Who Are the Shadow Brokers?

What is—and isn’t—known about the mysterious hackers leaking National Security Agency secrets

In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they’ve been dumping these secrets on the internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time putting sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of thousands of computers worldwide this month.

After the WannaCry outbreak, the Shadow Brokers threatened to release more NSA secrets every month, giving cybercriminals and other governments worldwide even more exploits and hacking tools.

Who are these guys? And how did they steal this information? The short answer is: We don’t know. But we can make some educated guesses based on the material they’ve published.


“ShadowBrokers” Hacking Group Launches Subscription Service Selling Nuclear Secrets

The hacking group known as ‘The Shadow Brokers’ is pushing a monthly subscription service offering members top secret information including “compromised network data” from the nuclear and ballistic missile programs of Russia, China, North Korea and Iran.

https://www.rt.com/viral/388717-shadow-brokers-monthly-subscription/video/

As a reminder, as we have noted in the past, many security experts believe the Equation Group is the National Security Agency, and that the Shadow Brokers may be part of a psychological operations campaign run by Russian intelligence.

Shadow Brokers first emerged last August, offering to auction hacking exploits it said were used by the NSA’s elite hacking team known as Equation Group (officially named Tailored Access Operations). NSA whistleblower Edward Snowden and others confirmed the leak was authentic.

In December, Shadow Brokers cancelled its auction and offered to sell the exploits.

In April, the group released passwords to the rest of the hacking exploits in a move described as a protest against President Donald Trump for abandoning his base.

The release included a Windows SMB [Server Message Block] exploit, EternalBlue, which was leveraged in the recent WannaCry global ransomware attack.

In its Tuesday blog post, the group expressed its surprise that governments or tech companies didn’t bid in its past auctions.

It said it has always been about “the shadowbrokers vs theequation group,” and implied the NSA is a cohort of tech companies like Microsoft….


Another Large-Scale Cyberattack Underway: Experts

A global cybersecurity firm has warned that another large-scale, stealthy cyberattack is underway on a scale that could dwarf last week’s assault on computers worldwide.


Another large-scale, stealthy cyberattack is underway on a scale that could dwarf last week’s assault on computers worldwide, a global cybersecurity firm told AFP on Wednesday.

The new attack targets the same vulnerabilities the WannaCry ransomware worm exploited but, rather than freeze files, uses the hundreds of thousands of computers believed to have been infected to mine virtual currency.

Following the detection of the WannaCry attack on Friday, researchers at Proofpoint discovered a new attack linked to WannaCry called Adylkuzz, said Nicolas Godier, a researcher at the computer security firm.

“It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose,” he said.

Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to “mine” in a background task a virtual currency, Monero, and transfer the money created to the authors of the virus….

Experts Find Cyber Attack Using Adylkuzz, Another NSA Hacking Tool

Last week the world faced a massive ransomware attack using WannaCry, an NSA hacking tool, which affected 150 countries.

While investigating the WannaCry attack, experts found another ongoing cyber attack. The cybersecurity firm Proofpoint said the newly discovered attack, using Adylkuzz, is a lot quieter than WannaCry, but “has likely generated millions of dollars in cryptocurrency for the unknown attackers.” ABC News continued:

According to Ryan Kalember, the senior vice president for cybersecurity at Proofpoint, the attack employed the same hacking tools developed by the U.S. National Security Agency (NSA) and leaked to the public by the hacker group Shadow Brokers in April to exploit vulnerabilities in the Microsoft Windows operating system.

“I would say the real-world impact of this attack is going to be more substantial than WannaCry,” Kalember told ABC News. “Ransomware is painful, but you can restore operations relatively quickly. Here, you have a huge amount of money landing in some bad people’s hands. That has geopolitical consequences.”

The firm reported it found attacks from Adylkuzz “dating back to May 2, which would predate the WannaCry attacks, making Adylkuzz the first known widespread use of the leaked NSA hacking tools.” Again, no one noticed this attack “because its impact on users is far less noticeable than ransomware.” ABC News continued:

“It takes over your computer, but you probably don’t notice anything other than that the system runs really slow,” Kalember said. “Your computer might be mining cryptocurrency for some very bad people.”

