NotPetya developers obtained NSA exploits weeks before their public leak – Ars Technica

Category: NSA

Enlarge / A computer screen displaying Eternalromance, one of the hacking tools dumped Friday by Shadow Brokers.

The people behind Tuesday's massive malware outbreak had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according to evidence unearthed by researchers from antivirus F-Secure.

On Thursday, F-Secure researchers said they have evidence that the still-unknown developers of Tuesday's NotPetya malware had access to EternalBlue and EternalRomance as early as February, when they finished work on the malware component that used the stolen NSA exploits. The timeline is all the more significant considering the quality of the component, which proved surprisingly adept in spreading the malware from computer to computer inside infected networks. The elegance lay in the way the component combined the NSA exploits with three off-the-shelf tools including Mimikatz, PSExec, and WMIC. The result: NotPetya could infect both patched and unpatched computers quickly. Code that complex and effective likely required weeks of development and testing prior to completion.

"February is many weeks before the exploits EternalBlue and EternalRomance (both of which this module utilizes) were released to the public (in April) by the Shadow Brokers," F-Secure researcher Andy Patel wrote in a blog post. "And those exploits fit this component like a glove."

Whereas the two other main components of NotPetyaan encryption component and a component for attacking a computer's master boot recordwere "pretty shoddy and seem kinda cobbled together," Patel said the spreading component seems "very sophisticated and well-tested." For developers to finish work on the spreader by February, they clearly had the NSA exploits in hand by then. By contrast, Patel added:

WannaCry clearly picked [the NSA] exploits up after the Shadow Brokers dumped them into the public domain in April. Also WannaCry didn't do the best job at implementing these exploits correctly.

By comparison, this "Petya" looks well-implemented, and seems to have seen plenty of testing. It's fully-baked.

The weeks leading up to February's completion of the NotPetya spreader was a particularly critical time for computer security. A month earlier, the Shadow Brokers advertised an auction that revealed some of the names of the exploits they had, including EternalBlue. NSA officials responded by warning Microsoft of the theft so that the company could patch the underlying vulnerabilities. In February, Microsoft abruptly canceled that month's Patch Tuesday. The unprecedented move was all the more odd because exploit code for an unpatched Windows 10 flaw was already in the wild and Microsoft gave no explanation for the cancellation.

"Meanwhile, 'friends of the Shadow Brokers' were busy finishing up development of a rather nifty network propagation component, utilizing these exploits," Patel wrote.

When Patch Tuesday resumed in March, Microsoft released a critical security update that fixed EternalBlue. As the WCry outbreak would later demonstrate, large numbers of computersmainly running Windows 7failed to install the updates, allowing the worm to spread widely.

If the timeline is correct, it would mean the NotPetya developers had some sort of tie to the Shadow Brokers, possibly as customers, colleagues, acquaintances, or friends. It would also make NotPetya the first piece of in-the-wild malware that had known early access to the NSA exploits. Patel didn't say how the NotPetya developers got hold of EternalBlue and EternalRomance prior to their public release in April.

Early speculation was that Shadow Brokers members acquired a small number of hacking tools that NSA personnel stored on one or more staging servers used to carry out operations. The volume and sensitivity of the exploits and documents released over the next several months slowly painted a much grimmer picture. It's now clear that the group has capitalized on what is likely the worst breach in NSA history. There's no indication the agency has identified how it lost control of such a large collection of advanced tools or that it knows much at all about the Shadow Brokers' membership. The group, meanwhile, continues to publish blog posts written in deliberately broken English, with the most recent one on Wednesday.

The F-Secure evidence adds a new unsettling entry on the Shadow Brokers' resume. The world already knew the group presided over a breach of unprecedented scope and leaked exploits to the world. Now, we know it also provided crucial private assistance in developing one of the most virulent worms in recent memory.

