Shadow Brokers Release New Batch of Files Containing Windows and SWIFT Exploits

boredog · Apr 15, 2017

itman said: ↑

My gut is telling me that there is more to this latest Shadow Brokers incident which amounted to a "dog and pony" show that gathered a lot of attention but amounted to zip substance-wise.

If you can keep the "dog occupied chasing his tail", he won't see the Bear sneaking up to eat him. Would not be surprised in the least if the "really good stuff" exploit-wise is being presently distributed on the Dark Web via secure channels.
Click to expand...

+1

Good observation.

boredog · Apr 15, 2017

hawki said: ↑

Jeez Louize - Talk about Much Ado About Nothing

Yesterday the security world woke up in a tizzy about a "Microsoft Apocolypse", the apparent severity of which lessened somewhat throughout the day - and now this Microsoft reveal, and the coordinated China/US "Good Cop-Bad Cop" approach apparently dissuaded North Korea from starting WW III (at least for the time being).

Be Thankful
Click to expand...

Maybe China slapped their War happy fingers?

Minimalist · Apr 15, 2017

I don't know how some researchers did their tests - saying exploits are good? They conducted tests on unpatched systems?

Since vulnerabilities were patched in March updates, we can assume that somebody shared them with MS before they got released.

hawki · Apr 15, 2017

Minimalist said: ↑

I don't know how some researchers did their tests - saying exploits are good? They conducted tests on unpatched systems?

Since vulnerabilities were patched in March updates, we can assume that somebody shared them with MS before they got released.
Click to expand...

"...Those fears appear to have been prompted by experts using even slightly out-of-date versions of Windows in their labs. One of Microsoft's fixes, also called a patch, was only released last month .

'I missed the patch," said British security architect Kevin Beaumont, jokingly adding, "I'm thinking about going to live in the woods now...'

Beaumont wasn't alone. Matthew Hickey, of cybersecurity firm Hacker House, also ran the code against earlier versions of Windows on Friday. But he noted that many organizations put patches off, meaning 'many servers will still be affected by these flaws... ' "

https://phys.org/news/2017-04-microsoft-users-alleged-nsa-malware.html

If you look through the initial reports in the posts above you will see that Beaumont and Hickey were at the forefront of scaring Windows users. Hickey even got Snowden fooled.

Confucius say: Man who eat breakfast upside down end up with egg on face!

ronjor · Apr 15, 2017

Protecting customers and evaluating risk

MSRC TeamApril 14, 20170

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.
Click to expand...

emmjay · Apr 15, 2017

Maybe this is what kept Microsoft busy in February - there were no patches for any version of Windows and they refused to give an explanation. The exploits were addressed in the March patches. Feasible?

ronjor · Apr 15, 2017

emmjay said: ↑

Feasible?
Click to expand...

Very feasible.

Minimalist · Apr 15, 2017

emmjay said: ↑

Maybe this is what kept Microsoft busy in February - there were no patches for any version of Windows and they refused to give an explanation. The exploits were addressed in the March patches. Feasible?
Click to expand...

Maybe. As I remember it was something they found last minute that kept them from releasing updates in February. But why wouldn't they release other updates in February and then updates for exploits in March?

itman · Apr 15, 2017

0-day exploits sell for $10,000+: http://cybersec.buzz/darknet-deep-web-zero-day-exploits/ . With that kid of money involved, you would have to be an complete idiot to give one away for free.

I believe the Shadow Broker folks might be studying "chaos theory" these days ...............

hawki · Apr 15, 2017

itman said: ↑

0-day exploits sell for $10,000+: http://cybersec.buzz/darknet-deep-web-zero-day-exploits/ . With that kid of money involved, you would have to be an complete idiot to give one away for free.

I believe the Shadow Broker folks might be studying "chaos theory" these days ...............
Click to expand...

The "Shadow Broker" is a character type in the PC game "Mass Effect." I suspect it is this character that inspired The Shadow Brokers' name. The questions about it's suitability are obvious:

"The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business...

...The Shadow Broker's identity is unknown to the general public in 2183; the Broker always operates through an agent. Barla Von refers to the Broker as "he" for convenience's sake, but tells Commander Shepard that he believes the Shadow Broker is a group of individuals: it does not seem possible for a single individual to monitor all of the available information and have such a wide sphere of influence...

