The Security Ledger

Chinese and Russian Hackers Mining Shadow Brokers Release

In-brief: Chinese and Russian hacking crews are making short work of a clutch of new hacking tools released by the group Shadow Brokers and purportedly stolen from the NSA. Attacks using the tools may already be taking place. 

Chinese and Russian hacking crews are making short work of a clutch of new hacking tools released by the group Shadow Brokers and purportedly stolen from the U.S. National Security Agency, the company Recorded Future said on Tuesday.

The release of a slew of powerful tools is part of an ongoing plague of leaks of sensitive and classified information, including documents published on Wikileaks that detail NSA and CIA cyber capabilities. Reports by CBS and other news outlets say the NSA and FBI are pursuing the theory that a current or former military contractor is the source of the leaks. 

A graph shows mentions of the leaked hacking tool EternalBlue in underground hacking forums. Image courtesy of Recorded Future.

In the meantime, however, the leaked tools have provided a bounty to cyber criminal groups operating out of China and Russia, who have downloaded, analyzed and are beginning to deploy the cyber weapons, which have names like ETERNALBLUE, ETERNALROMANCE and DOUBLEPULSAR.

From Recorded Future’s blog:

As of April 15, the Chinese cyber community had begun to investigate the most recent release of malware from the Shadow Brokers group. Security researchers and cyber actors reversed several of the tools and were particularly interested in the exploit framework (named FUZZBUNCH), the SMB malware (ETERNALBLUE), and the privilege escalation tool (ETERNALROMANCE). Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses.

Recorded Future said chatter about the hacking tools, which began on April 15, peaked on April 17. The company has observed participants in a Russian-language hacking forum recommending the recently released ETERNALBLUE exploit and admiring its usefulness.

Other observed conversations included speculation that vendor patches for previously unknown vulnerabilities in Microsoft Windows may not fully protect those systems. A new wave of attacks exploiting the underlying hole is possible. Recorded Future notes that Chinese hacking crews, especially, are adept at “weaponizing” zero-day vulnerabilities – often within days of obtaining them.

Source: Chinese and Russian Cyber Communities Dig Into Malware From April Shadow Brokers Release