Go here to read the rest:
NotPetya developers obtained NSA exploits weeks before their public leak - Ars Technica

NSA warned of vulnerabilities in Signal app a month before Houthi strike chat - CBS News - March 26th, 2025 [March 26th, 2025]
Trump said poised to fire NSA Mike Waltz for including journalist in top secret war chat - The Times of Israel - March 26th, 2025 [March 26th, 2025]
Not the last Waltz: Trump defends NSA after security breach - The Times of India - March 26th, 2025 [March 26th, 2025]
NSA warned about vulnerabilities in Signal prior to White House group chat fiasco - SiliconANGLE News - March 26th, 2025 [March 26th, 2025]
NSA warned the Signal app was vulnerable last month - WTIC - March 26th, 2025 [March 26th, 2025]
Codebreakers and Covert Agents: The Women Behind the NSA and CIA heads to Illinois State Museum - WAND - March 26th, 2025 [March 26th, 2025]
NSA warned about using Signal a month before leak of Houthi strike chat - CBS News - March 26th, 2025 [March 26th, 2025]
'Putin is giddy': NSA knew Signal was vulnerable to Russian hackers before security breach - AlterNet - March 26th, 2025 [March 26th, 2025]
RAW: NSA MIKE WALTZ EXPECTED TO VISIT GREENLAND - Local 3 News - March 26th, 2025 [March 26th, 2025]
US NSA likely to visit India in third week of April - Hindustan Times - March 26th, 2025 [March 26th, 2025]
Statement from Secretary Rubio and NSA Waltz on Call with Zelenskyy - Department of State - March 22nd, 2025 [March 22nd, 2025]
Europe must invest more in defence amid global shifts: Greeces NSA Ntokos - Firstpost - March 22nd, 2025 [March 22nd, 2025]
NSA Bahrain, NAVCENT Hold First-of-its-Kind Exercise Vigilant Resolve - navy.mil - March 22nd, 2025 [March 22nd, 2025]
Former NSA boss Osei Assibey Antwi picked up by NIB - GhanaWeb - March 22nd, 2025 [March 22nd, 2025]
WHAT THE TECH? NSA recommending weekly smartphone restarts & how it improves performance - Local 3 News - March 9th, 2025 [March 9th, 2025]
Ex-NSA cyber chief warns of devastating impact of potential DOGE-inspired firings - Breaking Defense - March 9th, 2025 [March 9th, 2025]
Former top NSA cyber official: Probationary firings devastating to cyber, national security - CyberScoop - March 9th, 2025 [March 9th, 2025]
Prime Targets Martha Plimpton On Her NSA Character & Why This Political Thriller Works: Never Trust People In Charge - Deadline - March 9th, 2025 [March 9th, 2025]
Former NSA Dep. Director, Gifty Oware-Mensah will see NIB over 80k ghost names allegations - GhanaWeb - March 5th, 2025 [March 5th, 2025]
Zelensky is not ready for peace talks, US NSA says - Mehr News Agency - English Version - March 3rd, 2025 [March 3rd, 2025]
More Than 100 Intelligence Staffers Will Be Fired Over Sexually Explicit Texts In NSA Chatrooms, Gabbard Says - Forbes - March 1st, 2025 [March 1st, 2025]
NSA says it is investigating potential misuse of chat platform - The Record from Recorded Future News - March 1st, 2025 [March 1st, 2025]
100-plus spies fired after NSA internal chat board used for kinky sex talk - The Register - March 1st, 2025 [March 1st, 2025]
Tulsi Gabbard says more than 100 intelligence officers will be fired for sexually explicit NSA chat messages - CNN - March 1st, 2025 [March 1st, 2025]
Elon Asked What Government Workers Did. The NSA Overshared - Schiff Sovereign - March 1st, 2025 [March 1st, 2025]
Tulsi Gabbard Fires 100 Intelligence Officers for Sex Chats on NSA-Hosted Tool - The Daily Beast - March 1st, 2025 [March 1st, 2025]
Elon Musk reacts to leaked chat alleging NSA, CIA officials discussed raising intersex babies as non-bina - The Times of India - March 1st, 2025 [March 1st, 2025]