Some of the Broker's resources are scattered across the galaxy, awaiting discovery."

http://masseffect.wikia.com/wiki/Shadow_Broker

BoerenkoolMetWorst · Apr 15, 2017

hawki said: ↑

"...Those fears appear to have been prompted by experts using even slightly out-of-date versions of Windows in their labs. One of Microsoft's fixes, also called a patch, was only released last month .

'I missed the patch," said British security architect Kevin Beaumont, jokingly adding, "I'm thinking about going to live in the woods now...'

Beaumont wasn't alone. Matthew Hickey, of cybersecurity firm Hacker House, also ran the code against earlier versions of Windows on Friday. But he noted that many organizations put patches off, meaning 'many servers will still be affected by these flaws... ' "

https://phys.org/news/2017-04-microsoft-users-alleged-nsa-malware.html

If you look through the initial reports in the posts above you will see that Beaumont and Hickey were at the forefront of scaring Windows users. Hickey even got Snowden fooled.

Confucius say: Man who eat breakfast upside down end up with egg on face!
Click to expand...

Hmm, MS says it was already patched but then there's reports telling explicitly with this months updates some Windows versions are still vulnerable:

hawki said: ↑

There are exploits that work 100 percent against Windows 7 with the April Service Pack.

There are exploits that work 100 percent against Windows Server 2012 R2 with the latest updates as of April 14, 2017.
Click to expand...

hawki · Apr 15, 2017

BoerenkoolMetWorst said: ↑

Hmm, MS says it was already patched but then there's reports telling explicitly with this months updates some Windows versions are still vulnerable:
Click to expand...

Windows Central, the source for the quote cited has this to say today:

"...We're unsure why we (and plenty of others) were still able to exploit up to date versions of Windows 7 and Server 2012.

However, our advice still stands: Use the latest software, install updates when they become available, and be mindful of your internet activities and what software you install. The original text of our article follows..."

http://www.windowscentral.com/everything-you-need-know-about-latest-shadowbrokers-dump?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wmexperts+(Windows+Central)

itman · Apr 18, 2017

SWIFT denies any hack coming from NSA or otherwise
Apr 18, 2017 14:05 GMT · By Gabriela Vatu ·
Share:
The Shadow Brokers hacker group dumped another pile of NSA files on the Internet, some concerning the agency's ways of breaking into Windows systems, and some regarding its targets, namely the SWIFT Service Bureaus.

The fact that the NSA had possibly targeted SWIFT had been known for years, since Edward Snowden's original NSA file leaks. Now, however, this comes into focus once more as there is evidence of exploits targeting two of Swift's Service Bureaus looking for banking data for a number of financial institutions in the Middle East. It is believed that the agency was monitoring funds for terrorist operations.

"In this case, if Shadow Brokers claims are indeed verified, it seems that the NSA sought to totally capture the backbone of the international financial system to have a God's eye into a SWIFT Service Bureau - and potentially the entire SWIFT network. this would fit within standard procedure as a covert entity entrusted with covert actions that may or may not be legal in a technical way," wrote researcher Matt Suiche in a blog post.

Despite the data coming from the Shadow Brokers, SWIFT claims its infrastructure or data has not been compromised. "There is no impact on SWIFT's infrastructure or data, however, these we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties," a representative of SWIFT told Threatpost.
Click to expand...

http://news.softpedia.com/news/shadow-brokers-dump-nsa-files-showing-swift-infiltration-514938.shtml

itman · Apr 18, 2017

The new shadow brokers leak connects the NSA to the stuxnet cyber weapon used on Iran

Researchers have found an hidden gem inside the treasure trove of the new alleged NSA hacking tools dumped by the Shadow Brokers.
(Article by Lorenzo Franceshi-Bicchierai from motherboard.vice.com)

The mysterious hacking group known as Shadow Brokers came back on Friday to drop its most explosive—and damaging—dump yet, a collection of alleged hacking tools for Microsoft Windows computers.

