New: NSA's arsenal of Windows hacking tools have leaked. https://t.co/Al2XEZsT4L pic.twitter.com/4hEWnWo5bF— Zack Whittaker (@zackwhittaker) April 14, 2017
I have been updating my WikiLeaks Vault 7 post (new dump on 14 April 2017: HIVE) as Assange and his team release more leaks on the CIA. Those addenda overlap with Good Friday's separate discussion of the Shadow Brokers' NSA hack, which I originally discussed in my post, Visits from the Dark-Haired Girl.
On 14 April 2017, the Shadow Brokers released some of their hacked NSA material onto the Internet and announced it on their Steemit blog with their usual meta-English pidgin rambling:
"KEK...last week theshadowbrokers be trying to help peoples. This week theshadowbrokers be thinking fuck peoples. Any other peoples be having same problem? So this week is being about money. TheShadowBrokers showing you cards theshadowbrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.

Password = Reeeeeeeeeeeeeee

theshadowbrokers not wanting going there. Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away. TheShadowBrokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all surviving WWIII theshadowbrokers be seeing you next week. Who knows what we having next time?"
Zero Hedge summarized the Good Friday release:
"[T]hey've already been unzipped and hosted on GitHub by security researchers. A list of all the files contained in the dump is available here, and it reveals the presence of 23 new hacking tools, named such as ODDJOB, JEEPFLEA, EASYBEE, EDUCATEDSCHOLAR, ENGLISHMANSDENTIST, ESKIMOROLL, ECLIPSEDWING, EMPHASISMINE, EMERALDTHREAD, ETERNALROMANCE, ETERNALSYNERGY, ETERNALBLUE, EWOKFRENZY, EXPLODINGCAN, ERRATICGOPHER, ESTEEMAUDIT, DOUBLEPULSAR, MOFCONFIG, FUZZBUNCH, and others."
Make no mistake, this is a huge deal. Until Microsoft fixes these flaws, this might be the most dangerous time in cyberspace—possibly ever.— Zack Whittaker (@zackwhittaker) April 14, 2017
The Mother Of All Exploits escaped from an NSA laboratory and is wrecking the internet. https://t.co/K1RqJeYIW5— Edward Snowden (@Snowden) April 14, 2017
If you are just tuning in, TLDR; Windows NT, 2000, 2003, XP, Vista, 7, 2008, 8 and 2012 are vulnerable to RCE 0day public exploits/malware.— Hacker Fantastic (@hackerfantastic) April 15, 2017
"This is fine." 😅 pic.twitter.com/DtStnypoVm— Zack Whittaker (@zackwhittaker) April 14, 2017
Wow: Microsoft just told me NO ONE from NSA (or anywhere in the government) has contacted them yet re: ShadowBrokers https://t.co/fBfGiDiPAu— Sam Biddle (@samfbiddle) April 14, 2017
A light has been shone into the shadows of the surveillance state, exposing key tools & attacks used for espionage and cyber-based conflicts— Hacker Fantastic (@hackerfantastic) April 15, 2017
An intelligence asset may have been lost however public safety was put at risk by stockpiling 0day exploits and abused by multiple parties.— Hacker Fantastic (@hackerfantastic) April 14, 2017
The Shadow Brokers hacked and released the NSA-built exploits used to take control of Windows machines. Windows Central qualified that the same day, in uninspiring language:

"You'll see headlines all over the internet warning you to shut down your Windows PC or disconnect from the internet right now. But don't panic. Make no mistake, this is a really serious issue that Microsoft has to address. We don't want you to think you can just ignore it, because as you can see a good many PCs are vulnerable. The biggest thing to know is that if you're using Windows 10 and have installed the latest updates as of Tuesday, April 11, you won't be affected by these specific hacks. Other exploits may exist that can do some nasty things, so you should use common sense when using the internet or installing software. But you know that, or should."

The NSA had known about these flaws and, as Sam Biddle's tweet above records, Microsoft said nobody from the government had contacted it about the leak. What Microsoft did say that day was that the exploits in the dump had already been fixed by earlier updates, the SMB ones by the MS17-010 bulletin of March 2017, so the real exposure on Good Friday was on machines that had not taken those updates or were running out-of-support versions such as XP and Server 2003 (the systems in Hacker Fantastic's list above). You can see an amateur, but amusing, YouTube rumination on the nightmare situation here.
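The check a practitioner wants after reading the tool list and the Windows Central advice above is not only "am I patched" but "has this host already been implanted". The following is an added example, not code from this post, from Microsoft, or from the Shadow Brokers' dump: it parses an SMB1 Trans2 response and applies the publicly documented DOUBLEPULSAR indicator (an implanted host answers the Trans2 SESSION_SETUP probe with Multiplex ID 0x51, where a clean SMB1 server echoes the probe's 0x41). The frames it inspects are constructed inline for illustration rather than captured from a real host, the on-wire probe (negotiate, session setup, tree connect, Trans2) is deliberately not included, and the function names parse_smb1_header, classify_trans2_response and build_smb1_frame are my own.

```python
"""Classify an SMB1 Trans2 response by its Multiplex ID (MID).

The public DOUBLEPULSAR SMB detectors send a Trans2 SESSION_SETUP request
with MID 0x41. A clean SMB1 server echoes 0x41 back (usually with
STATUS_NOT_IMPLEMENTED); a host carrying the DOUBLEPULSAR SMB implant
answers with MID 0x51. This module only parses and classifies the reply.
All sample frames below are constructed for illustration.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32            # fixed SMB1 header, NetBIOS session header excluded
SMB_COM_NEGOTIATE = 0x72
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80          # header Flags bit set on every server response
STATUS_NOT_IMPLEMENTED = 0xC0000002
PROBE_MID = 0x41                # MID the detection probe sends
IMPLANT_MID = 0x51              # MID an implanted host sends back


def parse_smb1_header(frame: bytes) -> dict:
    """Parse a NetBIOS session message carrying an SMB1 header.

    SMB1 header layout (little-endian), offsets relative to the magic:
      0 magic(4)  4 command(1)  5 status(4)  9 flags(1)  10 flags2(2)
      12 pid_high(2)  14 signature(8)  22 reserved(2)
      24 tid(2)  26 pid_low(2)  28 uid(2)  30 mid(2)
    """
    if len(frame) < 4 + SMB1_HEADER_LEN:
        raise ValueError("frame too short for NetBIOS + SMB1 header")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    if int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        raise ValueError("NetBIOS length does not match frame length")
    hdr = frame[4:4 + SMB1_HEADER_LEN]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", hdr, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {
        "command": command,
        "status": status,
        "is_response": bool(flags & SMB_FLAGS_REPLY),
        "flags2": flags2,
        "signature": hdr[14:22],
        "tid": tid,
        "pid": (pid_high << 16) | pid_low,
        "uid": uid,
        "mid": mid,
    }


def classify_trans2_response(frame: bytes) -> str:
    """Apply the MID indicator to a reply received after the Trans2 probe."""
    h = parse_smb1_header(frame)
    if h["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2"
    if not h["is_response"]:
        return "not-a-response"
    if h["mid"] == IMPLANT_MID:
        return "doublepulsar"
    if h["mid"] == PROBE_MID:
        return "clean"
    return "unexpected-mid"      # something else answered; investigate by hand


def build_smb1_frame(command, status, flags, tid, pid, uid, mid,
                     body=b"", flags2=0xC807) -> bytes:
    """Build a NetBIOS-framed SMB1 message (used here only to construct samples)."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH", command, status, flags, flags2, pid >> 16)
    hdr += b"\x00" * 8                                  # security signature (unsigned)
    hdr += b"\x00\x00"                                  # reserved
    hdr += struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid)
    msg = hdr + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed samples (not real captures): WordCount=0, ByteCount=0 Trans2 body.
EMPTY_TRANS2_BODY = b"\x00\x00\x00"
CLEAN_SAMPLE = build_smb1_frame(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, SMB_FLAGS_REPLY,
                                tid=2049, pid=65279, uid=2048, mid=PROBE_MID,
                                body=EMPTY_TRANS2_BODY)
IMPLANT_SAMPLE = build_smb1_frame(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, SMB_FLAGS_REPLY,
                                  tid=2049, pid=65279, uid=2048, mid=IMPLANT_MID,
                                  body=EMPTY_TRANS2_BODY)
NEGOTIATE_SAMPLE = build_smb1_frame(SMB_COM_NEGOTIATE, 0, SMB_FLAGS_REPLY,
                                    tid=0, pid=65279, uid=0, mid=PROBE_MID)

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN_SAMPLE), ("implant", IMPLANT_SAMPLE),
                        ("negotiate", NEGOTIATE_SAMPLE)):
        print(f"{name:10s} mid=0x{parse_smb1_header(frame)['mid']:02x} "
              f"-> {classify_trans2_response(frame)}")
```

Only the MID is compared; the NT status in the reply is ignored on purpose, because both a clean server and an implanted one can return STATUS_NOT_IMPLEMENTED for the probe. A result of "unexpected-mid" means the reply did not match either known pattern and should be looked at manually rather than treated as clean.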
Live streaming inside the Microsoft HQ right now #EquationGroup #ShadowBrokers #0day cc @msftsecresponse pic.twitter.com/f7JiCV9bFM— x0rz (@x0rz) April 14, 2017
Oh, and the NSA also developed the ability to hack into SWIFT service bureaus, the outsourced gateways through which many banks reach SWIFT, the messaging network the world's financial institutions use to exchange payment orders. The fact that the US government decided to do this is as alarming as the fact that the tooling is now available to all. Thanks to the NSA, and to the Shadow Brokers' theft of its material, both the Windows exploits and the SWIFT-bureau tooling are now in the wild for anyone to use. From Matt Suiche:
"ShadowBrokers: The NSA compromised the SWIFT Network
This is by far the most interesting release from Shadow Brokers, as it does not only contain tools. The last time a nation-state used multiple [zero]days to target another country's critical infrastructure was when Stuxnet was launched targeting Iran's nuclear enrichment program. NSA's modus operandi is to gain total access and hack, using multiple [zero]days, an entire infrastructure of the intended target. In this case, if Shadow Brokers' claims are indeed verified, it seems that the NSA sought to totally capture the backbone of the international financial system to have a God's eye into a SWIFT Service Bureau — and potentially the entire SWIFT network. This would fit within standard procedure as a covert entity entrusted with covert actions that may or may not be legal in a technical sense. If the US had a specific target in the region's financial system, NSA penetration offers redundancy and other options than merely relying upon good faith compliance procedures, standard diplomatic requests, or collaborating with a SWIFT Service Bureau.

First, here are a few points to re-explain what SWIFT and SWIFT Service Bureaus are.

What is SWIFT?

The SWIFT organisation, headquartered in Belgium, provides a network that allows financial institutions in 200+ countries to send and receive information about financial transactions to each other. Most SWIFT members are banks and trading institutions. The SWIFT network does not actually transfer funds, but instead sends payment orders between institutions' accounts, using SWIFT codes. SWIFT Codes, also known as Bank Identifier Codes (BIC), are used by the SWIFT Network for those transactions and look like XXXXYYZZ (e.g. BARCGB22 for Barclays Bank in Great Britain).

What is a SWIFT Service Bureau?

An accredited SWIFT service bureau offers a cost-effective solution for access to the complete range of SWIFT services by eliminating the need for in-house SWIFT expertise and operational support. Think of them as the equivalent of Cloud providers for Banks. There are 74 certified bureaus in the World.

ShadowBrokers' new release

A few hours ago (14 April Release), ShadowBrokers just released a new archive divided into three different categories:

- swift: IMHO, the most interesting archive, as it contains the evidence of the largest infection of a SWIFT Service Bureau to date.
- windows: A series of Windows tools and reusable remote exploits for Windows, including out-of-support Windows versions, and fuzzbunch, the 'NSA-metasploit'.
- tools: This release includes logs, Excel files, and even, for the first time, PowerPoints of TOP SECRET documents. This is a first from Shadow Brokers; this would mean ShadowBrokers definitely has more than only tools.

IMHO, this is the most interesting archive. There are two programs mentioned:

- JEEPFLEA_POWDER

This is the second significant SWIFT hack revealed in less than 2 years, the first one being the 2016 Bangladesh Bank heist, allegedly executed by the North Korean government."
This is definitely the most relevant dump from #ShadowBrokers - Hacking SWIFT is BIG DEAL. Here is why: https://t.co/pYbvnNgf1L— Matt Suiche (@msuiche) April 14, 2017
See my earlier posts on Stuxnet, the Shadow Brokers, Kekkism, and Vault 7:
- Computer Virus used as Ersatz Military Strike (18 December 2010)
- UK Calls for Cyber War Rules of Engagement (5 February 2011)
- Fukushima - Media Blackouts and Media Nightmares (16 April 2012)
- The Internet's Ticking Time Bomb (1 May 2012)
- Visits from the Dark-Haired Girl (27 September 2016)
- World War III Projections: The Worm that Sleeps in the Wild (7 November 2016)
- World War III Projections: If Only She Could Talk (27 December 2016)
- WikiLeaks: Vault 7 Tests the CIA (7 March 2017)