NSA hacking tools have been leaked before. One example is DOUBLEPULSAR, an NSA implant that was published by the Shadow Brokers group. It has since been picked up by ordinary criminals, who have infected over 36,000 computers worldwide with it.
Alongside the implants, the dump contained a set of attack tools, including FUZZBUNCH, a framework for delivering exploits to a selected target. It is functionally similar to the Metasploit framework used by pentesters and security researchers.
The Shadow Brokers leaked more than 20 exploit packages that can be loaded into FUZZBUNCH. The attacks go through vulnerable network services: a reachable, unpatched service gives the NSA, or now anyone holding the tools, a way to exploit the flaw and plant malware on the targeted computer.
Most of these NSA Windows exploits take advantage of vulnerabilities in the SMB (Server Message Block) protocol, which provides file and printer sharing between Windows computers. Once an SMB exploit succeeds, DOUBLEPULSAR is the implant it installs, and the implant's job is to load further payloads, which is what makes it an effective downloader.
The Shadow Brokers code dump also includes implants, the technical term for malware that is planted and left running on a targeted system.
The DOUBLEPULSAR implant is described in the dump as a “RING-0 multi-version kernel mode payload”: it runs in the kernel, supports several Windows versions, and acts as a “malware downloader”, an intermediary for fetching and executing more potent malware on the infected host.
Earlier this week, trying to assess how many users are exposed to the malware leaked last Friday, cyber-security firm Below0Day performed an Internet-wide scan for Windows computers with the SMB port (TCP 445) open to the Internet.
The scan returned 5,561,708 Windows computers with port 445 exposed to external connections.
An exposed port 445 does not by itself mean a host is vulnerable, but if the owners of these 5.5 million computers have not installed the patches Microsoft released for the SMB flaws exploited by the NSA tools (MS17-010, published in March 2017, covers the SMBv1 flaws used by the ETERNAL family), they are vulnerable to exploits such as ETERNALBLUE, ETERNALCHAMPION, ETERNALSYNERGY, ETERNALROMANCE, EMERALDTHREAD, or EDUCATEDSCHOLAR.
The next step for the Below0Day researchers was to take the 5.5 million IP addresses they had identified and scan them with a tool released on Monday that identifies DOUBLEPULSAR infections from the way the implant answers a specially crafted SMB request.
When the results came in, the researchers found 30,625 computers whose SMB reply was consistent with a DOUBLEPULSAR infection.
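The detection the article describes works because the SMB implant hooks the SMB1 Trans2 SESSION_SETUP path: a clean server echoes the Multiplex ID (MID) of the request, which the public detection probe sets to 0x41, whereas a host running DOUBLEPULSAR answers the same probe with MID 0x51. The script below is an added example written for this article, not Below0Day's scanner or the original detection tool; it parses an SMB1 response header and classifies it, using constructed sample responses so it runs offline. The header layout follows the SMB1 specification; the sample flag values and the `build_response` helper are this example's own.

```python
import struct

# MID carried by the Trans2 SESSION_SETUP probe (assumed to match the public
# detection script) and the MID DOUBLEPULSAR's SMB implant answers with.
PROBE_MID = 0x41
DOUBLEPULSAR_MID = 0x51

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
NETBIOS_HDR_LEN = 4
SMB_HDR_LEN = 32
# SMB1 header after the 4-byte magic, all little-endian:
# cmd[1] status[4] flags[1] flags2[2] pid_high[2] signature[8]
# reserved[2] tid[2] pid_low[2] uid[2] mid[2]  -> 28 bytes
SMB_HDR_FMT = "<BIBHH8sHHHHH"


def parse_smb_header(resp: bytes) -> dict:
    """Parse the NetBIOS session header plus the fixed 32-byte SMB1 header.

    Raises ValueError for anything that is not a complete SMB1 message, so a
    scanner can tell 'no SMB here' apart from 'SMB but not the implant'.
    """
    if len(resp) < NETBIOS_HDR_LEN + SMB_HDR_LEN:
        raise ValueError("response too short for an SMB1 header")
    # NetBIOS session service: 1 byte type (0x00 = session message),
    # 3 byte big-endian length of the SMB payload that follows.
    nb_type = resp[0]
    nb_len = int.from_bytes(resp[1:4], "big")
    if nb_type != 0x00:
        raise ValueError(f"unexpected NetBIOS message type 0x{nb_type:02x}")
    smb = resp[NETBIOS_HDR_LEN:NETBIOS_HDR_LEN + nb_len]
    if len(smb) < SMB_HDR_LEN or not smb.startswith(SMB_MAGIC):
        raise ValueError("missing SMB1 magic or truncated header")
    (cmd, status, flags, flags2, pid_high, signature, _reserved,
     tid, pid_low, uid, mid) = struct.unpack(SMB_HDR_FMT, smb[4:SMB_HDR_LEN])
    return {
        "command": cmd, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "signature": signature,
        "tid": tid, "uid": uid, "mid": mid,
    }


def classify_response(resp: bytes) -> str:
    """Classify the reply to a Trans2 SESSION_SETUP probe sent with MID 0x41."""
    try:
        hdr = parse_smb_header(resp)
    except ValueError:
        return "not-smb"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected-command"
    if hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar"      # implant answered the ping
    if hdr["mid"] == PROBE_MID:
        return "clean"             # ordinary server echoed our MID
    return "unknown"               # some other SMB stack; investigate manually


def build_response(mid: int, command: int = SMB_COM_TRANSACTION2,
                   status: int = 0) -> bytes:
    """Construct a minimal SMB1 reply for testing (not captured traffic).

    Flags/flags2 values are typical Windows reply bits; the body is an empty
    WordCount/ByteCount pair, which is all the parser above needs.
    """
    hdr = SMB_MAGIC + struct.pack(SMB_HDR_FMT, command, status, 0x98, 0xC807,
                                  0, b"\x00" * 8, 0, 0, 0x0800, 0x0800, mid)
    body = hdr + b"\x00" + b"\x00\x00"
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed samples: what a patched server and an implanted host would say.
SAMPLE_CLEAN = build_response(PROBE_MID)
SAMPLE_INFECTED = build_response(DOUBLEPULSAR_MID)

if __name__ == "__main__":
    for label, sample in (("clean host", SAMPLE_CLEAN),
                          ("implanted host", SAMPLE_INFECTED),
                          ("non-SMB banner", b"\x00\x00\x00\x05hello")):
        print(f"{label:15} -> {classify_response(sample)}")
```

In a real scan the bytes passed to `classify_response` come from the socket after sending the negotiate, session setup, tree connect and Trans2 probe to port 445; the parser deliberately treats short or non-SMB replies as a separate class so that filtered ports and SMBv1-disabled hosts are not miscounted as clean.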
According to threat intelligence company SenseCy, this shouldn’t be a surprise, as hackers started discussing how to deploy the leaked NSA Windows hacking tools as soon as they appeared.
Even so, the number of computers already running the NSA's former malware is striking.
Hackers and malware developers alike need only a few hours to download the Shadow Brokers dump, scan the Internet for exposed SMB hosts, and use FUZZBUNCH to deliver the exploits. Until the affected computers are patched, this will keep security teams busy and leave unpatched systems at risk of falling victim to DOUBLEPULSAR. Note that patching stops new infections but does not remove an implant that is already running; DOUBLEPULSAR lives only in memory, so a reboot clears it, but the host is re-exploitable until the patch is applied.