First we had “CloudBleed”. Now we have a “massive” CIA “hack”. If you’re a conspiracy theorist does it get much better than that. Yep. Sure does. I’m departing from my usual fare this time to address some technical issues that seem to me to go way beyond the conspiracy hype we are seeing a lot of lately.
I wonder how closely “Cloudbleed” and these “Vault 7” exploits are linked with each other. We have had two major security issues within a couple of weeks. This is not good for 3rd party systems linked to Bitcoin.
— Kakmakr in the bitcointalk.org forum
Then, of course, for hard-core conspiracy buffs there’s always Kim Dotcom:
I call for @BillGates to tell the truth. MS let the government in. MS aided them in creating those backdoors. Bill knew what was going on.
— Kim Dotcom – Twitter
Let’s start with “Vault 7” and the CIA hack. The latest on this is that it likely was not a hack – I do agree with that… not likely that some hacker is going to break into one of our classified networks and judging from the notations on the Directory for this first batch, there are classified documents/tools suggesting that they would be behind a classified infrastructure. Current wisdom is that a contractor filched the stuff and hustled it over to WikiLeaks.
I went through the first batch – superficially, I admit, but there is a lot to look through here. However, at first blush, I see a lot of things I see regularly in the underground. While it is rare for everything in this particular batch to appear in the same place at the same time, many of the tools and techniques are pretty standard fare in the hacking community.
What I did see, however, was a pretty good effort at post mortems on TTPs and an effort to improve. Some of our commercial companies could benefit from learning how to do that. There were some interesting approaches to spying, but none of the drama that I was expecting based upon reports in the mainstream media. There were some nice frameworks for new developer training, although they mostly were empty of any meat. That said, there was a fair bit of unclassified training material that I recommend to anyone teaching malware or software forensics.
While this collection has largely been touted as a collection of hacking tools, it more accurately is a collection of technical training modules (yes, with some hacking tools), and pretty good ones at that. While it is quite unfortunate that this has been leaked, the cat is out of the bag and the question, in my view, is how to make lemonade out of this lemon. There are some excellent university security programs that have good technical capabilities. While I never would recommend that classified pieces of this be used, there are some superb modules that enterprising professors might well incorporate into various technical security – and computer science – courses.
Reuters has reported that WikiLeaks is holding back binaries until some of the larger tech companies have analyzed them and responded accordingly. That being the case, my view is that this is a very positive step. I tend to have mixed emotions of WikiLeaks. On one side, they tend to be pretty reliable, like it or not. On the other, there is a huge space for debate – and quite a polarized one at that – on their motives versus national security. I don’t intend to enter that debate since I tend to be a dispassionate technical analyst. Facts are facts and that is my focus, not politics.
That said, when WikiLeaks comes up with a dump it certainly is worth taking seriously. In this case there is nearly no doubt that the leak occurred, original source notwithstanding, and, in fact, that the CIA has been aware of it since late 2016.
Now on to CloudBleed. Did it happen? Really? Yes, and Cloudflare admits it and has described exactly what caused the problem. Assuming that they’re telling the truth (and it certainly looks as if they are) that’s a pretty good example of transparency. But let’s take a deeper look at both sides of that coin. Without going into a lot of depth the technical analysis seems reasonable. Jumping back into the Dark Web, though we find on CVV2Finder (see Figure 1)
Figure 1 – CVV2Finder Dark Web Dump Shop
the following offer:
Figure 2 – Cloudflare Breach For Sale
Figure 3 from the same card shop suggests that they are so busy organizing the results of the breach that they don’t have time for some of their regular business. That is the side of the coin that suggests that the breach happened (rather than a leak, which is what really happened) and CVV2Finder was able to harvest the results (which is what Cloudflare denies).
If we do a bit of skulking around the Dark Web looking for evidence that supports CVV2Finder we find none. That does not, by itself, obviate the statement that CVV2Finder has 150 million fresh logins for sale at a paltry $250K. However, it does raise one’s “Spidey Sense” and suggests that all is not right with the claim. I reached out to CVV2Finder for his answer and he has yet to respond… when/if he does I’ll put the response here.
In the interest of getting this out while it still is of interest, I’ll pass on your numbers this time and we’ll pick them up on the next round.