Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Shadow Brokers Release More NSA Exploits

The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.

The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.

Over the weekend, the group published the password to a previously released password-protected archive. An analysis of the files revealed the existence of various exploits and lists of organizations apparently targeted by the Equation Group.

Google Project Zero researcher Tavis Ormandy said one of the leaked exploits, dubbed EXACTCHANGE, relies on a Linux kernel vulnerability that can be exploited for local privilege escalation. Ormandy believes the Equation Group had the exploit “for years” before it was discovered by Google researchers in 2009.

An analysis conducted by Maksym Zaitsev showed that the leaked files include what appear to be Solaris exploits, a cross-platform RAT, Linux keyloggers, exploits targeting Cisco firewalls, system fingerprinting tools, an IP.Board exploit, and Apache and Samba zero-days affecting several Linux distributions.

A researcher who uses the online moniker “x0rz” also analyzed the latest dump and identified a tool that can clean logs (TOAST), a fake Chinese browser (ELECTRICSLIDE), and several GSM-related tools (CURSEHAPPY, EDITIONHAZE, LIQUIDSTEEL, SHAKENGIRAFFE, WHOLEBLUE). He also found evidence that the Equation Group had been looking for clues of attacks by other threat actors on compromised systems.

Experts also found lists of IP addresses and domain names that may belong to organizations targeted by the Equation Group, and they pointed out that victims include U.S. allies.

The Shadow Brokers had initially attempted to sell the exploits they obtained, but none of their strategies, including auctions and direct sale offers, was successful. While the group has now made available another batch of files for free, Zaitsev and others, including Edward Snowden, believe there are still some files that have not been released.

In a message they posted on Medium, the Shadow Brokers told President Trump that they are disappointed by his actions.

“TheShadowBrokers voted for you,” the hackers said. “TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”

The group has once again claimed that it is not connected to Russia, but they did say that Russia and Putin are the United States’ “best allies until the common enemies are defeated and America is great again.”

However, some people have pointed out that the timing of the leak is suspicious – it comes shortly after the U.S. decided to bomb Syria, which is an ally of Russia. Some experts had previously suggested that the Shadow Brokers is actually an English-speaking group.

While many of the exploits leaked previously by Shadow Brokers turned out to rely on old vulnerabilities, some companies, including Cisco, did identify some zero-days. It remains to be seen if tech companies confirm any unpatched flaws in the latest leaks.

Related: Industry Reactions to Shadow Brokers Leak

Related: Shadow Brokers “Retire” Awaiting Offer of 10,000 Bitcoins for Cache of Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...