1 May 2017

Russian and Chinese Hackers Are Exchanging Information on NSA Hack Tools on the Darknet
Russian and Chinese “cyber-communities” have been actively researching and sharing information on the recent Shadow Brokers leak of alleged NSA attack tools, suggesting cyber-criminals and state hackers could be looking to capitalize on unpatched systems around the world, according to new data.

Recorded Future has been monitoring the darknet for mention of specific keywords associated with the new trove, which came to light a fortnight ago.

It features codenames such as EternalBlue, EmeraldThread and EternalChampion, referring to exploits developed mainly to target Microsoft systems.

Although Redmond claimed in a speedy response that none of the tools work against supported products, there is still danger for organizations running unsupported systems like XP, or those that aren't up to date with their patches.

That danger was highlighted by intelligence from Recorded Future this week which revealed a lot of chatter in Russian and Chinese forums about the data dump.

Several tools have already been reverse engineered, with exploit framework FuzzBunch, SMB malware EternalBlue and privilege escalation tool EternalRomance stoking particular interest, the firm claimed in a blog post.

“Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses”, it added.

Given that Chinese APT groups have historically been able to weaponize zero-day threats just days after their public release, there is an increased risk that “malicious Chinese actors may reuse or repurpose this malware”, the firm said.

Meanwhile, in Russia, Recorded Future spotted a noted cyber-criminal providing detailed tutorials on how to weaponize EternalBlue, along with the DoublePulsar kernel payload.

Others apparently recommended EternalBlue to a hacker looking for help on exploiting a vulnerable Server Message Block version 1 (SMBv1) system.

The “cyber community” in this instance could refer to cyber-criminals and state-sponsored hackers, as well as professional researchers and curious amateurs, a Recorded Future spokesperson confirmed to Infosecurity Magazine.

Shadow Brokers itself is most likely a Russian state-linked group, NSA whistleblower Edward Snowden claimed last year.
