The Shadow Brokers Vulnerability Equities Process: NSA Has Had at Least 96 Days to Warn Microsoft about These Files

On January 8, Shadow Brokers announced an auction of Windows Warez, with lists of the exploits he/they had for sale (these two posts from Malware Jake provide analysis of them). Four days later, SB released a different set of Windows exploits, a more dated set that (SB claimed) Kaspersky Labs had had some visibility onto. The Windows files released today include the ones offered for sale back in January, down to the version numbers. Compare, in particular, the touch, exploit, and payloads with this screencap. SB announced Fuzzbunch and DanderSpritz in January, too.

That’s a critical detail for the debate going on on Twitter and in chats about how shitty it was for SB to release these files on Good Friday, just before (or for those with generous vacation schedules, at the beginning of) a holiday weekend. While those trying to defend against the files and those trying to exploit them are racing against the clock and each other, it is not the case that the folks at NSA got no warning. NSA has had, at a minimum, 96 days of warning, knowing that SB could drop the files at any time.

The big question, of course, is whether NSA told Microsoft what the files targeted. Certainly, Microsoft had not fully responded to that warning, as hackers have already gotten a number of these files to work.

With WikiLeaks’s Vault 7 files, it’s at least possible the CIA doesn’t know precisely what got leaked to WikiLeaks, even though the government immediately identified when and how the files were breached. The NSA cannot make that claim here, at least not with the Windows files. SB was kind enough to provide warning. The question is, what did NSA do with that warning.

The fact that SB provided that warning, though, should have very serious ramifications for the Vulnerabilities Equities Process, under which the NSA is supposed to consider whether it is better to alert companies to exploits or to sit on them and use them. It’s one thing to decide NSA’s spying takes precedence over the security of the customers of big American companies. It’s another thing to keep those exploits in a way that makes them vulnerable to theft, as both CIA and NSA have done.

But it should be beyond question that when an intelligence agency gets a very detailed list of a group of exploits a malicious entity plans to release, the agency should warn the American companies affected.

Update: Microsoft told Sam Biddle they haven’t heard from any “individual or organization.”

A Microsoft spokesperson told The Intercept “We are reviewing the report and will take the necessary actions to protect our customers.” We asked Microsoft if the NSA at any point offered to provide information that would help protect Windows users from these attacks, given that the leak has been threatened since August 2016, to which they replied “our focus at this time is reviewing the current report.” The company later clarified that “At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers.”

I think there’s actually some wiggle room in there. We shall see how long it takes MSFT to patch this stuff.

Update: MSFT released a statement that said all but three of these had been addressed. Three of them were addressed in their March update, and another this year. Which would suggest NSA did warn them.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

13 replies
  1. SpaceLifeForm says:

    Thinking outside the box (not much actually):

    What if SB is really an arm of MS?

    “you need to upgrade now, it would be a shame if you got hacked”

    The proverbial fork in the road.


    • SpaceLifeForm says:

      MS comment:

      https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

      Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

      [Interesting that they reference the exploit codenames. But, of course, push upgrades.
      Note the blog post URL: protecting customers (think protection racket), evaluating risk (think getting hacked, and difficulty of converting to a different platform). But long run, everyone must realize that MS provides no indemnity]

      [the grugq tweets]

      https://mobile.twitter.com/thegrugq/status/853142591289802752

      Books will be written about this brilliant marketing move.

      [There are related tweets that follow the grugq and my drift:

      “Unless Microsoft IS the leaker! Aha!
      Master class move ms, releasing your own vulns.” – @bigendiansmall

      “That’s some 4 dimensional solitaire” – @outsh1ned

      “if Microsoft knew the vulns existed and left them in for the NSA until they were exposed, I guess they wouldn’t have anyone to credit ” – @rjcc ]

      [Think outside the box. You are at a fork in the road]

      • SpaceLifeForm says:

        Hmmm. Let’s parse carefully.

        “which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.”

        First, I can find no references to Exchange in the SB dumps. So, what is MS really saying here?

        For starters, you have to be on 7 or later *AND* you have to be updated with latest patches. This would be a workstation, i.e., a client machine.

        But the reference to Exchange 2010 is interesting. Because Exchange needs an AD server on a separate server, best I can determine is that at least Server 2008 R2 is needed. But why does MS *not* say that?

        And why is Exchange even mentioned?
        Why not say that the servers should be 2008 R2 at minimum?

        Seems like this is a bit of obfuscation.

        I suspect more holes still to be exploited, especially in a business or government environment, where their IT reviews documentation, says meets the minimum requirements, and still works.

  2. Gama Xul says:

    Once people realize the civilian software systems are left vulnerable on purpose to allow Feds easy access to spy on Americans.. Eh, probably nothing will happen. Microsoft knows of their vulnerabilities but they don’t care because they’re already spying on you and your browsing habits because you’re leasing their operating system. They have so many telemetry and remote file access abilities; it’s ridiculous. The NSA and Microsoft have made backchannel deals to spy on us.

