Shadow Brokers’ latest leak could have come from beyond NSA staging servers

Cyberscoop | 1/10/2017 | Staff

A mysterious group that claims to have stolen tools once used by the NSA published material Sunday to show it is in possession of Microsoft Windows software exploits.

Screenshots of the alleged exploits in use, along with a comprehensive list of filenames and directories, were shared by the enigmatic group, the “Shadow Brokers,” in a new blog post. Beyond the supplementary evidence is a set of encrypted folders, each protected by a PGP key. The encrypted folders presumably hold the actual, functioning exploits, Rendition Infosec founder Jake Williams told CyberScoop.


A meticulous inspection of the aforementioned filenames and directories provides some clues about where the hacking tools came from and when they were developed.

Cybersecurity experts tell CyberScoop the viewable evidence suggests the existence of advanced hacking tools, which could be used to exfiltrate data, destroy digital forensic evidence, attribute old cyberattacks and compromise numerous systems running older versions of Windows. The Shadow Brokers are supposedly selling the exploits for roughly $850,000 worth of bitcoin in total.


“These filenames and directories look familiar to me … Based on their [Shadow Brokers] past behavior, other things they’ve posted, I have no reason to believe they don’t have them,” a former U.S. intelligence official told CyberScoop on the condition of anonymity.

Microsoft security teams are aware of the leaked exploits and have begun investigating the incident.


“[But] there’s not much for Microsoft to do until the files themselves are made public,” said Williams, a former vulnerability analyst with the Defense Department.

“Microsoft has telemetry where they get crash reports that include data about what caused a crash. Given that the Shadow Brokers are indicating they have zero days for IIS [Internet Information Services for Windows Servers], RDP [Microsoft Remote Desktop] and SMB [Microsoft Server Message Block], teams are likely taking a hard look at crash reports...
(Excerpt) Read more at: Cyberscoop