Of Course Everyone's Already Using the Leaked NSA Exploits

When unreported bugs get out, every petty criminal and curious teen starts taking advantage of them.

Last week, an anonymous group calling itself the Shadow Brokers leaked a bunch of National Security Agency hacking tools. Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.

All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.

Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt, a security researcher at NYU, set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities. For his experiment, Dolan-Gavitt used a Cisco security software bug from the leak that people have learned to fix with workarounds, but that doesn't have a patch yet.

Within 24 hours Dolan-Gavitt saw someone trying to exploit the vulnerability, with a few attempts every day since. "I’m not surprised that someone tried to exploit it," Dolan-Gavitt says. Even for someone with limited technical proficiency, vulnerable systems are relatively easy to find using services like Shodan, a search engine of Internet-connected systems. "People maybe read the blog post about how to use the particular tool that carries out the exploit, and then either scanned the Internet themselves or just looked for vulnerable systems on Shodan and started trying to exploit them that way," Dolan-Gavitt says. He explains that his honeypot was intentionally very visible online and was set up with easily guessable default passwords so it would be easy to hack.
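The kind of lure described above, reduced to its essentials, as an added example that is not Dolan-Gavitt's honeypot or any code from the article: a listener that never answers, only records who connected, when, and what they sent first, plus the summary a researcher would compute from that log (time to first contact, attempts per day, distinct sources). The bind address, port 8443, and the sample records are assumptions constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
"""Minimal TCP honeypot and attempt summariser (added example, not the article's code)."""
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records in the shape the listener below appends:
# (UTC timestamp, peer IP, first bytes received). Assumed deployment time.
DEPLOYED_AT = datetime(2016, 8, 18, 8, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    (datetime(2016, 8, 18, 9, 0, tzinfo=timezone.utc), "198.51.100.7", b"GET /login HTTP/1.1\r\n"),
    (datetime(2016, 8, 18, 20, 30, tzinfo=timezone.utc), "203.0.113.9", b"POST /cgi-bin/ HTTP/1.1\r\n"),
    (datetime(2016, 8, 19, 3, 15, tzinfo=timezone.utc), "203.0.113.9", b"\x16\x03\x01"),
    (datetime(2016, 8, 20, 11, 45, tzinfo=timezone.utc), "192.0.2.44", b"admin\r\n"),
]


def summarize(records, deployed_at):
    """Hours from deployment to the first attempt, plus attempts per UTC day."""
    if not records:
        return None, {}
    ordered = sorted(records, key=lambda r: r[0])
    hours_to_first = (ordered[0][0] - deployed_at).total_seconds() / 3600
    per_day = Counter(r[0].date().isoformat() for r in ordered)
    return hours_to_first, dict(per_day)


def distinct_sources(records):
    """Peer addresses seen, deduplicated, so repeat visitors stand out."""
    return sorted({r[1] for r in records})


def _handle(conn, addr, records, lock):
    """Log the first bytes a client sends, then close without answering.

    The listener never speaks first and never replies, so it cannot be
    turned into a relay; its only job is to timestamp and attribute contact.
    """
    conn.settimeout(5)
    try:
        first_bytes = conn.recv(512)
    except OSError:  # timeout, reset, etc.
        first_bytes = b""
    finally:
        conn.close()
    with lock:
        records.append((datetime.now(timezone.utc), addr[0], first_bytes))


def serve(bind="127.0.0.1", port=8443, records=None, stop=None):
    """Accept connections until `stop` (a threading.Event) is set; returns the log."""
    records = records if records is not None else []
    stop = stop or threading.Event()
    lock = threading.Lock()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        srv.settimeout(1)  # wake periodically to check `stop`
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=_handle, args=(conn, addr, records, lock), daemon=True).start()
    return records


if __name__ == "__main__":
    hours, per_day = summarize(SAMPLE_RECORDS, DEPLOYED_AT)
    print(f"first attempt after {hours:.1f} h; attempts per day: {per_day}")
    print("sources:", distinct_sources(SAMPLE_RECORDS))
    # To watch live contacts on localhost instead, run: serve(records=[])
```

The summary functions are separated from the listener so the same analysis can be run over a log collected by any sensor; with the constructed records, the first attempt lands one hour after deployment and the same source returns the next day, which is the pattern worth watching for.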

The findings highlight one of the potential risks that come with hoarding undisclosed vulnerabilities for intelligence-gathering and surveillance. By holding on to bugs instead of disclosing them so they can be patched, spy agencies like the NSA create a potentially dangerous free-for-all if their exploits are exposed.

Companies like Cisco, Juniper, and Fortigate, which had products affected by the Shadow Brokers leak, scrambled for days to patch the bugs or offer workarounds. But even if a patch exists, people have to install it. A leak like this calls attention to particular bugs, putting systems with the vulnerabilities at high risk for being targeted. "Once these zero days are exposed, there's a very small window that you have in order to address those vulnerabilities or exposures," says David Kennedy, CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps' signal intel unit. "There are a number of groups that actively scan the Internet looking for exposures and vulnerabilities so they can get their own access: everything from organized crime to hacker groups to people who are doing ransomware techniques."

The data in last week's Shadow Brokers leak has been definitively linked to the National Security Agency, but speculation continues about how it got out and who leaked it. Maybe someone inside the NSA stole the code. Maybe a nation state like Russia hacked the agency.

Whether you agree with the agency's overarching mission or not, it is clear that there is danger and collateral damage when guarded exploits leak. Intelligence officials told The Week on August 19 that the NSA knows that outsiders sometimes steal its exploits. "It's kind of dangerous," Kennedy says, "because the NSA had these capabilities, which I believe they definitely should have, but when an exploit is discovered I think they should work on responsible disclosure with the affected parties."

The irony is that incredibly clever and sophisticated exploits that potentially cost millions of dollars to develop can end up in the hands of the masses and wreak havoc. As Dolan-Gavitt puts it, "Now bored teenagers can use them."