After the discovery of the Triton/Trisis malware, security teams, whether part of private organisations or governmental CERTs, have been working to understand its real impact and its modus operandi, and to provide solutions to mitigate the risk. The Siemens team, as the main actor, has been one of them.
However, as mentioned in an online article by Cyberscoop on 16 January 2018, the investigation should follow a specific process to avoid creating new risk. It seems that, in this case, the process was not defined properly, as sensitive data was released to the open internet (via an upload of a library file to the public VirusTotal database) without control. Even though the information was removed from the database within 24 hours, researchers, and potentially anyone, were able to download the file and learn more about the malware, for good or bad reasons. Information could also be found on a GitHub account. Even if the vulnerability rating score for the corresponding CVE has not yet been decided, its computation should take this unexpected event into account, since exploiting the vulnerability should now be easier, or at least within reach of many.
How should we consider this “incident” from a general security management point of view and from the ATENA project point of view?
- From a general security point of view, several critical points can be mentioned. First of all, the classification of such information does not seem to have been really managed: if the targeted library file had been properly classified as confidential information, storing it in a public repository would have been forbidden. If the file had been properly classified, the main issue was then the access rights to this document, especially the right to copy or download the file without specific access rights or a management process. A more strategic remark: it seems that the key point was that the person responsible for the upload thought that the VirusTotal community could be an asset to understand the malware, to avoid risk or to raise awareness. Even if good reasons led to this action, the management process for such dissemination should have assessed the collateral risk before any dissemination.
- From the ATENA project point of view, one fact should be mentioned: the ATENA architecture has been designed so that all information regarding an incident is recorded in a specific forensic database, with specific access rules, and can be shared with investigating organisations according to a specific and controlled process.
In conclusion, to paraphrase the wise man: “there is a time to speak, and there is a time to be quiet”. This wise statement should also apply to forensic analysis, to avoid an awareness action turning into a leak that increases the risk for everybody.