Buried among this new treasure trove, there are several mentions of previously disclosed NSA top secret programs and software such as “STRAITBIZARRE,” used to control implants remotely, and “JEEPFLEA,” a project to hack the money transferring system SWIFT. These provide yet another hint that these are indeed tools stolen from the NSA’s elite hacking team.

Perhaps more surprisingly, the dump also included one tool that was used in the famous Stuxnet worm, arguably the world’s first digital weapon, used to hit an Iranian nuclear power facility and damage its centrifuges to slow down the country’s nuclear weapons program.
Click to expand...

http://treason.news/2017-04-17-the-...to-the-stuxnet-cyber-weapon-used-on-iran.html

hawki · Apr 18, 2017

emmjay said: ↑

Maybe this is what kept Microsoft busy in February - there were no patches for any version of Windows and they refused to give an explanation. The exploits were addressed in the March patches. Feasible?
Click to expand...

"Experts contend Microsoft canceled Feb. updates to patch NSA exploits..."

http://www.computerworld.com/articl...nceled-feb-updates-to-patch-nsa-exploits.html

itman · Apr 21, 2017

AES-NI Ransomware Dev Claims He's Using Shadow Brokers Exploits

The developer of the AES-NI ransomware claims that the recent "success" he's been enjoying is due to the NSA exploits leaked last week by the Shadow Brokers group.

In a series of tweets he posted online, the AES-NI author alleges he successfully used ETERNALBLUE, an exploit targeting the SMBv2 protocol, to infect Windows servers across the globe and then install his home-made ransomware.

The only evidence the AES-NI author provided was a screenshot that showed the ransomware dev scanning a server for three NSA exploits.
Click to expand...

https://www.bleepingcomputer.com/ne...dev-claims-hes-using-shadow-brokers-exploits/

itman · Apr 21, 2017

Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools

Vulnerable unpatched systems expose exploitable SMB networking to world+dog

The NSA's Equation Group hacking tools, leaked last Friday by the Shadow Brokers, have now been used to infect thousands of Windows machines worldwide, we're told.

On Thursday, Dan Tentler, founder of security shop Phobos Group, told The Register he's seen rising numbers of boxes on the public internet showing signs they have DOUBLEPULSAR installed on them. These hijacked machines can be used to sling malware, spam netizens, launch further attacks on other victims, and so on.

DOUBLEPULSAR is a backdoor used to inject and run malicious code on an infected system, and is installed using the ETERNALBLUE exploit that attacks SMB file-sharing services on Windows XP to Server 2008 R2. That means to compromise a computer, it must be running a vulnerable version of Windows and expose an SMB service to the attacker. Both DOUBLEPULSAR and ETERNALBLUE are leaked Equation Group tools, now available for any script kiddie or hardened crim to download and wield against vulnerable systems.

Tentler said that a preliminary scan of the public internet on Thursday using Shodan.io revealed 15,196 infections, with four-fifths of those coming from IP ranges in the US. These numbers increase with each followup scan. A DOUBLEPULSAR-riddled system can be identified by the way it responds to a special ping to port 445.

The problem may be even more serious. A larger scan by infosec researcher Robert Graham showed around 41,000 infected hosts and more scans are going to be carried out, so expect that number to rise.
Click to expand...

https://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/

itman · Apr 21, 2017

One of those implants is DOUBLEPULSAR, which is "RING-0 multi-version kernel mode payload," according to security expert Matthew Hickey, or in simpler terms a "malware downloader" used as an intermediary for downloading more potent malware executables on infected hosts.

Earlier this week, trying to assess the number of users vulnerable to the malware leaked last Friday, cyber-security firm Below0Day has performed an Internet-wide scan for Windows computers with open SMB ports (port 445).

Their scan returned a number of 5,561,708 Windows computers with port 445 exposed to external connections.
Click to expand...

https://www.bleepingcomputer.com/ne...ters-infected-with-nsas-doublepulsar-malware/

Minimalist · Apr 25, 2017

NSA backdoor detected on >55,000 Windows boxes can now be remotely removed

On Tuesday, security firm Countercept released an update to the DoublePulsar detection script it published last week. It now allows people anywhere on the Internet to remotely uninstall the implant from any infected machine.
Click to expand...

https://arstechnica.com/security/20...00-windows-boxes-can-now-be-remotely-removed/

itman · Apr 25, 2017

Minimalist said: ↑

https://arstechnica.com/security/20...00-windows-boxes-can-now-be-remotely-removed/
Click to expand...

