Leaked NSA hacking tools are a hit on the dark web – CyberScoop
Undergroundhackers are now sharing, promoting and working to adopt executable computer code evident in NSA documents that were published last week by the Shadow Brokers, private sector intelligence analysts tell CyberScoop.
Tutorials on how to utilize some of the tools began appearing the same day the NSA documents were originally published, according to researchers at Israel-based dark web intelligence firm SenseCy. Forum members have shown a particular interest in a leakedframeworksimilar to Metasploit thats unique to the NSA called Fuzzbunch.
SenseCy, a firm focused on the dark web staffed by former intelligence officials, identifieda series of conversationsoccurring in a hidden Russian cybercrime forum discussing how members could exploit a bug in Windows Server Message Block, a network file sharing protocol.
Hackers [have] shared the leaked [NSA] information on various platforms, including explanations [for how to use the tools]published by Russian-language blogs, said SenseCy Director Gilles Perez. We identified [one] discussion dealing with the SMB exploit [ETERNALBLUE], where hackers expressed interest in its exploitation and share instruction on how to do so.
Perez declined to name the dark web forums surveilled by SenseCy, but provided CyberScoop with screenshots of conversations between members discussing the matter indiscussion boards We can never provide the names of the forums as that could jeopardize our operations, he wrote in an email.
One of the powerful tools shared by the Shadow Brokers last week, and addressed by a March Microsoft security update, is codenamed ETERNALBLUE in the leaked documents it is also referred to as vulnerability MS17-010 by Microsoft.
ETERNALBLUE allows for an attacker to remotely cause older versions of Windows to execute code.
Security researcher Matthew Hickeywas able to show in a video that ETERNALBLUE is effective against machines running Windows Server 2008 R2 SP1, an old but popular version of Windows Server.
SenseCy researchers told CyberScoop theyve already seen cybercriminals attempt to utilize the MS17-010 vulnerability in ransomeware-style attacks.
We are now seeing a trend, that most likely will gain momentum in the following weeks, of infecting Windows servers with Ransomware utilizing the [NSA] leaked exploits, Gilles said.
Some security researchers believe that exploiting MS17-010will become popular amongst cybercrime gangs because it allows for a more damaging ransomware infection.
Researchers at cyber intelligence firm Recorded Future told CyberScoop that they too have spotted separate discussions in several Russian and Chinese hacker forums in which users successfully reversed engineered some of the Windows tools and were openly sharing their findings.
The surprising recent release one of the most comprehensive and up to date of hacking tools and exploits by the notorious Shadow Brokers group stirred up great interest among Russian-speaking cyber criminals, said Andrei Barysevich, Recorded Futures director of advanced collection. Only three days after the data was leaked, we identified a discussion among members of an elite dark web community sharing expertise in weaponizing the EternalBlue exploit as well as the DoublePulsar kernel payload.
He added, considering that Microsoft patched the EternalBlue vulnerability as recently as March 14, the number of potentially affected systems could still be tremendous.
Recorded Future similarly declined to name the forums where they discovered this content.
[In the Chinese forum], they were particularly interested in the exploit framework (named FUZZBUNCH), the SMB malware (ETERNALBLUE) and privilege escalation tool (ETERNALROMANCE), members of Recorded Futures research team wrote in an email. Actors were focused on the unique trigger point for [ETERNALBLUE] and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses.
These discussions indicate that theres broad interest in the unique malware triggers published by the Shadow Brokers and a belief that the underlying vulnerabilities being exploited had not been completely mitigated by Microsofts patches, according to Recorded Future. These two factors combine to increase the risk that malicious Chinese actors may reuse or repurpose this malware in the future, a spokesperson explained.
Most of the exploits and implants mentioned in the latest release are designed to exploit software vulnerabilities apparent in older Microsoft products, including Office and various operating systems. The technology giant stated in a blog post over the weekend that it had patched most of the exploits. Discontinued, end of life version of Windows, such as XP and 2003, remain vulnerable as they did not receive a security patch.
More than 65 percent of desktop computers connected to the internet last month ran on older versions of Windows like Vista, according to estimates from the tracking firm Net Market Share.
While many of the Microsoft Windows-specific exploits contain remote code execution vulnerabilities, they need to be deployed against a host in order to be successful. In other words, a connection to the organization must already be established for many of these exploits to work as port 445, which is used in Microsofts SMB, is typically blocked internet-wide.
Microsoft declined to answer questions pertaining to how the company originally became aware of the aforementioned vulnerabilities, which were supposedly once exploited by the NSA.
