NSA's Leaked Malware is Being Weaponized by Criminals

What’s worse than a government agency (CIA) committed to violating privacy rights through weaponized malware? A bumbling one that hands your computer over to more common criminals who want banking information, tax refunds and anything else from which they can profit. What’s worse than an agency with weaponized malware blowing in the wind? Two agencies (NSA).

The CIA Fiasco Was Bad Enough

A May 5th headline on Zero Hedge reads “WikiLeaks Reveals “Archimedes”: Malware Used To Hack Local Area Networks.” The article explains, “In its seventh CIA leak since March 23rd, WikiLeaks has just revealed the user manual of a CIA hacking tool known as ‘Archimedes’ which is purportedly used to attack computers inside a Local Area Network (LAN). The CIA tool works by redirecting a target’s webpage search to a CIA server which serves up a webpage that looks exactly like the original page they were expecting to be served, but which contains malware. It’s only possible to detect the attack by examining the page source.”

The latest release follows WikiLeaks’ March-April revelation that CIA malware is running wild; the series of releases is collectively known as Vault 7. (See “Your Bitcoins Open to CIA and Criminals, Heed Wikileaks’ Warning” for more information.) Fortunately, WikiLeaks seems to be acting responsibly by ‘disarming’ the CIA tools before going public with them. Of course, users shouldn’t lower their guard too far.

The NSA Fiasco Is Even Worse

The hacker group The Shadow Brokers was behind last year’s release of hacking exploits used by the NSA. It appears to be taking a different tack than Wikileaks.

On April 8, the group published a sample of “exploits,” many of which “appear to be used for attacking older or little-used systems.” In short, the publication was not of great value and may have been intended to establish the veracity of unpublished malware. If so, The Shadow Brokers achieved its goal. Edward Snowden, among others, seems to credit them.

Veracity is key to making sales. But the exploits are far more valuable if they are not disarmed.

Months ago, The Shadow Brokers reportedly tried to auction off the tools but with little to no success. According to the Hacker News (December 14, 2016), the failed auction was followed up by an attempt at private sales. The article explains, “The Shadow Brokers has now appeared to have put up the NSA’s hacking tools and exploits for direct sale on an underground website….Each of the items (NSA hacking tools) on the site is categorized into a type — like “exploits,” “Trojans,” and “implant” — each of which is ranged from 1 to 100 Bitcoins (from $780 to $78,000). Anyone, including state-sponsored hackers with nation’s funding, could buy all the exploits for around $780,000.”

Whether sales were brisk or fell flat is unknown and, perhaps, unknowable.

Four months after the private sale, the hacker group Shadow Brokers released a treasure trove of documents and executables that disclosed some NSA surveillance tools, strategies and targets. One example: several major banks and the SWIFT banking network were clandestinely surveilled through tools that exploited Windows vulnerabilities. Windows is overwhelmingly the most common operating system on personal and business computers around the world.

NSA tools are out of control and running wild. Security firms report that criminals on the deep web are weaponizing them, and quickly, before large-scale global patching can occur.

The International Business Times (April 28) states, “Researchers at [the computer security firm] Recorded Future (RF) said that just three days after Shadow Brokers dumped the latest trove of data, a renowned cybercriminal belonging to a ‘top-tier’ dark web community started offering detailed tutorials on how to weaponise the alleged NSA malware strains such as DoublePulsar and EternalBlue.” Andrei Barysevich, the company’s director of advanced collection, and Levi Gundert, VP of intelligence and strategy, are quoted elsewhere on this topic.

The deep web watchdog Darknetmarkets (April 27) states, “Tutorials on how to make good use of some of the tools began emerging that same day the NSA documents were published originally, and this is according to researchers at Israel-based dark web intelligence firm SenseCy.Forum.”

Microsoft claims to have patched all the vulnerabilities on supported versions of Windows. This means those “running Windows 7 or above” should be safe as long as the computers have been updated. But some gotchas remain.

The tech site the Verge explains (April 15) that the patches are “available for all currently supported versions of Windows….[O]lder Windows XP or Windows Vista systems could still be vulnerable to three of the exploits released, but it’s unlikely that Microsoft will supply patches for these older versions of Windows as they’re already unsupported.” Other sites flatly state “it will not happen.”

Even supported machines could be vulnerable if they have not been thoroughly updated. Ars Technica supplies a valuable list and brief summary of the NSA tools that may be weaponized. In a separate article, the tech news source provides links to the Microsoft Security Bulletins (patches) for specific tools.

Older machines remain open to at least three of the NSA’s tools.

“Of the three remaining exploits, EnglishmanDentist, EsteemAudit, and ExplodingCan, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,” Phillip Misner, security manager at Microsoft’s Security Response Center, blogged. “Customers still running prior versions of these products are encouraged to upgrade to a supported offering.”

Even the computers of those who update regularly may not be secure. There are at least three reasons:

1. Some of the patches may not work. The RF report observes, “Chinese-speaking actors additionally…claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses….Chinese users are particularly interested in the unique malware triggers and many feel the underlying vulnerability exploited by these toolsets has not been completely mitigated by the patches.”

2. Some of the patches are so recent that customers may not have installed them.

3. Some computers may have been compromised through these vulnerabilities before the patches were available. The Register (April 14) reports, “The leaked archive also contains the NSA’s equivalent of the Metasploit hacking toolkit: FUZZBUNCH. Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.”
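The practical question behind reasons 1 and 2 is whether a given Windows machine has actually received the fixes for CVE-2017-0143 through CVE-2017-0148 and whether it still exposes SMBv1, the file-sharing protocol version that EternalBlue abuses. The following PowerShell script is an added example written for this article, not code from Microsoft or from any of the sources quoted above. It assumes the administrator fills in `$RequiredKBs` with the KB numbers from the Microsoft Security Bulletin that applies to the machine’s build (the value shown is a placeholder), and it uses the `LanmanServer\Parameters\SMB1` registry value as the documented switch on Windows 7 and Server 2008 R2, where the `Get-SmbServerConfiguration` cmdlet does not exist.

```powershell
# Added example (not from the article): report whether this host still has
# SMBv1 enabled and whether the administrator-listed hotfixes are installed.
# $RequiredKBs is a PLACEHOLDER; replace it with the KB numbers from the
# Microsoft Security Bulletin covering CVE-2017-0143 through CVE-2017-0148.
param(
    [string[]]$RequiredKBs = @('KB<placeholder>')
)

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting through a cmdlet.
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 registry value controls the server;
    # when the value is absent, SMBv1 is enabled by default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Get-MissingHotfix {
    param([string[]]$Wanted)
    # Get-HotFix lists updates registered with Win32_QuickFixEngineering.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($Wanted | Where-Object { $installed -notcontains $_ })
}

$smb1    = Get-Smb1State
$missing = Get-MissingHotfix -Wanted $RequiredKBs

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = [System.Environment]::OSVersion.Version.ToString()
    SMB1Enabled  = $smb1
    MissingKBs   = ($missing -join ', ')
    Status       = if ($smb1 -or $missing.Count -gt 0) { 'EXPOSED' } else { 'patched, SMBv1 off' }
} | Format-List
```

Run it in an elevated PowerShell session on each machine you are responsible for. Two caveats apply: `Get-HotFix` only sees updates that register a KB number, so a later cumulative update that supersedes a listed KB can make a patched machine look unpatched, and a machine that reports “patched” was not necessarily clean before the patch arrived, which is exactly reason 3 above.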

Common criminals have a huge opportunity to attack the computers of a vast number of users. It makes a mockery of NSA’s name – the National Security Agency.

What do you think about this new weaponized malware, the NSA and the way it handles its software? Let us know in the comments below.

Images courtesy of Shutterstock.
