ShadowBrokers shocked the security world again today by releasing another cache of exploits, files, and operational documents purportedly stolen from Equation Group last summer. As you may recall from our earlier publications, Equation Group is reportedly a clandestine hacking group that has been linked with NSA hacking tools.
The dump of information released today contains a number of exploits and Windows binary files that were not seen with the previous collection of information. While the ‘Auction’ file may have contained obsolete exploits and information, this new release appears to contain much more recent and current data including 0-Day exploits. While we haven’t had time to fully review the information, Twitter user HackerFantastic has already reported a successful 0-day exploit on Windows 2008 Server.
[caption id="attachment_17526" align="aligncenter" width="600"] HackerFantastic showing exploit against Windows 2008[/caption]
[caption id="attachment_17527" align="alignleft" width="300"] NSA-FTS327 USA USA strings located[/caption]
One bit of information we have already uncovered are ‘Author’ tags located on some of the document files. These tags contain reference to a string: NSA-FTS327.This string appears in a number of NSA Organizational documents and appears to be related to the Requirements and Targeting office. The Snowden Surveillance Archive identifies the Requirements and Targeting office designation as FTS327, and provides a document authored by NSA’s Texas TAO, Requirements and Targeting office suggesting that Computer Network exploitation was used to exploit a weakness in Mexican President Felipe Calderon’s public email. The program used the code name of ‘FlatLiquid’. While no mention of that particular string has been in this dump, if the Author string found on the documents is accurate, then that would suggest there may be validity in the claims that these are NSA tools.
[caption id="attachment_17528" align="aligncenter" width="600"] Screenshot of Snowden Surveillance Archive showing the FTS327 designation.[/caption]
There is lots of information to sift through in this dump before researchers have an idea to the scope of the release, and it may take several days for a full analysis of the information has been completed. If there are active 0-Days, we will see software manufactures scramble to release timely patches to help thwart almost certain use of this code by malicious actors in the ‘residential’ business of malware infection – as we saw with Microsoft earlier this week in regards to the Office 0-Day that was circulating via spam.
We are currently analyzing the roughly 1000 Windows binaries that were included, and if necessary, will be pushing any needed updated before I even finish proofing this blog entry.