Archive for the ‘NSA’ Category

10,000 Windows computers may be infected by advanced NSA backdoor – Ars Technica

A script scanning the Internet for computers infected by DoublePulsar. On the left, a list of IPs Shodan detected as having the backdoor installed. On the right, the pings used to manually check whether a machine is infected.

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

A map of affected countries. (Image: Below0day)

Countries most affected, based on IP addresses returned in a scan performed by Below0day. (Image: Below0day)

Partial results of a Below0day scan. (Image: Below0day)

Not everyone is convinced the results are accurate. Even 30,000 infections sounds extremely high for an implant belonging to the NSA, a highly secretive agency that almost always prefers to abort a mission over risking its being detected. Critics speculate that a bug in a widely used detection script is generating false positives. Over the past 24 hours, as additional scans have continued to detect between 30,000 and 60,000 infections, a new theory has emerged: copycat hackers downloaded the DoublePulsar binary released by Shadow Brokers and used it themselves to infect unpatched Windows computers.

"People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could," Dan Tentler, founder of the security consultancy Phobos Group, told Ars. "On the part of Shadow Brokers, if their intention was to get mass infections to happen so their NSA zerodays got burned, the best [approach] is to release the tools [just before] the weekend. DoublePulsar is a means to an end."

Tentler is in the process of running his own scan, using the Shodan computer search service together with the DoublePulsar detection script. So far, he has run a manual spot check on roughly 50 IP addresses that the scan reported as infected; every one of the manual checks confirmed the host was running the NSA backdoor. Once installed, DoublePulsar listens for specially formed SMB traffic sent to TCP port 445. When such a probe arrives, the implant returns a distinctive response, and that response is what the detection script keys on. Security best practice almost always dictates that port 445 should not be exposed to the open Internet, but Tentler said that advice is routinely ignored.
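To make the check behind those spot checks concrete, here is an added example, written for this page and not code from Ars Technica, Tentler or Phobos Group. It decodes SMB1 replies and applies the Trans2 Multiplex ID test that public DoublePulsar detection scripts use: the scanner sends a Trans2 SESSION_SETUP probe with MID 0x41, and an infected host answers with MID 0x51 instead of echoing the probe's MID. That signature is an assumption taken from those scripts, not from the article. All frames and host addresses are constructed inline and nothing is sent on the wire. The article's caveat still applies: a 0x51 reply says the host answers the way the implant does, not who installed it, so malformed or off-command replies are deliberately never counted as hits, and a hit is something to confirm by hand as Tentler did.

```python
"""Decode SMB1 responses and apply the DoublePulsar Trans2 MID check.

All sample frames below are constructed for this example. The signature
(probe sent with MID 0x41; implant answers with MID 0x51) is assumed from
public DoublePulsar detection scripts, not taken from the article.
"""
import struct
from dataclasses import dataclass

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41          # Multiplex ID the scanner places in its Trans2 probe
DOUBLEPULSAR_MID = 0x51   # assumed implant signature, returned instead of the echoed 0x41


@dataclass
class SmbHeader:
    command: int
    status: int
    flags: int
    flags2: int
    tid: int
    pid: int
    uid: int
    mid: int


def parse_netbios_frame(frame: bytes) -> bytes:
    """Strip the 4-byte NetBIOS session header (type 0x00 + 3-byte big-endian length)."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    payload = frame[4:]
    if len(payload) < length:
        raise ValueError("truncated NetBIOS payload")
    return payload[:length]


def parse_smb_header(payload: bytes) -> SmbHeader:
    """Decode the fixed 32-byte SMB1 header (MS-CIFS section 2.2.3.1)."""
    if len(payload) < 32 or payload[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    # after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
    # SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID (all little-endian)
    (command, status, flags, flags2, pid_high, _sec, _res,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", payload[4:32])
    return SmbHeader(command, status, flags, flags2, tid,
                     (pid_high << 16) | pid_low, uid, mid)


def build_smb_frame(command: int, mid: int, status: int = 0, tid: int = 0,
                    pid: int = 0xFEFF, uid: int = 0, body: bytes = b"") -> bytes:
    """Build a NetBIOS-framed SMB1 reply; used here only to construct samples."""
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", command, status,
        0x98,      # Flags: reply bit set, as a server response carries
        0xC807,    # Flags2: plausible filler, not used by the check
        pid >> 16, b"\x00" * 8, 0, tid, pid & 0xFFFF, uid, mid)
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def classify_trans2_response(frame: bytes) -> str:
    """Classify one reply to the Trans2 SESSION_SETUP probe.

    'infected'   : Trans2 reply carrying MID 0x51 (the implant's answer)
    'clean'      : Trans2 reply echoing the probe's MID 0x41
    'unexpected' : any other command or MID; never counted as a hit
    """
    hdr = parse_smb_header(parse_netbios_frame(frame))
    if hdr.command != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr.mid == DOUBLEPULSAR_MID:
        return "infected"
    if hdr.mid == PROBE_MID:
        return "clean"
    return "unexpected"


def summarize_scan(responses):
    """Tally verdicts over (host, reply_frame) pairs, the way a scan script would."""
    counts = {"infected": 0, "clean": 0, "unexpected": 0, "error": 0}
    hits = []
    for host, frame in responses:
        try:
            verdict = classify_trans2_response(frame)
        except ValueError:
            verdict = "error"     # malformed or truncated reply: never a hit
        counts[verdict] += 1
        if verdict == "infected":
            hits.append(host)
    return counts, hits


# Constructed samples (RFC 5737 documentation addresses). The Trans2 reply body
# is a minimal empty response: WordCount 10, ten zero words, ByteCount 0.
TRANS2_EMPTY_BODY = b"\x0a" + b"\x00" * 20 + b"\x00\x00"
CLEAN_REPLY = build_smb_frame(SMB_COM_TRANSACTION2, mid=PROBE_MID,
                              status=0xC0000002, body=TRANS2_EMPTY_BODY)
INFECTED_REPLY = build_smb_frame(SMB_COM_TRANSACTION2, mid=DOUBLEPULSAR_MID,
                                 body=TRANS2_EMPTY_BODY)
SAMPLE_SCAN = [
    ("192.0.2.10", CLEAN_REPLY),
    ("192.0.2.11", INFECTED_REPLY),
    ("192.0.2.12", build_smb_frame(SMB_COM_NEGOTIATE, mid=DOUBLEPULSAR_MID)),  # wrong command
    ("192.0.2.13", b"\x00\x00\x00"),                                          # truncated
]

if __name__ == "__main__":
    counts, hits = summarize_scan(SAMPLE_SCAN)
    print(counts)   # {'infected': 1, 'clean': 1, 'unexpected': 1, 'error': 1}
    print(hits)     # ['192.0.2.11']
```

Against a live host the scanner would first complete the SMB negotiate, session setup and tree connect exchange over TCP 445 and then hand the reply to the Trans2 probe to `classify_trans2_response`; the classifier only trusts a Trans2 reply with the exact signature MID, which is the narrowest reading of "distinctive response" and the one least likely to inflate counts the way the critics quoted above suspect.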

In a statement issued several hours after this post went live, Microsoft officials wrote: "We doubt the accuracy of the reports and are investigating." For the moment, readers should consider the results of these scans tentative and allow for the possibility that false positives are exaggerating the number of real-world infections. At the same time, people should know that there's growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.

Post updated to add Microsoft comment.

View original post here:
10,000 Windows computers may be infected by advanced NSA backdoor - Ars Technica

Leaked NSA hacking tools are a hit on the dark web – CyberScoop

Underground hackers are now sharing, promoting and working to adopt the executable code contained in the NSA documents published last week by the Shadow Brokers, private-sector intelligence analysts tell CyberScoop.

Tutorials on how to use some of the tools began appearing the same day the NSA documents were originally published, according to researchers at the Israel-based dark web intelligence firm SenseCy. Forum members have shown particular interest in a leaked exploitation framework, similar to Metasploit but unique to the NSA, called Fuzzbunch.

SenseCy, a firm focused on the dark web and staffed by former intelligence officials, identified a series of conversations in a hidden Russian cybercrime forum discussing how members could exploit a bug in Windows Server Message Block (SMB), a network file-sharing protocol.

"Hackers [have] shared the leaked [NSA] information on various platforms, including explanations [of how to use the tools] published by Russian-language blogs," said SenseCy Director Gilles Perez. "We identified [one] discussion dealing with the SMB exploit [ETERNALBLUE], where hackers expressed interest in its exploitation and shared instructions on how to do so."

Perez declined to name the dark web forums surveilled by SenseCy, but provided CyberScoop with screenshots of conversations between members discussing the matter in discussion boards. "We can never provide the names of the forums as that could jeopardize our operations," he wrote in an email.

One of the most powerful tools shared by the Shadow Brokers last week is codenamed ETERNALBLUE in the leaked documents. The SMB vulnerability it exploits was addressed by Microsoft's March security update, published as bulletin MS17-010.

ETERNALBLUE allows an attacker to remotely execute code on older versions of Windows that expose the vulnerable SMB service.

Security researcher Matthew Hickey was able to show in a video that ETERNALBLUE is effective against machines running Windows Server 2008 R2 SP1, an old but still widely deployed version of Windows Server.

SenseCy researchers told CyberScoop they've already seen cybercriminals attempt to use the MS17-010 vulnerability in ransomware-style attacks.

"We are now seeing a trend, that most likely will gain momentum in the following weeks, of infecting Windows servers with ransomware utilizing the [NSA] leaked exploits," Perez said.

Some security researchers believe that exploiting MS17-010 will become popular among cybercrime gangs because it allows for a more damaging ransomware infection.

Researchers at the cyber intelligence firm Recorded Future told CyberScoop that they too have spotted separate discussions in several Russian and Chinese hacker forums in which users had successfully reverse engineered some of the Windows tools and were openly sharing their findings.

"The surprising recent release of one of the most comprehensive and up-to-date [collections] of hacking tools and exploits by the notorious Shadow Brokers group stirred up great interest among Russian-speaking cyber criminals," said Andrei Barysevich, Recorded Future's director of advanced collection. "Only three days after the data was leaked, we identified a discussion among members of an elite dark web community sharing expertise in weaponizing the EternalBlue exploit as well as the DoublePulsar kernel payload."

He added that, considering Microsoft patched the EternalBlue vulnerability as recently as March 14, the number of potentially affected systems could still be tremendous.

Recorded Future similarly declined to name the forums where they discovered this content.

"[In the Chinese forum], they were particularly interested in the exploit framework (named FUZZBUNCH), the SMB malware (ETERNALBLUE) and privilege escalation tool (ETERNALROMANCE)," members of Recorded Future's research team wrote in an email. "Actors were focused on the unique trigger point for [ETERNALBLUE] and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses."

These discussions indicate that there's broad interest in the unique malware triggers published by the Shadow Brokers and a belief that the underlying vulnerabilities being exploited had not been completely mitigated by Microsoft's patches, according to Recorded Future. "These two factors combine to increase the risk that malicious Chinese actors may reuse or repurpose this malware in the future," a spokesperson explained.

Most of the exploits and implants in the latest release target vulnerabilities in older Microsoft products, including Office and various versions of Windows. The technology giant stated in a blog post over the weekend that it had already patched most of the vulnerabilities the exploits rely on. Discontinued, end-of-life versions of Windows such as XP and Server 2003 remain vulnerable, as they did not receive a security patch.

More than 65 percent of desktop computers connected to the internet last month ran on older versions of Windows like Vista, according to estimates from the tracking firm Net Market Share.

While many of the Windows-specific exploits target remote code execution vulnerabilities, they still have to reach a vulnerable host to succeed. In other words, for many of these exploits to work an attacker must already have a foothold inside the organization's network, because TCP port 445, the port used by Microsoft's SMB, is typically blocked at the internet perimeter.

Microsoft declined to answer questions pertaining to how the company originally became aware of the aforementioned vulnerabilities, which were supposedly once exploited by the NSA.

Though it remains unclear whether anyone has been able to successfully leverage any of the leaked hacking tools to launch their own computer intrusion, security researchers fully expect and are preparing for a barrage of new attacks supported by the NSA's quality engineering.

"Even though the vulnerabilities released were patched, we feel confident that it will only be a matter of time before we see exploitation in the wild," said Cylance Chief Research Officer Jon Miller. "The scale will be on par with any other known and patched vulnerability. Only those that aren't judicious in patching their systems will be affected, mitigating the risk that comes from a true zero day."

Liam O'Murchu, the director of Symantec's security technology and response group, said he expects it will take a little longer for attackers to begin incorporating the leaked tools into their own attacks.

"From a defensive perspective, one of the main problems is the volume of data released," said O'Murchu. "We need to analyze all the files to understand how they could be changed or used to fit in with current cybercrime attacks. With ~7,000 files disclosed, it is very resource intensive to understand all of the tools, the full capabilities and how they can be used. That is what we are working on now."

A cohort of independent researchers and security firms have been finding new capabilities and targeted software vulnerabilities hidden in the massive trove of documents on a near-daily basis since Friday's release.

"We have only begun to scratch the surface on these tools and now that they are out there it's important we can analyze them to determine servers that are impacted as well as what steps can be taken to protect against them," Hickey wrote in a blog post on Wednesday.

"The tools are released in binary format and as reverse engineering efforts are underway, we will likely discover more interesting features about the attacks," wrote Hickey. "We are under no illusion that such a huge data trove will not be completely analyzed in its first few days of discovery and neither should you."

The rest is here:
Leaked NSA hacking tools are a hit on the dark web - CyberScoop

Is There a Russian Mole Inside the NSA? The CIA? Both? – Daily Beast

The latest leak by the Shadow Brokers hackers exposed classified information that could only have come from within the NSA, setting the stage for a Cold War ritual: the mole hunt.

A message from Vladimir Putin can take many forms.

It can be as heavy-handed as a pair of Russian bombers buzzing the Alaska coast, or as lethal as the public assassination of a defector on the streets of Kiev. Now Putin may be sending a message to the American government through a more subtle channel: an escalating series of U.S. intelligence leaks that last week exposed a National Security Agency operation in the Middle East and the identity of an agency official who participated.

The leaks by self-described hackers calling themselves the Shadow Brokers began in the final months of the Obama administration and increased in frequency and impact after the U.S. bombing of a Syrian airfield this month, a move that angered Russia. The group has not been tied to the Kremlin with anything close to the forensic certitude of last year's election-related hacks, but security experts say the Shadow Brokers attacks fit the pattern established by Russia's GRU during its election hacking. In that operation, according to U.S. intelligence findings, Russia created fictitious Internet personas to launder some of their stolen emails, including the fake whistleblowing site called DCLeaks and a notional Romanian hacker named Guccifer 2.0.

"I think there's something going on between the U.S. and Russia that we're just seeing pieces of," said security technologist Bruce Schneier, chief technology officer at IBM Resilient. "What happens when the deep states go to war with each other and don't tell the rest of us?"

The Shadow Brokers made their debut in August, appearing out of nowhere to publish a set of secret hacking tools belonging to the Equation Group, the security industry's name for the NSA's elite Tailored Access Operations program, which penetrates foreign computers to gather intelligence. At that time, the Shadow Brokers claimed to be mercenary hackers trying to sell the NSA's secrets to the highest bidder. But they went on to leak more files for free, seemingly timed with the public thrusts and parries between the Obama administration and the Russian government.

From the start, outside experts had little doubt that Russian intelligence was pulling the strings. "Circumstantial evidence and conventional wisdom indicates Russian responsibility," exiled NSA whistleblower Edward Snowden tweeted last August. "Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the [Democratic National Committee] hack."

The FBI started investigating, and in August agents arrested an NSA contractor named Hal Martin after discovering that Martin had been stockpiling agency secrets in his house for two decades. But even as Martin cooled his heels in federal custody, the Shadow Brokers continued to post messages and files.

Snowden and other experts speculated that the Russians obtained the code without the help of an insider. As a matter of tradecraft, intelligence agencies, including the NSA, secretly own, lease, or hack so-called staging servers on the public internet to launch attacks anonymously. By necessity, those machines are loaded up with at least some of the agency's tools. Snowden theorized that the Russians penetrated one of those servers and collected an NSA jackpot. "NSA malware staging servers getting hacked by a rival is not new," he wrote.

Whatever their origin, the leaks dried up on Jan. 12, when the Shadow Brokers announced their retirement 10 days before Donald Trump's swearing-in. The group didn't reemerge until this month, after the Syrian military's deadly chemical-weapons attack in Ghouta. Reportedly moved by images of the Syrian children injured or killed in the attack, Trump responded by ordering the launch of 59 Tomahawk missiles at a Syrian government air base, departing drastically from the will of Putin, who considers Syrian President Bashar al-Assad a strategic ally.

The Russian government immediately condemned the U.S. response. Two days later, so did the Shadow Brokers. The group broke its months-long silence and released another tranche of NSA secrets along with a lengthy open letter to Trump protesting the Syrian missile strike. Abandoning any pretense of a profit motive, the Shadow Brokers claimed now to be disillusioned U.S. voters, "the peoples who getting you elected," as they put it, using phrasing that holds dual meaning coming from a suspected Kremlin operation.

The Shadow Brokers have been playing hardball ever since. Their most recent release, on Friday, exposed the code for a sophisticated NSA toolkit targeting Windows machines, putting some of the agency's capabilities, circa 2013, in the hands of every newbie hacker able to use a keyboard.

This time, the Shadow Brokers didn't stop with code. For the first time in their short history, they also released internal NSA spreadsheets, documents, and slide decks, some bedecked with the insignia and Top Secret markings familiar to anyone who's browsed the Snowden leaks.


The leak exposes in detail a 2013 NSA hacking operation called Jeep Flea Market that gained deep access to Dubai-based EastNets, a company that handles wire transfers for a number of Middle East banks, something of obvious interest to U.S. intelligence. (EastNets denies the breach.) But the Shadow Brokers exposed more than just an NSA operation. Metadata left in the files identified the full name of a 35-year-old NSA worker in San Antonio who was apparently involved in the hack. (The Daily Beast was unable to reach him for comment.)

NSA hackers don't face the same danger as CIA officers working undercover in a foreign country, but the likelihood that Russia has begun exposing them by name, while linking them to specific operations, raises the stakes for the intelligence community. If nothing else, the San Antonio NSA worker could plausibly face criminal and civil charges in the United Arab Emirates, just as hackers working for Russian and Chinese intelligence have been indicted in the U.S.

It's conceivable that the Shadow Brokers included the name by mistake. Groups like WikiLeaks and the journalists with the Snowden cache are accustomed to scrubbing identifying metadata from documents. But a less-experienced hand might overlook it. Schneier is doubtful. "If we're assuming an intelligent and strategic actor, which I think we are, then you have to assume that they did that on purpose," he said.

Nothing is certain; the Shadow Brokers are a puzzle with missing pieces. But Friday's Shadow Brokers release obliterated one theory on the spot. The NSA would never have put classified spreadsheets and PowerPoint slides on a staging server. They could only have come from inside the NSA.

Which sets the stage for a revival of a storied Cold War intelligence ritual, with the declining agency morale that comes with it: the Russian mole hunt. "I think we're most likely looking at someone who went rogue from within, or a contractor who had access to this information," said Eric O'Neill, national-security strategist for Carbon Black. "Either way, we have someone in the intelligence community that's a pretty high-placed spy."

A former FBI surveillance specialist, in 2001 O'Neill helped bring down Robert Hanssen, a double agent in the bureau who'd been secretly spying for Russia. "The FBI must be scrambling right now," he said. "There's so many leaks going on: this leak, the CIA Vault7 leaks, and at the same time there's the investigation into any administration ties to Russia, and the DNC intrusion, and all these leaks coming out of the White House. There's only so much that the FBI's national security agents can do."

If Russia did have a mole inside the NSA in 2013, the most recent date of the documents, Schneier thinks it unlikely that it does now, or else the Shadow Brokers wouldn't exist. "You only publish when it's more useful as an embarrassment than as intelligence," he said. "So if you have a human asset inside the NSA, you wouldn't publish. That asset is too important."

It's also possible, though unprecedented in the public record, that Russia found a way into the NSA's classified network. A competing theory focuses on the FBI's early suspect, Hal Martin. He's not the Shadow Brokers, but he reportedly worked in the NSA's Tailored Access Operations program and had 50,000 gigabytes of classified material in his home. Might he himself have been hacked? Martin is charged in Maryland with 20 counts of willful retention of national defense information, but prosecutors have not made any accusation that his trove slipped into enemy hands.

As Snowden demonstrated when he walked out of the NSA with a thumb drive of secrets, it's comparatively easy now to steal and smuggle classified information. But O'Neill says the FBI's counterintelligence mission is easier too, because of the rampant audit trails and server logs in classified networks.

"It's much easier getting the secrets out now, but on the flip side, it's also easier for law enforcement and the FBI to track down who had access to the data," he says. "I like to think this mole hunt is going to be a little easier than it was in the past."

Until then, expect the Shadow Brokers to stick around. In their Friday dump, they hinted at more revelations this week: "Who knows what we having next time?"

Here is the original post:
Is There a Russian Mole Inside the NSA? The CIA? Both? - Daily Beast

What you need to know about that latest NSA data dump – Recode

A group of hackers released on Friday what appears to be the most extensive data dump yet from the National Security Agency.

The hack could have consequences for the relationship between big software companies and the U.S. government and could make it harder for Europe to trust the U.S. to respect privacy agreements.

Experts believe the hacker group behind the leak, Shadow Brokers, is connected with the Russian government. The group has released stolen information from the NSA before.

If the documents released by the hack are authentic, they would show that the NSA has compromised a Dubai-based firm that routes bank transfers between countries. The hack also revealed how to break into Microsoft software. Here's a more detailed explainer from George Washington University professor Henry Farrell.

Here are some things found in the dump.

Why it matters: The U.S. government is technically allowed to access data from Swift only through a formal safeguarded process, but information revealed in the hack indicates the NSA is secretly accessing information outside this agreement. This is bound to upset European regulators.

Why it matters: If the NSA didn't let Microsoft know about the zero-day vulnerabilities, that could further undermine tech companies' already eroded trust in the government.

Read more from the original source:
What you need to know about that latest NSA data dump - Recode

5G Summit panel optimistic about industry meeting December deadline for 5G NSA – FierceWireless

The industry, namely 3GPP, has a lot of work to do if it's going to meet the December 2017 deadline to finalize the specifications for Non-Stand Alone (NSA) 5G New Radio (NR), but participants in a panel appearing at the Brooklyn 5G Summit seem to think it's achievable.

A member of the audience, who is thoroughly involved in the 3GPP standards debates, cited challenges around the radio side and very specific items, saying he's concerned there are major problems to be solved before the end of the year and not enough time to address them. He asked the panel, which included representatives from AT&T, Deutsche Telekom, NTT DoCoMo, KT and Intel, if they share those concerns or think it will all magically sort itself out.

"There's always a concern," said Dave Wolter, assistant VP, Radio Technology & Architecture at AT&T. "We share those concerns, we talk with our vendors, we talk with other service providers and the feeling right now, I think you saw that going into the last 3GPP meeting where we had, I think it was 22 companies sign onto the acceleration, the feeling is it can get done. At this point, I'd leave it to my standardization colleagues to really address some of the specifics, but I think at this point I have to trust that they're going to get there and we'll be doing the testing to ensure that it does, along the way, and we'll have to adjust as required, but I'm cautiously optimistic."

Ken Stewart, senior fellow at Intel, said RAN 4, the radio performance group, to some extent is the victim of the other groups inside the 3GPP because they have to define in many ways the fundamental performance requirements that devices and base stations, to some extent, live up to. The workload on that group over the next 12 months will be extraordinary, Stewart said.

"There may be ways to reduce the load, but my personal view is it will require all of the skill of all the delegates who have been in the group for many years to get the job done. It will be a very significant task, but with pragmatism, it's just about achievable," he said, adding with a smile to the audience member who posed the question: "I want to thank you right now for all the work you're going to be doing over the next 12 months."

Related: Controversial plan to accelerate 5G NR timeline gets OK in 3GPP

After months of debate, the 3GPP agreed last month to accelerate some elements in the 5G NR timeline, and for AT&T, that means it will be able to launch standards-based mobile 5G services starting as early as late 2018. That was announced last month by Andre Fuetsch, president, AT&T Labs and CTO, and when Fuetsch talks about delivering something in that kind of timeframe, we take that as a command to make it happen before 2018 is over, Wolter said during his keynote at the Summit on Thursday.

Related: AT&T moves needle on standards-based 5G to late 2018

A number of things have to be addressed and decided, including MIMO transmit schemes, for the industry to meet its goals for 5G.

"It's a pretty aggressive list, so we're all going to have to kind of buckle down as an industry and really work hard to make sure that we can get this done, but we think that's really going to pay off in much earlier equipment availability that is NR based," Wolter said.

AT&T is prioritizing the NSA version as opposed to the stand-alone (SA) version in part because "we've got a lot of LTE out there, and there isn't going to be widespread 5G coverage for a while," he said.

Plus, in the U.S., there hasn't been new spectrum allocated that the industry can use for 5G, with the possible exception of 3.5 GHz. That CBRS band, however, has some rules that don't make it terribly attractive for a base 5G layer. The FCC is taking another look at some of those rules around the licensing structure, and that may change, he said. If that licensing structure changes, "we may find that the 3.5 GHz band is a good band for us to be looking at, and it goes from 3.55 to 3.7 GHz."

In general for millimeter wave spectrum, AT&T will be relying heavily on 39 GHz spectrum since Verizon pretty much snapped up a lot of the 28 GHz and AT&T is making some key acquisitions for 39 GHz, but it still will probably be doing some things at 28 GHz.

Read more from the original source:
5G Summit panel optimistic about industry meeting December deadline for 5G NSA - FierceWireless