One of the key events in computer security occurred in April 2017, when an unidentified group called the Shadow Brokers published a collection of the National Security Agency's most sought-after hacking tools. The leak, and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide, made the theft one of the biggest operational failures in NSA history.
On Monday, security firm Symantec reported that two of these advanced hacking tools were used against a variety of targets from March 201
The realization that the powerful NSA tools were being reused much earlier than previously thought will almost certainly trigger a new round of criticism of the agency's inability to secure its arsenal.
"...additional criticism of the ability to protect their tools," said Jake Williams, a former NSA hacker who co-founded Rendition Infosec, told Ars. "If they did not lose the tools due to a direct compromise, [Buckeye] intercepted the exploits in transit or discovered them independently. All this completely nullifies the NOBUS argument."
"NOBUS" is short for "nobody but us," a mantra NSA officials use to justify their practice of privately exploiting certain bugs instead of reporting the underlying vulnerabilities so they can be fixed.
Symantec researchers said they did not know how the hacking group, alternately referred to as Buckeye, APT3, Gothic Panda, UPS Team, and TG-0110, obtained the tools. The limited number of tools used, the researchers said, indicated that the hackers' access was not as broad as the Shadow Brokers' access. The researchers speculated that the hackers had reverse-engineered technical "artifacts" captured from NSA attacks on their own targets. Other, less likely possibilities, according to Symantec, were that Buckeye had stolen the tools from an unsecured or poorly secured NSA server, or that a rogue NSA group member or employee handed the tools over to Buckeye.
The attack used to install Buckeye's DoublePulsar variant exploited a Windows vulnerability indexed as CVE-2017-0143. It was one of several Windows bugs exploited by the NSA tools leaked by the Shadow Brokers, named Eternal Romance and Eternal Synergy. Microsoft fixed the vulnerability in March 2017 after NSA officials warned that the exploits could soon be released.
Symantec's report states that by the time the NSA reported the vulnerabilities to Microsoft, they had already been exploited in the wild for months.
"The fact that another group (other than the NSA) was able to successfully exploit the Eternal series is very impressive," Williams said. "It speaks to their technical skills and resources. Even if they stole the vulnerabilities while they were being used on the network, this is not enough to restore reliable exploitation without much additional research."
The Story of Two Exploits
Security protections built into modern Windows versions meant that two separate vulnerabilities were required to successfully deploy DoublePulsar. Both the NSA and Buckeye used CVE-2017-0143 to corrupt Windows memory. From there, attackers had to exploit a separate vulnerability that would expose the memory layout of the target computer. Buckeye used a different information disclosure vulnerability from the one in the NSA's Eternal attacks. The vulnerability used by Buckeye, CVE-2019-0703, received a patch in March, six months after Symantec privately reported it to Microsoft.
Symantec said Buckeye's earliest known use of the NSA variants came in an attack on a Hong Kong target on March 31, 2016. It was delivered by a custom Trojan called Bemstour that installed DoublePulsar, which runs in memory only. From there, DoublePulsar installed a secondary payload that gave attackers persistent access to the computer, even after the computer was restarted and DoublePulsar was no longer active. One hour after the attack in Hong Kong, Buckeye used Bemstour against a Belgian educational institution.
Six months later, sometime in September 2016, Buckeye deployed a significantly improved version of Bemstour against an educational institution in Hong Kong. One improvement: in contrast to the original Bemstour, which ran only on 32-bit hardware, the updated version ran on 64-bit systems. Another advance in the updated Bemstour was the ability to run arbitrary shell commands on the infected computer. This allowed the malware to deliver custom payloads on infected 64-bit computers. The attackers usually took the opportunity to create new user accounts.
Bemstour was used again in June 2017 against a target in Luxembourg. From June to September of that year, Bemstour infected targets in the Philippines and Vietnam. Development of the Trojan continued this year. The most recent sample had a creation date of March 23, 11 days after Microsoft patched the zero-day CVE-2019-0703.
Symantec researchers were surprised that Bemstour was actively used for so long. Previously, the researchers had believed that APT3 disbanded after three Chinese citizens were charged with hacking in November 2017. While the indictment did not identify the group for which the defendants allegedly worked, some of the tools cited by prosecutors pointed to APT3.
Monday's report states that Bemstour's continued use after Buckeye's apparent disappearance remains a mystery.
"It could be suggested that Buckeye retooled after its 2017 exposure and abandoned all of the tools that are publicly associated with the group," the company wrote. "However, aside from the continued use of the tools, Symantec has found no further evidence to suggest that Buckeye has retooled. Another possibility is that Buckeye has passed some of its tools to an associated group."