The Shadow Brokers need no introduction. The same can be said for the batch of stolen files the Shadow Brokers recently set loose. And naturally, the stolen files made their rounds across the internet. As with many things in this sector, it took no time before the darknet started crawling with both the files and communities—new and old—centered around the collection of hacking tools and zero-day exploits.
According to an analyst team at SenseCy, a cyber intelligence group, some underground hacking communities have hit their highest point of activity yet, not only because these hacking tools proved to be among the most powerful released to date, but because of a spike in interest as well. This should come as little surprise; every time the Shadow Brokers surfaced in the news, even the mainstream media covered the story.
As we have written in the past, Russian-language hidden-service forums routinely come off as the most brazen of them all. SenseCy analysts reported seeing such forums buzzing with activity. "For example, a moderator of one of the forums uploaded the entire leak (more than 6,000 files) to the private server of a closed forum called Kickass, for the use of the community," the SenseCy blog explained.
Tutorials for using some of the files (those that came as readily deployable tools) appeared on both the clearnet and the darknet the same day as the data dump. Analysts at the Israel-based cyber intelligence firm said the Equation Group's self-developed exploitation framework attracted serious interest. (Whether the framework is the Equation Group's or the National Security Agency's matters little at this point; the connection between the two, or lack thereof, changes nothing about what the tools can do.) CyberScoop compared the Equation Group's framework to Metasploit, the well-known penetration testing framework.
Both Russian and Chinese forums displayed particular interest in a Microsoft Windows SMB exploit. The exploit, dubbed ETERNALBLUE, quickly developed a reputation as one of the most powerful exploits ever released to the public. "Hackers [have] shared the leaked [NSA] information on various platforms, including explanations [for how to use the tools] published by Russian-language blogs," SenseCy Director Gilles Perez told CyberScoop. "We identified [one] discussion dealing with the SMB exploit [ETERNALBLUE], where hackers expressed interest in its exploitation and shared instructions on how to do so."
Microsoft fixed the underlying vulnerabilities in its March security update (MS17-010, covering CVE-2017-0143 through CVE-2017-0148), a month before the files were published, so ETERNALBLUE was no longer a zero-day when it reached the forums. That did not stop the discussion: "Actors were focused on the unique trigger point for [ETERNALBLUE] and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses," analysts at the cyber intelligence firm Recorded Future wrote. For defenders the actionable point is unchanged: install the March update on every Windows host, and disable SMBv1 wherever it is not needed, since the exploit depends on the legacy protocol being reachable in the first place.
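The check most administrators want after reading the above is whether a given host still negotiates SMBv1 at all. The following is an added example written for this article; it is not code from the leak, from the Equation Group, or from any of the firms quoted. It sends a single SMB_COM_NEGOTIATE request that offers only SMBv1 dialects and classifies the reply: a server that still speaks SMBv1 answers with a dialect index, while a server with SMBv1 disabled closes the connection. It does not test CVE-2017-0143 through CVE-2017-0148 themselves. Port 445, the placeholder target address 192.0.2.10, and the two sample replies used for self-checking are all assumptions made here, not values from the article.

```python
"""Probe an SMB server for SMBv1 exposure with an SMB_COM_NEGOTIATE request.

Added example for this article, not code from the leak or from any group named
above. It reports whether the server still negotiates an SMBv1 dialect (the
protocol ETERNALBLUE speaks); it does not test the MS17-010 vulnerabilities.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_HEADER = "<4sBIBHH8sHHHHH"  # 32-byte SMBv1 header layout

# Dialects offered, oldest first; the server answers with an index into this list.
# Only SMBv1 dialects are listed on purpose: a server with SMBv1 disabled has
# nothing it can pick and drops the connection instead of answering.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def build_negotiate_request(dialects=DIALECTS, pid=0x1234, mid=1):
    """Return a NetBIOS-session-framed SMBv1 Negotiate Protocol Request."""
    header = struct.pack(
        SMB_HEADER,
        SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,  # magic, command, NTSTATUS
        0x18,                              # Flags: canonical, case-insensitive paths
        0xC853,                            # Flags2: Unicode, NT status, ext. security
        0, b"\x00" * 8, 0,                 # PIDHigh, SecurityFeatures, Reserved
        0, pid, 0, mid,                    # TID, PIDLow, UID, MID
    )
    # Each dialect is a 0x02 BufferFormat byte followed by a NUL-terminated string.
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes  # WordCount=0, ByteCount
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # NetBIOS session message framing


def parse_negotiate_response(data, dialects=DIALECTS):
    """Classify a raw reply (NetBIOS header included); 'status' is one of
    closed / smb1 / smb2 / refused / unknown."""
    if not data:
        return {"status": "closed"}  # connection dropped: SMBv1 is not offered
    if len(data) < 4 + 32:
        return {"status": "unknown", "reason": "short reply"}
    smb = data[4:]  # strip the 4-byte NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return {"status": "smb2"}  # only seen if an SMB2 dialect string were offered
    if not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE:
        return {"status": "unknown", "reason": "not a negotiate reply"}
    nt_status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if word_count < 1 or len(smb) < 35:
        return {"status": "unknown", "reason": "no parameter words"}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return {"status": "refused", "nt_status": nt_status}  # none of our dialects accepted
    if dialect_index >= len(dialects):
        return {"status": "unknown", "reason": "dialect index out of range"}
    result = {"status": "smb1", "dialect": dialects[dialect_index].decode(),
              "nt_status": nt_status}
    if word_count == 17:  # NT LM 0.12 layout: SecurityMode byte follows DialectIndex
        security_mode = smb[35]
        result["signing_enabled"] = bool(security_mode & 0x04)
        result["signing_required"] = bool(security_mode & 0x08)
    return result


def probe(host, port=445, timeout=5.0):
    """Send the negotiate to host:port and classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return parse_negotiate_response(data)


def sample_smb1_reply():
    """Constructed sample (not a real capture): SMBv1 server picking dialect 2,
    'NT LM 0.12', with signing enabled but not required (SecurityMode 0x07)."""
    header = struct.pack(SMB_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801,
                         0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    # DialectIndex, SecurityMode, MaxMpx, MaxVcs, MaxBuffer, MaxRaw, SessionKey,
    # Capabilities, SystemTime, TimeZone, ChallengeLength = 17 parameter words.
    params = struct.pack("<HBHHIIIIqhB", 2, 0x07, 50, 1, 16644, 65536, 0,
                         0x8000E3FD, 0, 0, 8)
    msg = header + bytes([17]) + params + struct.pack("<H", 0)
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def sample_refused_reply():
    """Constructed sample: server accepts none of the offered dialects (0xFFFF)."""
    header = struct.pack(SMB_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801,
                         0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    msg = header + bytes([1]) + struct.pack("<HH", 0xFFFF, 0)
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    print(probe(target))
```

Run it as `python smb1_probe.py <host>`; a result of `closed` or `refused` means the host no longer offers SMBv1, while `smb1` means the legacy protocol is still reachable and the March update is the only thing standing between the host and ETERNALBLUE. Because the probe never proceeds past negotiation it is safe to run against production systems.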
We have seen this type of behavior in the past, albeit with less capable and less devastating tools; usually it involves new variants of banking trojans or ransomware kits. One thing is certain: this type of software will almost always find a home on darknet forums. Given that many of the tools are working exploits for widely deployed software (some still effective against unpatched or unsupported systems) and the Shadow Brokers released 6,000 or more files to the public, a new wave of attacks is imminent.