CISOs whose staff use the commercial Shellter Elite antivirus evasion software in security testing to detect vulnerabilities need to update to the latest version immediately, following the recent discovery that threat actors are using a stolen copy to distribute malware.
It’s not because the abuse of security tools is news — it isn’t. Threat actors have been leveraging stolen or copied versions of the Cobalt Strike adversary simulation tool for years to help in their attacks. But for CISOs, this incident raises another question: How fast should security researchers notify a vendor that a product has been compromised before publicly announcing the vulnerability?
In this case, on July 2, Elastic Security Labs, part of Elastic, the maker of the Elasticsearch platform and an endpoint security solution, blogged that it had found multiple infostealer campaigns using what appeared to be a compromised version of Shellter Elite 11.0 to get around IT defenses.
That version of the application was released April 16. Elastic says that, late that month, its researchers identified multiple campaigns deploying various information stealers protected by Shellter Elite.
In a reply on July 4, the Shellter Project thanked Elastic for providing manipulated samples that helped the vendor confirm the identity of the customer involved, who is believed to have leaked their copy of the software, which threat actors subsequently took advantage of. Shellter says it has a “rigorous vetting process” to determine who is allowed to buy its security products, but “a company which had recently purchased Shellter Elite licenses had leaked their copy of the software” to outsiders.
But Shellter also blasted Elastic for not alerting it quickly. “Elastic Security Labs chose to act in a manner we consider both reckless and unprofessional,” the company complained in its blog. “They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety.
“Due to this lack of communication, it was sheer luck that the implicated customer did not gain access to our upcoming release. Had we not postponed the launch for unrelated personal reasons, they would have received a new version with enhanced runtime evasion capabilities—even against Elastic’s own detection mechanisms.”
Shellter Elite has a number of capabilities, including managing the runtime evasion steps red teams need to load their command-and-control beacons while concealing test attacks from defending blue teams. These capabilities, which would be equally valuable to threat actors, include the ability to evade static and dynamic analysis.
Asked for a reply, the Elastic Security Labs team said in an email to CSO today that it became aware of potentially suspicious activity on June 18. Its blog, however, says that in late April its researchers noticed multiple financially motivated infostealer campaigns that had been using Shellter to package payloads.
Asked to explain the discrepancy in dates, Elastic said the file creation metadata of the malware samples were obtained in June.
Elastic also says in its statement to CSO that it “promptly began investigating behaviors we identified as previously undetected malicious activity using publicly available information and telemetry voluntarily shared by our users. Following our initial investigation and after rigorous analysis, we determined that the publicly available tool, Shellter, was being used for evasion purposes. Our findings were published within two weeks of this determination.”
The blog and research were “conducted in line with our commitment to transparency, responsible disclosure, and a defender-first mindset,” the statement says.
“We publish our findings directly and transparently to inform defenders as quickly as possible, as is industry standard and part of the work for our customers and users,” the statement adds. “Our priority is to inform the security community promptly and accurately about our research. We believe the public interest is best served by disclosing research as quickly as possible, once a thorough analysis has been concluded, to help defenders respond to emerging threats, including techniques used to bypass security controls.”
Asked for comment on whether it has heard from Elastic, a Shellter spokesperson said it outlined its position in its blog.
However, one expert says this isn’t a case of ethical vulnerability disclosure. Instead, says Robert Beggs, head of Canadian incident response firm Digital Defence and a user of Shellter products, it’s a clash of very different perspectives on keeping networks secure: Offensive (Shellter) versus defensive (Elastic).
“The entire goal of Elastic is to be able to detect the Shellter application,” Beggs said in an email to CSO.
“Why wouldn’t Elastic want to publicize that it has the ability to detect a tool like Shellter’s? Being able to do so goes beyond good publicity, it demonstrates the real value of Elastic against a tool that is designed to hide from it.”
“Shellter might not like it,” he said, “but Elastic did a good analysis of the event” in its blog.
There are no ethics between two diametrically opposed vendors, he argued. “Imagine if a company found that their product was used to bypass Microsoft Defender, a common defensive tool,” he said. “Is there an ethical obligation to immediately warn Microsoft? Or, is it the responsibility of Microsoft to monitor the environment, identify failures of its own tool, reverse engineer WHY the failure took place, and then alter Defender to compensate for the new attack? Clearly, Microsoft has always assumed the responsibility of looking after its own tool, and making it effective at its job.
“In the same way, Elastic is not responsible to go to Shellter to tell Shellter how their tool is being used, or how they can detect it,” he wrote.
“Shellter has not made its case,” Beggs maintained. “There is no ‘ethical violation’. Elastic did a great job of finding the ‘enemy’ and should enjoy the reward of reporting this to the world. Shellter has tried to take the high moral road, apologizing to its customers for ‘the inconvenience this may have caused’. What inconvenience? Someone else misused a product that does not impact any other customer in any way.
“Shellter has created a tempest in a teapot, invoking a concept of ‘responsible disclosure’ that really does not exist between vendors of offensive and defensive products. And considering this to be some violation of non-existent ethics is an extreme, and poor, interpretation of the events,” Beggs said.
There are no hard rules for vulnerability disclosure. However, a number of organizations do have guidelines.
For example, the Open Web Application Security Project (OWASP) has guidelines for researchers and for vendors or organizations. One key recommendation: Researchers may decide to publicly disclose a hole, but this should be done only in response to an organization ignoring reported vulnerabilities, to put pressure on it to develop and publish a fix.
OWASP prefers a vulnerability be reported privately to the developers. The organization or individual developer may then choose to publish the details of the vulnerabilities, but, OWASP stresses, this is done at the discretion of the developer or organization, not the researcher.
Security researchers, OWASP says, should
ensure that any testing is legal and authorized;
respect the privacy of others;
make reasonable efforts to contact the security team of the organization;
provide sufficient details to allow the vulnerabilities to be verified and reproduced;
not demand payment or rewards for reporting vulnerabilities outside of an established bug bounty program.
Organizations should
provide a clear method for researchers to securely report vulnerabilities;
clearly establish the scope and terms of any bug bounty programs;
respond to reports in a reasonable timeline;
communicate openly with researchers;
not threaten legal action against researchers;
request CVEs where appropriate;
publish clear security advisories and changelogs;
offer rewards and credit for discoveries.