Though it remains unclear whether anyone has been able to successfully leverage any of the leaked hacking tools to launch their own computer intrusion, security researchers fully expect and are preparing for a barrage of new attacks supported by NSAs quality engineering.
Even though the vulnerabilities released were patched, we feel confident that it will only be a matter of time before we see exploitation in the wild, said Cylance Chief Research Officer Jon Miller. The scale will be on par with any other known and patched vulnerability. Only those that arent judicious in patching their systems will be affected, mitigating the risk that comes from a true zero day.
Liam OMurchu, the director of Symantecs security technology and response group, said he expects it will take a little longer for attackers to begin incorporating the leaked tools into their own attacks.
From a defensive perspective, one of the main problems is the volume of data released, said OMurchu. We need to analyze all the files to understand how they could be changed or used to fit in with current cybercrime attacks with ~7000 files disclosed, it is very resource intensive to understand all of the tools, the full capabilities and how they can be used. That is what we are working on now.
A cohort of independent researchers and security firms are finding new capabilities and targeted software vulnerabilities hidden in the massive trove of documents on a near daily basis since Fridays release.
We have only begun to scratch the surface on these tools and now that they are out there its important we can analyze them to determine servers that are impacted as well as what steps can be taken to protect against them, Hickey wrote in a blog post, Wednesday.
The tools are released in binary format and as reverse engineering efforts are underway. We will likely discover more interesting features about the attacks, wrote Hickey. We are under no illusion that such a huge data trove will not be completely analyzed in its first few days of discovery and neither should you.
The rest is here:
Leaked NSA hacking tools are a hit on the dark web - CyberScoop
- CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - HSToday - December 5th, 2024 [December 5th, 2024]
- Where Will The Top Amateurs at NSA Yamaha Land After the Team Closes? - Vurbmoto - December 5th, 2024 [December 5th, 2024]
- CISA, NSA, FBI and International Partners Publish Guide for Protecting Communications Infrastructure - HSToday - December 5th, 2024 [December 5th, 2024]
- Main players backing Syrian government have been weakened by other conflicts, NSA Sullivan says - NBC News - December 5th, 2024 [December 5th, 2024]
- Trump's incoming NSA Mike Waltz wants US to dance cheek-to-check with India - The Times of India - November 14th, 2024 [November 14th, 2024]
- What Trump's NSA Nominee Said On India's Pivotal Role In The 21st Century - NDTV - November 14th, 2024 [November 14th, 2024]
- Exclusive: Nakasone on exploding pagers, life after the NSA and another possible government job - The Record from Recorded Future News - November 14th, 2024 [November 14th, 2024]
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 - BleepingComputer - November 14th, 2024 [November 14th, 2024]
- CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - National Security Agency - November 14th, 2024 [November 14th, 2024]
- 6 Principles of Operational Technology Cybersecurity released by joint NSA initiative - Security Intelligence - November 14th, 2024 [November 14th, 2024]
- It's official FBI, CISA, and NSA reveal the most exploited vulnerabilities of 2023 - TechRadar - November 14th, 2024 [November 14th, 2024]
- Donald Trump picks Mike Waltz as US NSA: What it means for China and India - The Times of India - November 14th, 2024 [November 14th, 2024]
- Who is Mike Waltz, Donald Trump's new NSA pick? What are his ties to India Caucus? - Firstpost - November 14th, 2024 [November 14th, 2024]
- NSA should not oversee the management of national facilities RexDanquah - Citi Sports Online - November 14th, 2024 [November 14th, 2024]
- Trudeaus NSA admits to leaking secret intel alleging Indias interference to Washington Post - Firstpost - October 31st, 2024 [October 31st, 2024]
- White House dials NSA Ajit Doval: Here's what happened in the call - The Economic Times - October 31st, 2024 [October 31st, 2024]
