It’s been another banner year for leakers. In May, Wikileaks released the CIA’s Vault7 cyberwarfare documentation [1], and the Shadow Brokers released NSA exploit information, including the Windows EternalBlue [2] exploit. EternalBlue was quickly weaponized into the WannaCry ransomware that pummeled the Internet for days. The Petya/NotPetya ransomware hitting Eastern Europe is also reportedly using EternalBlue to infect machines. This is all bad, but what’s worse is the revelation of how the intelligence community uses tools and methodologies to find vulnerabilities and build exploits. It’s akin to how Eli Whitney’s principle of interchangeable parts [3] marked the beginning of the industrial revolution. The information in these leaks provides a blueprint on how to build a semi-automated malware factory. This how-to manual for advanced exploitation is a quantum leap in hacking techniques, which bad guys are already learning from. Intelligence agency high-powered attack frameworks like FuzzBunch, Athena/Hera, and OddJob are all laid out for review with technical notes, assembly instructions, and experimental commentary. It’s a treasure trove for someone looking to build a similar system. In all, there were three significant revelations within these leaks:
Scary stuff. What are the implications? In the next 12 to 36 months, we’re going to see the bad guys using these techniques to build the next generation of attacks. We can expect to see:
Imagine the WannaCry type of attack as the new normal. Be prepared to weather continuous attacks by zero-day exploits against any and all applications and platforms. The background radiation of the Internet is going to tick up to a new level of toxicity.
Powered by big data, machine learning, and natural language processing engines, expect phishes and false websites to be nearly indistinguishable from the real things. Natural language processing tools will eliminate the clunky non-native language that often gives away the fake sites. It’s already hard enough for users to discern reality. It’s going to be much worse.
I don’t mean just new worms, but imagine the equivalent of a web drive-by attack extended to major services and even mobile platforms. This means attacks going after the major application platforms where just using a client app on a phone can mean getting hit with something nasty. We’re talking mass exploitation automatically scaled.
Attacks will be launched from C&C networks that have never been seen before and will never be seen again. Domain analysis for malware C&C networks will become an obsolete art. IP reputation filters will become useless.
If there are continuous attacks powered by rapid fire of large numbers of zero-day exploits, you will need strong incident response capabilities coupled with a solid anti-DDoS strategy. With nearly perfectly customized lures to get users to click as well as “click-free” attacks, organizations will likely require more advanced defensive technical measures for stopping phishing and malware attacks. With attacks being launched from untraceable, disposable infrastructures, better threat intelligence and smarter blocking will be required because static domain and IP filtering will be useless. If you are considering a move to multifactor authentication, now would be the time to start. And, as always, patch as fast as you can.
MODIFIED: Aug 09, 2017