Last week, a collection of spy tools allegedly used by the National Security Agency for operations against global targets of interest was leaked online by the underground hacking group, Shadow Brokers.
The tools were released online in the following form and were accessible to anyone:
NSA’s cyber-weapons include many exploits for Microsoft Windows, Lotus Notes, MDaemon Webadmin, IIS, Solaris systems and Microsoft Exchange, as well as additional Python-based tools.
These tools (Fuzzbunch, Eternalblue, Doublepulsar, Danderspritz) are part of the powerful NSA hacking toolset (also known as NSA Metasploit) exploited by the intelligence organization for hacking operations against governments, companies, and organizations.
SecNews researchers conducted a thorough study of the Shadow Brokers leak, mainly focusing on its effects. As it has been known, the NSA backdoor has already been installed on thousands of computers and servers around the world. A map of the affected countries is presented below:
The purpose of SecNews research, considering the importance of the leaked data, was to identify companies or networks exclusively from the Greek Territory that have been targeted by malicious activities related to NSA’s cyber weapons.
After analyzing the leaked NSA toolkit and taking into consideration its particular digital features, we conducted an investigation as to detect which IP addresses in Greece are affected by the NSA cyber weapons!
The assessment procedure was carried out in the following steps:
The final findings/results are shown in the table below. For security reasons, the IP addresses are hidden, as to protect the targeted companies/organizations. Thus, it is not possible for a malicious user to use the mentioned cyber-weapon for his own benefit.
According to the findings, the NSA remote access software was installed:
According to our research, all of the aforementioned systems were infected with the “Doublepulsar” exploit. Doublepulsar allows an attacker to install malicious software of choice, that can not be tracked as a DLL.
“It must be mentioned that we can not know whether the installation of the cyber weapons was conducted by the NSA or third-party hackers who leveraged the tools leaked by the ShadowBrokers. One think is sure, however, that the affected companies/organizations should immediately test and evaluate their systems security (and especially if the affected systems are related to internal networks).”
The same procedure that we’ve applied during our research to the Greek Public Internet, can be also implemented on internal servers, in order to check if the cyber-monitoring software is installed. The aforementioned targets are ought to conduct digital analysis and security audits as to get an objective analysis of the affected servers.
SecNews researchers are at the disposal of administrators or legal representatives of the affected companies, organizations, and entities, as to provide them with any additional information needed. Details on the assessment procedure or οn how security audits can be performed on an internal network can be also provided, after the detection of a related infection by the administrators and the identification of its extent.
(Security Affairs – Shadow Brokers, NSA)