ShadowBrokers offers for sale the stolen NSA Windows Hacking Tools

The ShadowBrokers, the hacker crew that stole the arsenal of the NSA-linked Equation Group, is offering the stolen NSA Windows hacking tools for sale.

The ShadowBrokers is the hacker crew that leaked a portion of the arsenal of the NSA-Linked Equation Group, a precious archive containing hacking tools and exploits.

At the end of October, the hackers leaked a fresh dump containing a list of servers that had been hacked by the NSA-linked group known as the Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The ShadowBrokers provided links to two distinct PGP-encrypted archives: the first was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second the group requested 1 million BTC.

The first archive contained roughly 300 MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researcher Mustafa Al-Bassam published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old; the newest timestamp dates to October 2013.

In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive: an alleged member of the hacker group expressed his dissent at the lack of interest in ponying up bitcoins to release the full NSA data dump.

In early December 2016, the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers for less than two bitcoins.

We last met the Shadow Brokers in December 2016, when they changed their sales model, offering the NSA’s hacking arsenal for direct sale on an underground website.

The hacking group is back and is now selling another package of hacking tools, “Equation Group Windows Warez.” The new archive includes a collection of Windows exploits and tools to evade detection by antivirus solutions.

The first malware, the Remote Administration Tool (RAT) “DanderSpritz,” was included in the collection of documents leaked by Edward Snowden.

The group posted a message on their website on the ZeroNet, announcing the sale of the entire “Windows Warez” archive for 750 Bitcoin (around US$678,630).

The data dump offered for sale contains several hacking tools grouped in the following categories:

  • Fuzzing tools (used to discover errors and security loopholes)
  • Exploit Framework
  • Network Implants
  • Remote Administration Tools (RAT)
  • Remote Code Execution Exploits for IIS, RDP, RPC, SMB Protocols (Some Zero-Days)
  • SMB BackDoor (Implant)

The malware researcher Jacob Williams published an analysis of the archive of “screenshots and output of the find command across the dump” provided by the ShadowBrokers. Williams started by searching for information on the term “Psp_Avoidance,” which appears in one of the screenshots published by the group.

Running Google queries on the term “psp computer network operations,” the researcher got back as the fifth result a page from ManTech. The page details the ACTP CNO Programmer Course, and the course documentation indicates that PSP is an acronym for “Personal Security Product.”

“So, circling back around, what is Psp_Avoidance?  Obviously, we don’t know – but if the acronym is correct, it would seem to be software built to evade personal security products, which directory listings suggest (as does ManTech) are antivirus programs.” wrote the expert.

“Should you run antivirus products? Sure. At Rendition Infosec we tell customers that operating without AV is like driving a car with no airbags. But this dump suggests that advanced attackers have mitigations for antivirus products – a sobering reality for organizations without defense in depth.”

The only certainty at this moment is that a powerful arsenal is available for sale, one that also includes hacking tools that could be exploited by a threat actor in the wild for large-scale espionage campaigns.

But since this time the group has put Windows hacking tools up for sale, the chances are that hackers and espionage groups will be interested in buying them.

Pierluigi Paganini

(Security Affairs – The Equation Group, APT)