How a Private Dust-Up Over Publicizing Exploits Became Very Public
A recent article in The Washington Post brought to the public eye an issue most non-Security folks have probably never thought about. It centers on a Jan. 11 press announcement from BitDefender, a Romanian cybersecurity firm that published a free tool designed to help victims of DarkSide ransomware attacks decrypt data locked up by the hacker group’s malicious code. Turns out BitDefender found a vulnerability in DarkSide code that could be exploited by the tool—exploited for good.
BitDefender generated some (at least temporary) goodwill by galloping in on its white-hat horse to rescue companies from the DarkSide. Everything was great for 24 hours, until the next day when DarkSide announced it had patched its own vulnerabilities, rendering the BitDefender exploit kit useless.
“New companies,” the hacker group said, “have nothing to hope for.”
The price of going public
One of those hopeless companies turned out to be Colonial Pipeline Co., another low-profile entity suddenly thrust into public view in May when a DarkSide ransomware attack shut down Colonial’s 5,500-mile fuel pipeline.
As ransomware exploits go, the Colonial attack was especially pernicious. Because Colonial’s pipeline carries 45% of the fuel used on the East Coast, its shutdown triggered soaring gas prices, panic buying throughout the Southeast, and the closure of thousands of gas stations. Colonial paid $4.4 million in ransom (though the FBI managed to seize $2.3 million of that amount by snatching up 63.7 bitcoin, a rare partial win for a ransomware victim).
The interesting twist in this story is that BitDefender wasn’t the only entity with exploit code capable of helping DarkSide victims. Two other researchers, Fabian Wosar and Michael Gillespie, discovered the DarkSide vulnerability and quietly offered their own decryption tool to victims. BitDefender could have taken that approach. But while it was less likely to tip off the hacker group, it’s also admittedly haphazard, since Wosar and Gillespie could only offer their tool to organizations known to have been attacked by DarkSide, and many ransomware attacks aren’t made public.
The question is, had BitDefender also stayed below the radar, could the damage from the Colonial shutdown have been minimized? Put another way, did BitDefender’s going public with their decryption tool give DarkSide an edge?
By now it’s clear the answer to both questions is most likely yes. The public release of BitDefender’s DarkSide neutralizer prompted the hacker group to quickly find and patch its own vulnerabilities. New victims now had only one way to unlock their networks once attacked: pay the ransom.
This isn’t a new controversy
All this brought to light the age-old controversy within the Security community about whether publishing exploit or proof-of-concept code is a net positive or negative for defenders.
Until recently, it was largely a philosophical debate, one fueled by the belief among certain Security researchers that transparency is preferable to secrecy in almost every scenario. These researchers, after all, generally announce newly discovered vulnerabilities or publish exploit code not to aid bad actors, but to prompt vendors to publish the patches their customers need to protect their infrastructures. (Vendors, of course, would much prefer being alerted first so they can have time to write and release that patch before hackers can pick up the scent. And as I’ve noted before, how quickly vendors respond to possible exploits has a huge impact on the efficacy of their customers’ vulnerability management programs.)
Thanks to some new research, however, this debate is no longer philosophical. In fact, the data shows releasing exploit code before a patch is available does more harm than good.
You’ll find the details in the seventh and most recent edition of our joint research series with the Cyentia Institute. In Prioritization to Prediction 7: Establishing Defender Advantage, we analyzed more than 6 billion vulnerabilities affecting 13 million active assets across nearly 500 organizations.
Among the discoveries:
- When exploit code is published before vendors offer a patch, it gives attackers a nearly 100-day head start against defenders, allowing attackers to deploy an exploit faster and more frequently than defenders can patch the vuln.
- The disclosure of exploit code—usually in repositories like GitHub or in exploit kits or tools—triggered a massive volume of exploitation.
- About 85 percent of exploitation volume comes from vulnerabilities with published exploit code.
This research builds on analysis in Prioritization to Prediction 6: The Attacker-Defender Divide. That report showed that the release of exploit code does not lead to earlier remediation. So while the intention of researchers who publish exploit code may be to help defenders, the result is actually the opposite.
Most cybersecurity ecosystem dramas play out far away from the eye of the general public. That changed this year when an exploit kit targeting infamous ransomware code suddenly became publicly available. Was it a good thing for BitDefender to go public with its DarkSide rescue tool? Before you decide, you might want to ask Colonial Pipeline.
Take a deep dive into the implications of exploit code releases in Prioritization to Prediction 7: Establishing Defender Advantage.