After Microsoft officials dismissed evidence that more than 10,000 Windows machines on the Internet were infected by a highly advanced National Security Agency backdoor, private researchers are stepping in to fill the void.

Minimalist · Apr 25, 2017

Yes, also this:

On late Friday afternoon, Microsoft officials issued a one-sentence statement saying that they doubted the accuracy of multiple Internet-wide scans that found anywhere from 30,000 to slightly more than 100,000 infected machines. The statement didn't provide any factual basis for the doubt, and officials have yet to respond on the record to requests on Tuesday for an update.
Click to expand...

itman · Apr 27, 2017

Shadow Brokers Attack Tools Light Up Chinese and Russian Darknet

That danger was highlighted by intelligence from Recorded Future this week which revealed a lot of chatter in Russian and Chinese forums about the data dump.

Several tools have already been reverse engineered, with exploit framework FuzzBunch, SMB malware EternalBlue and privilege escalation tool EternalRomance stoking particular interest, the firm claimed in a blog post.

“Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses”, it added.

Given that Chinese APT groups have historically been able to weaponize zero day threats just days after their public release, there’s an increased risk that “malicious Chinese actors may reuse or repurpose this malware”, the firm said.
Click to expand...

https://www.infosecurity-magazine.com/news/shadow-brokers-attack-tools-china/

hawki · Aug 16, 2017

"Shadow Broker exploit dumps five million cyber attacks

More than five million cyber attacks originated from a series of exploit archives dumped onto the internet between April and June this year, according to Kaspersky Lab..."

http://www.itpro.co.uk/security/29234/shadow-broker-exploit-dumps-five-million-cyber-attacks

guest · Nov 5, 2019

Kaspersky identifies mysterious APT mentioned in 2017 Shadow Brokers leak
November 5, 2019
https://www.zdnet.com/article/kaspe...us-apt-mentioned-in-2017-shadow-brokers-leak/

In 2017, a mysterious group of hackers known as the Shadow Brokers published online a data dump called "Lost in Translation."

However, one of the nuggets in the release was a file named sigs.py, a veritable treasure trove of signals intelligence data.
But in a report last month, GReAT, Kaspersky's elite hacker hunting unit, said they've finally managed to identify one of those mysterious APTs -- namely the group tracked through the sigs.py signature #27.
Kaspersky says signature #27 can identify files that are part of "DarkUniverse," a malware framework, and a name they are now also using to track the APT and its activities.

Researchers say the DarkUniverse group has been active from 2009 to 2017, appearing to go silent after the ShadowBrokers leak.
Below are the capabilities of the DarkUniverse malware framework, a typical remote access trojan, and a pretty advanced one, according to Kaspersky's assessment.
Click to expand...

Kaspersky: DarkUniverse – the mysterious APT framework #27

Log in or Sign up

Shadow Brokers Release New Batch of Files Containing Windows and SWIFT Exploits

boredog Registered Member

boredog Registered Member

Minimalist Registered Member

hawki Registered Member

ronjor Global Moderator

emmjay Registered Member

ronjor Global Moderator

Minimalist Registered Member

itman Registered Member

hawki Registered Member

BoerenkoolMetWorst Registered Member

hawki Registered Member

itman Registered Member

itman Registered Member

hawki Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

itman Registered Member

hawki Registered Member

guest Guest

Log in or Sign up

Shadow Brokers Release New Batch of Files Containing Windows and SWIFT Exploits

boredog Registered Member

boredog Registered Member

Minimalist Registered Member

hawki Registered Member

ronjor Global Moderator

emmjay Registered Member

ronjor Global Moderator

Minimalist Registered Member

itman Registered Member

hawki Registered Member

BoerenkoolMetWorst Registered Member

hawki Registered Member

itman Registered Member

itman Registered Member

hawki Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

itman Registered Member

hawki Registered Member

guest Guest

Useful Searches