
NSA Cyber Weapons installed in High Profile Targets in Greece

The installation of the monitoring software was carried out either by the NSA's highly sophisticated hacking team or by hackers who leveraged the tools leaked by the Shadow Brokers.

Last week, a collection of spy tools allegedly used by the National Security Agency for operations against global targets of interest was leaked online by the underground hacking group, Shadow Brokers.

The tools were released online in the following form and were accessible to anyone:

[Image: NSA Cyber Weapons]

The NSA's cyber weapons include many exploits for Microsoft Windows, Lotus Notes, MDaemon WebAdmin, IIS, Solaris systems and Microsoft Exchange, as well as additional Python-based tools.

[Image: NSA Cyber Weapons]

These tools (Fuzzbunch, EternalBlue, DoublePulsar, DanderSpritz) are part of the powerful NSA hacking toolset (also known as the "NSA Metasploit") used by the intelligence agency for hacking operations against governments, companies, and organizations.

[Image: NSA Cyber Weapons]

THE RESEARCH

SecNews researchers conducted a thorough study of the Shadow Brokers leak, focusing mainly on its effects. As is already known, the NSA backdoor has been installed on thousands of computers and servers around the world. A map of the affected countries is presented below:

[Image: NSA Cyber Weapons, map of affected countries]

The purpose of SecNews research, considering the importance of the leaked data, was to identify companies or networks exclusively from the Greek Territory that have been targeted by malicious activities related to NSA’s cyber weapons.

After analyzing the leaked NSA toolkit and taking into consideration its particular digital fingerprints, we conducted an investigation to detect which IP addresses in Greece are affected by the NSA cyber weapons.

The assessment procedure was carried out in the following steps:

  • First, we scanned the Greek Internet for publicly exposed SMB (port 445) and Remote Desktop (RDP, port 3389) services.
  • We detected 1086 IP addresses with SMB exposed online.
  • We detected 4263 IP addresses with Remote Desktop exposed online.
  • Then, using properly parameterized scripts such as masscan and detect_doublepulsar_rdp & smb (Python), in conjunction with the NSA-leaked files, we detected where the cyber weapon is installed.
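The step that actually identifies the implant rather than an open port relies on a well-known fingerprint of the DoublePulsar SMB backdoor: sent an SMB1 Trans2 SESSION_SETUP request whose Multiplex ID is 0x41, an infected host echoes 0x51 in the reply, while a clean server echoes 0x41 (with an error status, since SESSION_SETUP is not a valid Trans2 subcommand). The following Python is an added example that is not SecNews' or Security Affairs' code and not the detect_doublepulsar scripts themselves; it builds that probe, classifies the reply, and can be pointed at internal servers as the research suggests. It assumes the SMB1 handshake (Negotiate, Session Setup, Tree Connect) has already been completed by other code, which supplies the `tid` and `uid` values; the `FakeSession` class and the `build_reply` helper are constructed stand-ins so the check runs offline.

```python
"""DoublePulsar SMB "ping" check: probe builder and reply classifier.

Added example. Assumes an existing SMB1 session (Negotiate, Session Setup,
Tree Connect already done) so that the tree id (tid) and user id (uid)
are known; only the implant fingerprint step is implemented here.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32     # SMB1 TRANSACTION2 command
TRANS2_SESSION_SETUP = 0x000E   # Trans2 subcommand the implant listens on
PROBE_MID = 0x41                # Multiplex ID we send
INFECTED_MID = 0x51             # Multiplex ID the implant echoes back

# SMB1 header layout (32 bytes, little-endian):
# magic, command, status, flags, flags2, pid_high, signature(8),
# reserved, tid, pid_low, uid, mid
_HEADER_FMT = "<4sBIBHH8sHHHHH"


def build_trans2_session_setup(tid: int, uid: int, pid: int = 0xFEFF) -> bytes:
    """Build the NetBIOS-framed Trans2 SESSION_SETUP probe (82 bytes)."""
    header = struct.pack(_HEADER_FMT, SMB_MAGIC, SMB_COM_TRANSACTION2, 0,
                         0x18, 0xC007, 0, b"\x00" * 8, 0, tid, pid, uid, PROBE_MID)
    # Transaction2 parameter words: 12 parameter bytes, no data, one setup
    # word carrying the SESSION_SETUP subcommand. Offsets count from the
    # start of the SMB header: 32 + 1 (word count) + 30 + 2 (byte count) + 1 pad.
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        12,   # TotalParameterCount
                        0,    # TotalDataCount
                        1,    # MaxParameterCount
                        0,    # MaxDataCount
                        0,    # MaxSetupCount
                        0,    # Reserved
                        0,    # Flags
                        0,    # Timeout
                        0,    # Reserved2
                        12,   # ParameterCount
                        66,   # ParameterOffset
                        0,    # DataCount
                        78,   # DataOffset
                        1,    # SetupCount
                        0,    # Reserved3
                        TRANS2_SESSION_SETUP)
    body = header + bytes([15]) + words + struct.pack("<H", 13) + b"\x00" * 13
    return struct.pack(">I", len(body)) + body   # NetBIOS session header


def classify_response(raw: bytes) -> str:
    """Return 'infected', 'clean' or 'unknown' for a reply to the probe."""
    if len(raw) < 36:
        return "unknown"
    nb_len = struct.unpack(">I", raw[:4])[0] & 0x00FFFFFF
    if nb_len < 32 or raw[4:8] != SMB_MAGIC or raw[8] != SMB_COM_TRANSACTION2:
        return "unknown"
    mid = struct.unpack("<H", raw[34:36])[0]   # Multiplex ID, header offset 30
    if mid == INFECTED_MID:
        return "infected"
    if mid == PROBE_MID:
        return "clean"
    return "unknown"


def probe_session(sock, tid: int, uid: int) -> str:
    """Send the probe on an established SMB1 session and classify the reply.

    `sock` needs sendall()/recv(); a real socket works once the handshake
    has been done by other code.
    """
    sock.sendall(build_trans2_session_setup(tid, uid))
    return classify_response(sock.recv(1024))


def build_reply(mid: int, status: int = 0) -> bytes:
    """Constructed minimal Trans2 reply (header + empty body) for offline tests."""
    header = struct.pack(_HEADER_FMT, SMB_MAGIC, SMB_COM_TRANSACTION2, status,
                         0x98, 0xC007, 0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    body = header + b"\x00" + struct.pack("<H", 0)   # word count 0, byte count 0
    return struct.pack(">I", len(body)) + body


class FakeSession:
    """Constructed stand-in for a socket: records what was sent, returns a canned reply."""
    def __init__(self, reply: bytes):
        self.reply = reply
        self.sent = b""

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        return self.reply[:n]


if __name__ == "__main__":
    for label, mid in (("implant-style reply", INFECTED_MID), ("normal reply", PROBE_MID)):
        print(label, "->", probe_session(FakeSession(build_reply(mid)), 0x0800, 0x0800))
```

The classifier deliberately keys on the Multiplex ID alone: a clean server returns an error status for the bogus subcommand but still echoes 0x41, so checking the status would only add noise. Anything that is not a Trans2 reply, or that carries an unexpected MID, is reported as "unknown" rather than "clean", so a filtered port or an SMB2-only host is never mistaken for a verified negative.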

The final findings/results are shown in the table below. For security reasons, the IP addresses are hidden, to protect the targeted companies/organizations, so that a malicious user cannot use the mentioned cyber weapon for his own benefit.

[Image: NSA Cyber Weapons, table of findings]

CONCLUSIONS

According to the findings, the NSA remote access software was installed:

  • Within the network (AIA-Cust3-Infr) of Athens International Airport “Eleftherios Venizelos”. We are not in a position to know whether the network is related to the airport’s infrastructure or to a third-party company to which the airport provides backbone access.
  • On a web server (accessible via the Internet) belonging to SKAI TV, one of the largest media groups in Greece.
  • On a server belonging to Vodafone (or an affiliated company).
  • On a server / part of the internal network management system of Interworks Cloud (interworks.biz, webserve.gr). It is worth mentioning that the business marketplace of the telecommunications company Wind (windbusiness.com.gr) is located in the same IP block.
  • On a PC with a DSL / VDSL connection (OTE/Cosmote); it is not known whether it belongs to a corporate customer or a home user. In either case, it does not appear to have any correlation with OTE/Cosmote’s critical infrastructure.
  • Within a server of SYKARIS (possibly a graphic arts company).
  • Within a server of MELKA (possibly a construction company).
  • On a terminal / server of the Civil Engineering Department of the Aristotle University of Thessaloniki.
  • On a terminal / server of the Technological Educational Institute of Epirus, in the VLAN management system.
  • On a terminal at the University of Thessaly (possibly a remote DSL connection).

According to our research, all of the aforementioned systems were infected with the “DoublePulsar” backdoor. DoublePulsar allows an attacker to load malicious software of their choice, such as an arbitrary DLL, directly into memory on the compromised host, where it is difficult to track.

“It must be mentioned that we cannot know whether the installation of the cyber weapons was conducted by the NSA or by third-party hackers who leveraged the tools leaked by the Shadow Brokers. One thing is sure, however: the affected companies/organizations should immediately test and evaluate their systems’ security (especially if the affected systems are related to internal networks).”

The same procedure that we applied during our research to the Greek public Internet can also be applied to internal servers, in order to check whether the cyber-monitoring software is installed. The aforementioned targets ought to conduct digital forensic analysis and security audits to get an objective assessment of the affected servers.

SecNews researchers are at the disposal of administrators or legal representatives of the affected companies, organizations, and entities, to provide them with any additional information needed. Details on the assessment procedure, or on how security audits can be performed on an internal network, can also be provided once the administrators have detected a related infection and identified its extent.

About the author: Konstantinos Vavousis
Editor in Chief, SecNews


Pierluigi Paganini

(Security Affairs – Shadow Brokers, NSA)