Proofpoint described why the attackers used Adylkuzz:

In this attack, Adylkuzz is being used to mine Monero cryptocurrency. Similar to Bitcoin but with enhanced anonymity capabilities, Monero recently saw a surge in activity after it was adopted by the AlphaBay darknet market, described by law enforcement authorities as “a major underground website known to sell drugs, stolen credit cards and counterfeit items.” Like other cryptocurrencies, Monero increases market capitalization through the process of mining. This process is computationally intensive but rewards miners with funds in the mined currency, currently 7.58 Moneros or roughly $205 at current exchange rates.

Figure 3 shows Adylkuzz mining Monero cryptocurrency, a process that can be more easily distributed across a botnet like that created here than in the case of Bitcoin, which now generally requires dedicated, high-performance machines.

No one knows the attackers behind this attack, but Kalember stated that the “North Korean-backed Lazarus Group – the same hacker group linked to the WannaCry attacks – launched a similar cryptocurrency mining attack in late 2016.”

Microsoft produced patches for PCs “to address the vulnerability exploited by both WannaCry and Adylkuzz.” Proofpoint warned people that if the attacks had already poisoned their PCs, those machines can still remain compromised even after the patches are installed. The firm nonetheless encouraged everyone to download the patches.

Source: Experts Find Cyber Attack Using Adylkuzz, Another NSA Hacking Tool

Stop Blaming the NSA for the Ransomware Attack

An inside look at how the intelligence community deals with the exploitable software bugs it finds

Friday’s global ransomware attack has reignited the debate about how the U.S. intelligence community conceals or reveals knowledge about critical software bugs. As confirmed by a former NSA official, WannaCry exploited a vulnerability stockpiled by the agency and exposed in last year’s Shadow Brokers dump. But how much blame should the NSA bear for WannaCry’s rampage across 200,000-plus computers in 130 countries?

On the one hand, the intelligence community really does keep a trove of zero-day bugs. Spies need them to intercept communications — and much more, according to Michael Daniel, an Obama-era White House cybersecurity coordinator.

“Disclosing a vulnerability can mean that the U.S. forgoes an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks. So automatic disclosure is not always the right policy choice,” said Daniel in an email to Defense One….

Hackers Trading In NSA Spy Tools May Include Insider, Experts Say

Cybersecurity experts believe the hacker who leaked the potent software tool that powered last week’s global ransomware attacks is an American – perhaps a disgruntled insider in the U.S. intelligence community.

Such a finding would raise the stakes for halting The Shadow Brokers group, which has bedeviled the National Security Agency with releases of its hacked weaponized cyber exploits for months.

One of those leaked NSA tools allowed extortionists to spark havoc last Friday by encrypting the hard drives of more than 200,000 computers in 150 countries, the largest such cyberattack ever to hit the globe. The attackers demanded $300 or more to unlock each computer.

The NSA did not respond to a request for comment.

The Shadow Brokers group first surfaced last August, claiming to have breached the NSA and stolen sophisticated cyber tools. It sought to auction off the NSA exploits but failed to find many buyers, releasing some for free. It periodically has resurfaced with statements.

The latest statement came at 2:16 a.m. Tuesday, a long, rambling screed that used broken syntax to make it seem as if it were written by a foreigner with poor English. But the message was filled with U.S. cultural references that experts said were likely to have come only from someone with a native’s familiarity….

Top 15 Things to Know About the ‘WannaCry’ Global Ransomware Hacker Attack

Over the weekend, a virus infected thousands of computers around the world, locking up their data until a ransom was paid. Experts believe the virus uses tools stolen from the NSA to infect computers running the Microsoft Windows operating system.

The impact of the attack, using a virus known as ‘WannaCry’, appears limited in the United States so far, although security analysts fear that could change in the coming days. The virus has been running wild across Europe and Asia, inflicting an untold amount of financial damage and putting lives in danger, since one of the biggest targets was Britain’s National Health System.

Following are 15 important facts about WannaCry, including tips on how to protect vulnerable systems….
