5/18/2017

The Shadow Brokers

The Equation Group (Kaspersky Lab's name for the actor, chosen because of its heavy use of strong encryption and obfuscation in its tooling) is a highly sophisticated threat actor suspected of being tied to the United States National Security Agency; its capabilities overlap with items in the leaked NSA ANT catalog. Kaspersky Lab describes it as one of the most sophisticated cyber-attack groups in the world and "the most advanced ... we have seen". Most of its known targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.


Kaspersky counted over 500 victim infections in at least 42 countries. Many regard the Equation Group as an elite hacking squad, but it has also been argued that "Equation Group" is less a group than a label for a collection of tools and implants: GrayFish, TripleFantasy, Equestre, Grok and Fanny, together with Stuxnet, Flame, Gauss and Regin, which researchers have linked to the same actor through shared exploits and code.


Even with all these sophisticated pieces of malware, the Equation Group's single most striking capability was infecting a hard drive's firmware. Its firmware module could reflash drives from Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate, which together account for the vast majority of PCs in the world, although Kaspersky saw it deployed only against a handful of high-value victims. The rewritten firmware creates a hidden storage area on the drive that survives reformatting and operating-system reinstallation, and because there is no way for software on the host to read the drive's firmware back, the infection is effectively invisible.
While Windows is the operating system of choice, Kaspersky's sinkhole data showed a large number of infected users in China running Mac OS X, suggesting that a Mac OS X version of DoubleFantasy also exists; the same goes for the iPhone, whose user agent also showed up in that traffic.
In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group. Kaspersky tied the free sample files to the Equation Group through a distinctive RC6 encryption implementation that matched the one found in the group's known malware. The Shadow Brokers went on to publish several leaks of hacking tools from the National Security Agency (NSA), including several zero-day exploits.

The April 2017 dump titled "Lost in Translation" contains almost 300 MB of hacking tools and data. It targets a range of Windows client and server operating systems (the leak's own notes claim targets up to Windows 10 and Server 2016, although Microsoft stated that supported versions were already patched), as well as Linux systems; applications including the SWIFT banking system; and client-side targets such as Lotus Domino and Outlook rules. It even includes a management framework for exploit delivery and C2, similar to Metasploit, called FuzzBunch. Across the leaks, the exploits and vulnerabilities targeted enterprise firewalls, anti-virus products, and Microsoft products.
EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
ETERNALROMANCE is an SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)
EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 (MS10-061)
ENGLISHMANSDENTIST sets Outlook Exchange Web Access rules to trigger executable code on the client's side and send an email to other users
EPICHERO is a 0-day remote code execution exploit for Avaya Call Server
ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003
ETERNALSYNERGY is an SMBv3 remote code execution exploit for Windows 8 and Server 2012 SP0 (MS17-010)
ETERNALBLUE* is listed in the leak as an SMBv2 exploit for Windows 7 SP1 (MS17-010); the underlying bug is in the SMBv1 server code, so disabling SMBv1 removes the attack surface even on unpatched hosts
ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later; at the time of the leak it was not detected by any AV vendor
EAGERLEVER is an NBT/SMB exploit for Windows NT 4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release
PASSFREELY is a utility which "Bypasses authentication for Oracle servers"


*ETERNALBLUE: the WannaCry ransomware outbreak of May 2017 used ETERNALBLUE against Server Message Block (SMB) to spread from machine to machine without any user interaction; hosts that had applied MS17-010 (released in March 2017) were not vulnerable to that spreading mechanism.
 
It all started with an auction announced on GitHub...

Equation Group Cyber Weapons Auction - Invitation
- ------------------------------------------------
!!! Attention government sponsors of cyber warfare and those who profit from it !!!!
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
- --------------------
We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.

Russia?
Edward Snowden stated on August 16, 2016 that "circumstantial evidence and conventional wisdom indicates Russian responsibility" and that the leak "is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server" summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast".

The real problem.
The problem is that we, the laymen, are intentionally being kept illiterate. Schools teach us how to use Microsoft Word and Office as if there were no other options (FreeOffice, LibreOffice, WPS Office), but they will not even dare to teach the basics of how a computer works, let alone basic coding skills, mostly because the teachers themselves are completely illiterate, and that attitude comes from the corporate world. We are here to consume and to wait until the piece of hardware we have bought is obsolete, then to buy again, without knowing how it works or what its true potential is. Yes, it is also a sad reflection of ourselves as individuals.
www.feexit.mx
rp@feexit.mx
@feexitmx