- NSA Doval Stresses Need For Stable Indo-Pacific In Phone Call With US Counterpart Sullivan - News18 - October 31st, 2024 [October 31st, 2024]
- Director-General of NSA calls for continued support from government - GhanaWeb - October 21st, 2024 [October 21st, 2024]
- 5G Non Standalone Nsa Architecture Market to Reach USD 240.0 - openPR - October 21st, 2024 [October 21st, 2024]
- NSA meets with Minister Muir and DAERA to discuss industry concerns - Meat Management - October 21st, 2024 [October 21st, 2024]
- NSA cyber chief: Espionage is now Russias focus for cyberattacks on Ukraine - The Record from Recorded Future News - October 11th, 2024 [October 11th, 2024]
- NSA Investigating If Chinese Hackers Breached US Telecoms - Yahoo Finance - October 11th, 2024 [October 11th, 2024]
- NSA Issues Updated Guidance on Russian SVR Cyber Operations - National Security Agency - October 11th, 2024 [October 11th, 2024]
- News - Honoring the Stars and Stripes: NSA Philadelphia Hosts Dignified Flag Disposal Ceremony - DVIDS - October 11th, 2024 [October 11th, 2024]
- NSA's Program for Nursing Mothers in the Workplace Considered a Model for USG - National Security Agency - October 11th, 2024 [October 11th, 2024]
- NSA investigating hack of three major telecommunications companies - Baltimore Sun - October 11th, 2024 [October 11th, 2024]
- Honoring the Stars and Stripes: NSA Philadelphia Hosts Dignified Flag Disposal Ceremony [Image 8 of 8] - DVIDS - October 11th, 2024 [October 11th, 2024]
- NSA Hiring Over a Thousand in the Next Year - ClearanceJobs - October 4th, 2024 [October 4th, 2024]
- What Its Really Like to Work at NSA - National Security Agency - October 4th, 2024 [October 4th, 2024]
- US Elections: Former NSA John Bolton Claims Both Harris And Trump Do Not Qualify To Be President | NewsX Exclusive - NewsX - October 4th, 2024 [October 4th, 2024]
- Honoring the fallen: Bells toll for Americas heroes at NSA Mechanicsburg - American Military News - October 4th, 2024 [October 4th, 2024]
- How often should you turn off your phone? Heres what the NSA says - PCWorld - October 4th, 2024 [October 4th, 2024]
- NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations - HSToday - September 28th, 2024 [September 28th, 2024]
- NSA warns that Active Directory is an "exceptionally large and difficult to defend" attack surface - The Stack - September 28th, 2024 [September 28th, 2024]
- News - Honoring the Fallen: Bells Toll for Americas Heroes at NSA Mechanicsburg - DVIDS - September 28th, 2024 [September 28th, 2024]
- National Storage Affiliates Trust (NYSE:NSA) Given Average Recommendation of "Reduce" by Brokerages - MarketBeat - September 28th, 2024 [September 28th, 2024]
- Lack of Standard Stadiums: NSA boss sacked, facilities closed - What has been said and done so far - GhanaWeb - September 21st, 2024 [September 21st, 2024]
- NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations - National Security Agency - September 21st, 2024 [September 21st, 2024]
- UTEP Establishes Collaboration with DoD, NSA to Help Enhance U.S. Semiconductor Workforce - The University of Texas at El Paso - September 21st, 2024 [September 21st, 2024]
- The NSA advises you to turn off your phone once a week - here's why - ZDNet - September 21st, 2024 [September 21st, 2024]
- NSA Publishes Cyber Advisory on China-Linked Threat Actors - Executive Gov - September 21st, 2024 [September 21st, 2024]
- Former NSA Director Nakasone opens new institute at Vanderbilt to train right type of leader - Washington Times - September 21st, 2024 [September 21st, 2024]
- ACR lauds legislation that would fine insurers for delayed NSA payments - AuntMinnie - September 16th, 2024 [September 16th, 2024]
- NSA threatens lawsuit over election rigging allegation, demands apology - Pulse Nigeria - September 16th, 2024 [September 16th, 2024]
- NSA explains its work with private sector on election security and fighting foreign cyber threats - Washington Times - September 16th, 2024 [September 16th, 2024]
- NSA to debut podcast to boost public awareness of classified missions - Nextgov/FCW - August 31st, 2024 [August 31st, 2024]
- In Beijing, Bidens NSA Calls Out Chinas Destablising Actions, Openly Supports Philippines - Hindustan Times - August 31st, 2024 [August 31st, 2024]
