposed much earlier … is sure to touch off a new round of criticism [of] the agency.

The researchers speculated that the hackers may have reverse-engineered technical “artifacts” they captured from attacks the NSA carried out on its own targets.

By the time … Microsoft patched the vulnerability in March 2017 [it] had already been exploited in the wild for [at least one year]. The earliest known instance of Buckeye using [it] came on March 31, 2016 in an attack on a target in Hong Kong. … An hour after the Hong Kong attack, Buckeye used [it] against an educational institution in Belgium.

Sometime in September, 2016, Buckeye unleashed a significantly updated variant … on an educational institution in Hong Kong. [It] was used again in June 2017 against a target in Luxembourg. From June to September of that year [it] infected targets in the Philippines and Vietnam.

Give me chapter and verse? Here are Symantec’s anonymous investigative gnomes:

In March 2016, Buckeye began using a variant of DoublePulsar … a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool … Bemstour.

Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) … due to the way the Windows SMB Server handles certain requests. … The second Windows vulnerability (CVE-2017-0143) … is a message type confusion vulnerability [and] was patched in March 2017 after it was discovered to have been used by two [NSA] exploit tools—EternalRomance and EternalSynergy … released as part of the Shadow Brokers leak.

The zero-day vulnerability allows for the leaking of information and can be exploited in conjunction with other vulnerabilities to attain remote kernel code execution. It was reported by Symantec to Microsoft in September 2018 and was patched on March 12, 2019.

What a mess. Brendan Karet—@bad_takes—blinks rapidly: [You’re fired—Ed.]

Everything Snowden warned us about is just being directed back at the US.

Flame on! Matt Blaze burns bright:

Exploits are, in effect, "secret weapons," with all that that implies: Once deployed, they don't stay secret for long (especially when used against sophisticated targets). Once this happens, only sensible policy is to disclose/fix the underlying vulnerability.

This is why we advocate … that exploits be understood as part of an ongoing lifecycle, culiminating in disclosure. … I understand that this is inconvenient for NSA and its suppliers.

It's natural that the people and agencies who find and use exploits would want to keep them secret forever. That's why we need a strong, meaningful policy process that considers other equities (namely, protecting the rest of us when others inevitably re-discover them).

Here’s an idea, from RandomDude:

Here’s an idea: Stop creating new frontiers of war, especially ones you can’t control.

Every company on Earth that makes cheap electronics is compromised in so many ways constantly that infosec is just basically non-existent in the real world. It might be wiser to stop exacerbating the problem and instead look for ways to bolster security fundamentally throughout society.

My professional opinion? We’re just ****ed.

But shouldn’t we just get used to the global supply chain? Areyoukiddingme responds to the oft-levied charge that it’s now “impossible for America to build its own computers”:

There are chip fabs. That's all. There are no mainboards made in the US anymore, and no company capable of doing it without expensive capital investment and a very long spin-up time.

Nor can you build a power supply. … It contains components which are manufactured nowhere in the US. There are essentially no discrete electronics manufactured in the US anymore, so anything built out of resistors, capacitors, diodes, or small transformers can not be made with US components. You can't even get the fiberglass sheet used as board insulator from a US factory anymore.

You can't even directly use the output of the US chip fabs anymore. They etch the wafers in the US, then ship them overseas for packaging.

And this Anonymous Coward manifestly approaches our destination:

How dare they hack us! With tools they took from us! That were meant for us to hack them!

You know: The kind that we declared not evil! Because it's us! And we are not the baddies! No siree! We just got them hacking tools to represent … freedom, I guess?

Meanwhile, Chris Wysopal—@WeldPond—sounds semi-serious:

Why have a vuln discovery and exploit development program when you can have a zero day detection and repurposing program?

The moral of the story?

Hobbs, Kerckhoffs, and Shannon were right: Security by obscurity is no security at all. Because a weapon in the wild can be reverse-engineered and used against you.

[ Get up to speed fast on today's tools with TechBeacon's Application Security Buyer's Guide 2019 ]

And finally

The Flint Wedding Sting

“Those who do not learn from history are doomed to repeat it.”


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Scott J. Waldron (cc:by)

[ Data privacy regs GDPR and CCPA are the new norm. Learn best practices from top organizations for staying on the right side of the law. ]