When too much is not enough too much

News has spread pretty quickly about the latest IE 0-day exploit. Unfortunately, in trying to publicize the quality of his employer’s product in relation to this new exploit, according to Ryan Naraine, a researcher at McAfee inadvertently divulged too much information about the vulnerability leading to some unintended consequences.

The consequences were – the prompt creation of a PoC Metasploit module for the vulnerability, turning what was once an exploit used in targeted attacks into a potentially widespread issue for users IE 6 and 7.

What exactly was divulged? Well, I was curious too, as I frequently am faced with what information I should or should not mention. It turns out that all that was divulged was a list of file names involved with the exploit and malware dropped by the exploit, and the domain name that the malware connected to.

It seems pretty reasonable to list that information in a blog post, right? Surely someone writing IDS signatures would find the URL used by the malware useful, and other anti-virus researchers might gain benefit from knowing the file names associated with the attack.

This leads to the question then, exactly what can be safely disclosed? Should nothing be disclosed? As a technical individual I get frustrated when an author redacts all important information in regards to indentifying a threat; the McAfee researcher was obviously trying to keep people like myself interested.

My suggestion for researchers writing about live threats is simple. If the domain(s) hosting un-patched exploits are still active, don’t post the URL or filenames associated with the exploit: frequently Google will happily locate the page for you.

Does this mean researchers shouldn’t share key information about live threats? Of course not, we do it all the time. But not in public – there are plenty of secure methods for sharing details about live threats.

When too much is not enough too much

Your email address will not be published.



Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Subscribe to our weekly e-mails

The hottest research right in your inbox