- Why the NSA advises you to turn off your phone once a week - ZDNet - August 31st, 2024 [August 31st, 2024]
- Getting into rhythm: NSA places high expectations on themselves for 2024 - Suffolk News-Herald - August 31st, 2024 [August 31st, 2024]
- NSA readying podcast to share untold stories of codebreakers missions - Washington Times - August 31st, 2024 [August 31st, 2024]
- Trump govt stopped aid to Pakistan over ISI's 'undeniable complicity' with terrorists: Ex-US NSA - Hindustan Times - August 31st, 2024 [August 31st, 2024]
- Top NSA researcher tapped to lead Pentagons UAP investigation hub - DefenseScoop - August 27th, 2024 [August 27th, 2024]
- NSA Releases Guide to Combat Living Off the Land Attacks - Infosecurity Magazine - August 27th, 2024 [August 27th, 2024]
- With a little help from the National Archives, NSA finally releases Grace Hopper lecture. Watch it here. - MuckRock - August 27th, 2024 [August 27th, 2024]
- Trump administration NSA H.R. McMaster says there was "inconsistency" in foreign policy - CBS News - August 25th, 2024 [August 25th, 2024]
- 'Putin exploited Trump's ego and insecurities': Former NSA in new book - The Times of India - August 25th, 2024 [August 25th, 2024]
- NSA calls for urgent Government action on illegal sheep imports - Meat Management - August 14th, 2024 [August 14th, 2024]
- Sheikh Hasina Resignation LIVE Updates: Ex Bangladesh PM Sheikh Hasina Meets NSA Ajit Doval At Hindon Airbase - NDTV - August 5th, 2024 [August 5th, 2024]
- NSA Claims It Cant Watch an Important Tape It Recorded in the 1980s - Gizmodo - July 17th, 2024 [July 17th, 2024]
- Letter to NSA Sullivan Requesting Assessment of Information Russia Has Shared with the PRC on U.S. Weapons Capabilities in Ukraine - Select Committee... - July 17th, 2024 [July 17th, 2024]
- The NSA Is Defeated By A 1950s Tape Recorder. Can You Help Them? - Hackaday - July 17th, 2024 [July 17th, 2024]
- Letter to NSA on Microsoft's Billion Dollar Partnership with UAE Firm G42 - Select Committee on the CCP | - July 17th, 2024 [July 17th, 2024]
- NSA Fast Pitch World Series kicks off with Skills Competition & Heavy Hitters Camp, featuring College World Series Champions from the University... - July 17th, 2024 [July 17th, 2024]
- NSA contractor bilked government for hundreds of hours she never worked - Washington Times - July 6th, 2024 [July 6th, 2024]
- Signals intelligence has become a cyber-activity - The Economist - July 6th, 2024 [July 6th, 2024]
- OpenAI adds former NSA chief to its board - CNBC - June 15th, 2024 [June 15th, 2024]
- Former head of NSA joins OpenAI board - The Verge - June 15th, 2024 [June 15th, 2024]
- Former NSA Head Joins OpenAI Board and Safety Committee - RetailWire - June 15th, 2024 [June 15th, 2024]
- Former NSA head joins OpenAI board and safety committee - TechCrunch - June 15th, 2024 [June 15th, 2024]
- OpenAI Appoints Cybersecurity Expert And Retired US Army Genera With NSA Pedigree To Board, Enhancing AI ... - Benzinga - June 15th, 2024 [June 15th, 2024]
- Former NSA head Paul Nakasone to helm national security institute at Vanderbilt - The Record from Recorded Future News - May 15th, 2024 [May 15th, 2024]
- US is still chasing down pieces of Chinese hacking operation, NSA official says - The Record from Recorded Future News - March 18th, 2024 [March 18th, 2024]
- 6 CISO Takeaways from the NSA's Zero-Trust Guidance - Dark Reading - March 18th, 2024 [March 18th, 2024]
- St. John's M.S. in Cyber and Information Security Earns Key NSA Validation - St John's University News - March 18th, 2024 [March 18th, 2024]
- Senate votes to confirm Lt. Gen. Timothy Haugh to lead CYBERCOM and NSA/CSS - United States Cyber Command - December 23rd, 2023 [December 23rd, 2023]
- NSA Highlights AI, Partnerships in 2023 Cyber Review - MeriTalk - December 23rd, 2023 [December 23rd, 2023]
- NSA Publishes 2023 Cybersecurity Year in Review - National Security Agency - December 23rd, 2023 [December 23rd, 2023]
- Senate votes to confirm Lt. Gen. Timothy Haugh to lead CYBERCOM and NSA/CSS - National Security Agency - December 23rd, 2023 [December 23rd, 2023]
- NSA Reiterates Achievements in AI & Defense Against Russia, China in 2023 Cybersecurity Review - Executive Gov - December 23rd, 2023 [December 23rd, 2023]
- NSA appoints new Cyber Command head | SC Media - SC Media - December 23rd, 2023 [December 23rd, 2023]