    Yes, it’s illegal. But they don’t care, and who’s going to stop them? Seriously.

  3. jerryy says:

    “… Which would suggest NSA did warn them.”

    If they did, it was more due to the threat of the SB releasing the information than a beforehand regard for the safety of the millions of US citizens in some kind of danger because of these exploits.

    It is also possible that Microsoft decided to pay the bounty to the SB after the SB initially came forth with their claims way back when about having the tools. Or some other researcher(s) could have also independently found these and reported them to Microsoft. There are lots more groups than the NSA looking for the holes.

  4. SpaceLifeForm says:

    No way MS paid SB. It conflicts with yesterday's dump even happening and the fact that MS did not do the February patch tuesday 2017-02-14.

    Likely the February patch tuesday was skipped because the exploits were not easily fixed.

    Which says that MS was well aware of the holes before then. Which they *should* have been if they were being proactive because of the initial dumps. Alternatively, they always knew they existed (at least some inside MS – MS is heavily compartmented, like MIIC), so then it became a CYA mode for cover.

    Interestingly, Office updates were also skipped for February.

  5. jerryy says:

    SpaceLifeForm
    April 15, 2017 at 3:04 pm

    “No way MS paid SB. It conflicts with yesterday's dump even happening and the fact that MS did not do the February patch tuesday 2017-02-14.

    Likely the February patch tuesday was skipped because the exploits were not easily fixed.”

    These do not contradict the idea of Microsoft paying bounties to the SB. If the vulnerabilities were tricky to fix, then the extra time needed to patch the problem would be taken into consideration before releasing the information to the general public.

    “Microsoft offers direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques.”
    https://technet.microsoft.com/en-us/library/dn425036.aspx
    https://technet.microsoft.com/en-us/security/dn425055.aspx

    • SpaceLifeForm says:

      Good point but does not preclude SB being an arm of MS. Originally, SB would dump all to a highest bidder. Let’s see if more gets dumped.

      “you can observe a lot by just watching” – Yogi Berra

  6. bloopie2 says:

    Whoever’s watching the Bahrain F1 race is a hypocrite. Giving it your eyeballs so they can get higher ratings. Support that brutal dictatorship! Good Work!

  7. SpaceLifeForm says:

    Re the Vault7 dump.

    Objection! Assumes facts NOT in evidence.

    “With WikiLeaks’s Vault 7 files, it’s at least possible the CIA doesn’t know precisely what got leaked to WikiLeaks, even though the government immediately identified when and how the files were breached.”

    No. All we really know is that they have excuses. Some have alleged that those who have leaked stuff from CIA to media (NYT,WP) have been identified. But there is no word that they are even closely related to Vault7.

    As to the ‘when’ and ‘how’, they are likely just guesses at this point. They may have been fooled by misdirection.

    CIA should be working hard right now studying the SB dump.

    Spy vs Spy.

    • SpaceLifeForm says:

      Some “fingerprints” that may point to where the Vault7 dump came from, but not the ‘who’.
      The “fingerprints” I am referring to are the description of the comms between the target machines and the C2 machines.

      https://theintercept.com/2017/03/30/meet-the-midwestern-contractor-that-appears-hundreds-of-times-in-the-cia-wikileaks-dump/

      “Another document says that Xetron developed software that routes communications back and forth between computers compromised by the CIA and command servers also controlled by the agency.”

      And this tidbit from last Friday from WL that may have flown under the radar because of the SB dump the same day.

      https://wikileaks.org/vault7/?hive#Hive

      “Today, April 14th 2017, WikiLeaks publishes six documents from the CIA’s HIVE project created by its “Embedded Development Branch” (EDB).

      HIVE is a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets. HIVE is used across multiple malware implants and CIA operations. The public HTTPS interface utilizes unsuspicious-looking cover domains to hide its presence.

      Anti-Virus companies and forensic experts have noticed that some possible state-actor malware used such kind of back-end infrastructure by analyzing the communication behaviour of these specific implants, but were unable to attribute the back-end (and therefore the implant itself) to operations run by the CIA. In a recent blog post by Symantec, that was able to attribute the “Longhorn” activities to the CIA based on the Vault 7, such back-end infrastructure is described:

      For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.”

      [If the developers of Vault7 tools actually are at Xetron, this does not mean someone there was the source. It may be that someone at Xetron got phished, which provided a path to CIA network, where ultimately the set was retrieved from (WL says was CIA machine).
      Another possibility is that enough pieces of info were exfiltrated from Xetron to piece together the comms and a honeypot was set up that ultimately provided the path to CIA machines.]

      [Xetron folks should be busy analyzing the SB dump too. They may be infected and have been the vector to the Vault7 dump]