What NSA, DIA agents said about Libs of TikTok, Ben Shapiro in leaked messages - The Times of India - March 1st, 2025 [March 1st, 2025]
NSA staff accused of lurid sex chats at work they were just discussing LGBTQ+ issues - PinkNews - March 1st, 2025 [March 1st, 2025]
Sen. Tom Cotton reacts to lewd NSA chats: 'We don't want these people anywhere near classified information' - Fox News - March 1st, 2025 [March 1st, 2025]
At least 100 NSA staffers to be fired for explicit chats during work hours - WDRB - March 1st, 2025 [March 1st, 2025]
Gifty Oware-Mensah on the run as NIB investigates NSA scandal - GhanaWeb - February 25th, 2025 [February 25th, 2025]
Former NSA, Cyber Command chief Paul Nakasone says U.S. falling behind its enemies in cyberspace - CyberScoop - February 25th, 2025 [February 25th, 2025]
NSA emphasizes strong defensive posture as it responds to report it hacked China - Washington Times - February 25th, 2025 [February 25th, 2025]
How the NSA Head of Accounts was undermined by his deputy for eight months after appointment - GhanaWeb - February 25th, 2025 [February 25th, 2025]
What Is Proteus in Zero Day? How the NSA Weapon Changes Everything - Collider - February 25th, 2025 [February 25th, 2025]
'Zelenskyy will sign the minerals deal, no matter': US NSA Mike Waltz on Trump's Ukraine plan - The Economic Times - February 25th, 2025 [February 25th, 2025]
EXCLUSIVE: Clearcover launches Illinois-based reciprocal exchange to jumpstart entry into NSA - Re-Insurance.com - February 12th, 2025 [February 12th, 2025]
Chief of Naval Operations Visits NSA Crane, Purdue University [Image 18 of 25] - DVIDS - February 12th, 2025 [February 12th, 2025]
Liminal Health Launches NSA ClearPath: Revolutionizing Reimbursement for Out-of-Network Providers - PR Newswire - February 12th, 2025 [February 12th, 2025]
Elon Musks D.O.G.E is giving the CIA and NSA nightmares now - MSN - February 12th, 2025 [February 12th, 2025]
NSA Ajit Doval likely to visit US along with PM Modi - The Economic Times - February 12th, 2025 [February 12th, 2025]
The NSA says do these 5 things with your phone right now - Fox News - January 30th, 2025 [January 30th, 2025]
NSA: Iraqi territory will not be used to attack neighboring countries Iraqi News Agency - ina.iq - January 30th, 2025 [January 30th, 2025]
NDC is not here to witch-hunt - Opare Addo to NSA staff - GhanaWeb - January 30th, 2025 [January 30th, 2025]
NSA Warns iPhone And Android UsersDisable Location Tracking - Forbes - January 19th, 2025 [January 19th, 2025]
Trumps incoming NSA: Hamas must have no role in governing Gaza - JNS.org - January 19th, 2025 [January 19th, 2025]
Trump NSA Disputes Report That Neocons Are Influencing MAGA Staffing - RealClearDefense - January 19th, 2025 [January 19th, 2025]
US NSA lauds Ajit Doval for pivoting ties to advanced future tech - The Times of India - January 9th, 2025 [January 9th, 2025]
Auto insurtech Clearcover expands into Texas NSA market with CGA launch - Re-Insurance.com - January 9th, 2025 [January 9th, 2025]
"Cannot Think Of A Better Way To End My Tenure": US NSA On His India Visit - NDTV - January 9th, 2025 [January 9th, 2025]
Heightened Security At U.S. Naval Academy And NSA Annapolis: Public Access Suspended Amid Increased Force Protection Measures - Bay Net - January 9th, 2025 [January 9th, 2025]
From The Seabed To The Stars: 10 Takeaways From U.S. NSA Sullivans Visit - Strategic News Global - January 9th, 2025 [January 9th, 2025]
NSA Sullivan to visit India to finalise important ongoing initiatives: White House - The Hindu - January 9th, 2025 [January 9th, 2025]
What NSA Jake Sullivans India Visit Signals For Nuclear And Tech Ties As US Lifts Curbs On Indian Entities - Swarajya - January 9th, 2025 [January 9th, 2025]
NSA Sullivan arrives today, seeks to strengthen AI, space, tech ties - The Tribune India - January 9th, 2025 [January 9th, 2025]
CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - HSToday - December 5th, 2024 [December 5th, 2024]
Where Will The Top Amateurs at NSA Yamaha Land After the Team Closes? - Vurbmoto - December 5th, 2024 [December 5th, 2024]
CISA, NSA, FBI and International Partners Publish Guide for Protecting Communications Infrastructure - HSToday - December 5th, 2024 [December 5th, 2024]
Main players backing Syrian government have been weakened by other conflicts, NSA Sullivan says - NBC News - December 5th, 2024 [December 5th, 2024]
Trump's incoming NSA Mike Waltz wants US to dance cheek-to-check with India - The Times of India - November 14th, 2024 [November 14th, 2024]
What Trump's NSA Nominee Said On India's Pivotal Role In The 21st Century - NDTV - November 14th, 2024 [November 14th, 2024]
Exclusive: Nakasone on exploding pagers, life after the NSA and another possible government job - The Record from Recorded Future News - November 14th, 2024 [November 14th, 2024]
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 - BleepingComputer - November 14th, 2024 [November 14th, 2024]
CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - National Security Agency - November 14th, 2024 [November 14th, 2024]
6 Principles of Operational Technology Cybersecurity released by joint NSA initiative - Security Intelligence - November 14th, 2024 [November 14th, 2024]
It's official FBI, CISA, and NSA reveal the most exploited vulnerabilities of 2023 - TechRadar - November 14th, 2024 [November 14th, 2024]
Donald Trump picks Mike Waltz as US NSA: What it means for China and India - The Times of India - November 14th, 2024 [November 14th, 2024]
Who is Mike Waltz, Donald Trump's new NSA pick? What are his ties to India Caucus? - Firstpost - November 14th, 2024 [November 14th, 2024]
NSA should not oversee the management of national facilities RexDanquah - Citi Sports Online - November 14th, 2024 [November 14th, 2024]
Trudeaus NSA admits to leaking secret intel alleging Indias interference to Washington Post - Firstpost - October 31st, 2024 [October 31st, 2024]
White House dials NSA Ajit Doval: Here's what happened in the call - The Economic Times - October 31st, 2024 [October 31st, 2024]
NSA Doval Stresses Need For Stable Indo-Pacific In Phone Call With US Counterpart Sullivan - News18 - October 31st, 2024 [October 31st, 2024]
Director-General of NSA calls for continued support from government - GhanaWeb - October 21st, 2024 [October 21st, 2024]
5G Non Standalone Nsa Architecture Market to Reach USD 240.0 - openPR - October 21st, 2024 [October 21st, 2024]
NSA meets with Minister Muir and DAERA to discuss industry concerns - Meat Management - October 21st, 2024 [October 21st, 2024]
NSA cyber chief: Espionage is now Russias focus for cyberattacks on Ukraine - The Record from Recorded Future News - October 11th, 2024 [October 11th, 2024]
NSA Investigating If Chinese Hackers Breached US Telecoms - Yahoo Finance - October 11th, 2024 [October 11th, 2024]
NSA Issues Updated Guidance on Russian SVR Cyber Operations - National Security Agency - October 11th, 2024 [October 11th, 2024]
News - Honoring the Stars and Stripes: NSA Philadelphia Hosts Dignified Flag Disposal Ceremony - DVIDS - October 11th, 2024 [October 11th, 2024]

June 30th, 2017

No comments yet

Comments are closed.

Mediaboss Marketing

NotPetya developers obtained NSA exploits weeks before their public leak – Ars Technica

About

Pages

Categories

Media Sites

Recommended Sites

Archives