NSA's Leaked Malware is Being Weaponized by Criminals

What’s worse than a government agency (CIA) committed to violating privacy rights through weaponized malware? A bumbling one that hands your computer over to more common criminals who want banking information, tax refunds and anything else from which they can profit. What’s worse than an agency with weaponized malware blowing in the wind? Two agencies (NSA).

The CIA Fiasco Was Bad Enough

A May 5th headline on Zero Hedge reads “WikiLeaks Reveals “Archimedes”: Malware Used To Hack Local Area Networks.” The article explains, “In its seventh CIA leak since March 23rd, WikiLeaks has just revealed the user manual of a CIA hacking tool known as ‘Archimedes’ which is purportedly used to attack computers inside a Local Area Network (LAN). The CIA tool works by redirecting a target’s webpage search to a CIA server which serves up a webpage that looks exactly like the original page they were expecting to be served, but which contains malware. It’s only possible to detect the attack by examining the page source.”
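As an added example (not from the article, nor from the tooling it reports on), one way a defender can automate the “examine the page source” check described above: compare a page as actually received against a known-good baseline, and list any script or iframe origins that the genuine page never referenced. The HTML samples, host names and expected-origin list below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib


class ResourceCollector(HTMLParser):
    """Collect the network origins of every <script src> and <iframe src> in a page."""

    def __init__(self):
        super().__init__()
        self.origins = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                host = urlparse(src).netloc.lower()
                # Relative sources (no host) load from the page's own origin; skip them.
                if host:
                    self.origins.add(host)


def page_digest(html):
    """SHA-256 of the page source, used as the known-good baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def inspect_page(html, expected_origins, baseline_digest=None):
    """Return (changed_from_baseline, foreign_origins).

    changed_from_baseline is True when the received source differs from the
    recorded baseline digest; foreign_origins lists script/iframe hosts that
    the genuine page is not known to reference (constructed policy, not a
    vendor list)."""
    parser = ResourceCollector()
    parser.feed(html)
    foreign = sorted(o for o in parser.origins if o not in expected_origins)
    changed = baseline_digest is not None and page_digest(html) != baseline_digest
    return changed, foreign


# Constructed samples: a genuine page and a look-alike with a hidden frame injected.
GENUINE = ('<html><head><script src="https://static.example.com/app.js"></script>'
           '</head><body><p>Welcome</p></body></html>')
LOOKALIKE = GENUINE.replace(
    "<body>", '<body><iframe src="http://lookalike.invalid/drop.html" width="0" height="0"></iframe>')
EXPECTED_ORIGINS = {"static.example.com"}

if __name__ == "__main__":
    baseline = page_digest(GENUINE)
    print(inspect_page(GENUINE, EXPECTED_ORIGINS, baseline))    # (False, [])
    print(inspect_page(LOOKALIKE, EXPECTED_ORIGINS, baseline))  # (True, ['lookalike.invalid'])
```

A baseline digest only helps for pages whose source is stable; for dynamic pages the foreign-origin list is the more durable signal.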

The latest release follows Wikileaks’ March-April revelation that CIA malware is running wild; the series of releases is collectively known as Vault 7. (See “Your Bitcoins Open to CIA and Criminals, Heed Wikileaks’ Warning” for more information.) Fortunately, Wikileaks seems to be acting responsibly by ‘disarming’ the CIA tools before going public with them. Of course, users shouldn’t lower their guard too far.

The NSA Fiasco Is Even Worse

The hacker group The Shadow Brokers was behind last year’s release of hacking exploits used by the NSA. It appears to be taking a different tack than Wikileaks.

On April 8, the group published a sample of “exploits,” many of which “appear to be used for attacking older or little-used systems.” In short, the publication was not of great value and may have been intended to establish the veracity of unpublished malware. If so, The Shadow Brokers achieved its goal. Edward Snowden, among others, seems to credit them.

Veracity is key to making sales. But the exploits are far more valuable if they are not disarmed.

Months ago, The Shadow Brokers reportedly tried to auction off the tools but with little to no success. According to the Hacker News (December 14, 2016), the failed auction was followed up by an attempt at private sales. The article explains, “The Shadow Brokers has now appeared to have put up the NSA’s hacking tools and exploits for direct sale on an underground website….Each of the items (NSA hacking tools) on the site is categorized into a type — like “exploits,” “Trojans,” and “implant” — each of which is ranged from 1 to 100 Bitcoins (from $780 to $78,000). Anyone, including state-sponsored hackers with nation’s funding, could buy all the exploits for around $780,000.”

Whether sales were brisk or fell flat is unknown and, perhaps, unknowable.

Four months after the private sale, the hacker group Shadow Brokers released a treasure trove of documents and executables that disclosed some NSA surveillance tools, strategies and targets. One example: several major banks and the SWIFT banking network were clandestinely surveilled through tools that hacked Windows’ vulnerabilities. Windows is overwhelmingly the most common software used on personal and business computers around the world.

NSA tools are out of control and running wild. Security firms report that criminals on the deep web are weaponizing them, and doing so quickly, before large-scale global patching can occur.

The International Business Times (April 28) states, “Researchers at [the computer security firm] Recorded Future (RF) said that just three days after Shadow Brokers dumped the latest trove of data, a renowned cybercriminal belonging to a ‘top-tier’ dark web community started offering detailed tutorials on how to weaponise the alleged NSA malware strains such as DoublePulsar and EternalBlue.” Andrei Barysevich, the company’s director of advanced collection, and Levi Gundert, VP of intelligence and strategy, are quoted elsewhere on this topic. (See the RF report for details.)

The deep web watchdog Darknetmarkets (April 27) states, “Tutorials on how to make good use of some of the tools began emerging that same day the NSA documents were published originally, and this is according to researchers at Israel-based dark web intelligence firm SenseCy.Forum.”

Microsoft claims to have patched all the vulnerabilities on supported versions of Windows. This means those “running Windows 7 or above” should be safe as long as the computers have been updated. But some gotchas remain.

The tech site the Verge explains (April 15) that the patches are “available for all currently supported versions of Windows….[O]lder Windows XP or Windows Vista systems could still be vulnerable to three of the exploits released, but it’s unlikely that Microsoft will supply patches for these older versions of Windows as they’re already unsupported.” Other sites flatly state “it will not happen.”

Even supported machines could be vulnerable if they have not been thoroughly updated. Ars Technica supplies a valuable list and brief summary of the NSA tools that may be weaponized. In a separate article, the tech news source provides links to the Microsoft Security Bulletins (patches) for specific tools.

Older machines remain open to at least three of NSA’s tools.

“Of the three remaining exploits, EnglishmanDentist, EsteemAudit, and ExplodingCan, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,” Phillip Misner, security manager at Microsoft’s Security Response Center, blogged. “Customers still running prior versions of these products are encouraged to upgrade to a supported offering.”

Even the computers of those who update regularly may not be secure. There are at least three reasons:

1. Some of the patches may not work. The RF report observes, “Chinese-speaking actors additionally…claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses….Chinese users are particularly interested in the unique malware triggers and many feel the underlying vulnerability exploited by these toolsets has not been completely mitigated by the patches.”

2. Some of the patches are so recent that customers may not have installed them.

3. Some computers may have been compromised through these vulnerabilities before the patches were available. The Register (April 14) reports, “The leaked archive also contains the NSA’s equivalent of the Metasploit hacking toolkit: FUZZBUNCH. Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.”

Common criminals have a huge opportunity to attack the computers of a vast number of users. It makes a mockery of NSA’s name – the National Security Agency.

What do you think about this new weaponized malware, the NSA and the way it handles its software? Let us know in the comments below.

Images courtesy of Shutterstock.

Wendy McElroy is a Canadian individualist anarchist and individualist feminist. She was a co-founder of the Voluntaryist magazine and modern movement in 1982, and has authored over a dozen books, scripted dozens of documentaries, worked several years for FOX News and written hundreds of articles in periodicals ranging from scholarly journals to Penthouse. She has been a vocal defender of WikiLeaks and its head Julian Assange.
  • Good morning! I will be dropping by today and through the weekend to answer questions or to chat. I hope you find the article useful.

  • cb75075

    This can never work. Any back door NSA puts in can be found and exploited. It’s like the police demanding they have a key to your home then they just keep the keys in a shoe box in a closet somewhere. So they have provided guaranteed access to your computer for thieves.

    Also who do they actually catch. Reminds me of the Simpsons movie where there is this CIA giant room full of hundreds of people just watching monitors and someone spots Marge Simpson then stands up and says “we finally got someone!”. It’s not worth the effort, certainly not exposing a back door.

    So I wonder if it’s for something else, like preventing people from emptying their bank account and fleeing. To seize assets etc.

    • cb75075

      Also there is a massive incentive advantage/disadvantage here. The programmer at the NSA only has the advantage of doing a job and getting paid. The hacker has the incentive of breaking in. So clearly the person with the higher incentive has the strongest chance of succeeding.

      Thieves are always more incentivised than the police. So they will always defeat anything the police come up with.

      • But the police are not trying to come up with solutions except when it compromises their own agencies, interests and cronies. Law enforcement agencies pose the greatest cyber threat to the average person whom they target for surveillance — for national security, tax reasons, whatever — and the police do not care one whit if the tools of their targeting endanger the average person by being released into the wild, so to speak. They care about totally separate issues, such as how it makes an agency look, how the tools are used against them, etc. So I’m not sure incentives re protection v. violation work here. That is, law enforcement are paid and incentivized to violate your privacy and pocketbook — rather like the common criminal — not to work for your protection. I don’t think your paradigm holds up. BTW, thanks for the interesting posts, CB.

    • Brad R

      Regarding “who do they actually catch,” you have to ask who are they targeting? If their goal is to protect American citizens, you’d think they’d have teams searching for software vulnerabilities and then reporting them to Microsoft et al. for patching as soon as they’re found. Instead the NSA and CIA hoard these vulnerabilities so that they can become crackers themselves, and gain unauthorized access to citizens’ computers. Tough luck if a bad guy also finds one of those undisclosed vulnerabilities.

    • I am not sure what it is you are saying “can never work.” Let me presume, first of all, that you mean protecting your computer’s security is a doomed attempt. (NOTE: I am not a security expert and so the following is merely the opinion of a woman who has read e-stacks of articles by people who are :-).) If you are talking about back doors, then your point is a strong one because the access is a design feature of which you presumably know nothing. But many of the attacks described above rely on people’s bad habits (clicking on suspicious links) or on features that can be patched. It may well be insufficient to eliminate bad habits and necessary to adopt totally new good ones, like eschewing “the cloud,” being scrupulous about security updates and using Linux. Keeping your wallet on your own hard drive or a USB stick and disconnecting from the internet whenever you are not active is also a good idea.

      Does that protect you absolutely? No. Even though I have come to believe there can be close-to-unhackable protocols — Bitcoin’s blockchain comes to mind — even diligent users of software and devices will have vulnerabilities. At this point, the best protection is more psychological than technological. For example, make yourself inconspicuous because — as with burglars — e-criminals will go after the easy marks. A person puts in a house security system even though it doesn’t offer 100% guarantee; so, too, a user should employ every tech and psychological tool in the arsenal to become a difficult and unattractive target. Privacy is a huge tool in that arsenal. Another one is to be a small fish; I know a bitcoin holder who breaks his coins into several wallets, and for 2 reasons…1) if a wallet is cracked, well, then only one is cracked, and 2) high value targets are probably more sought after by thieves than low value ones. There are many more.

      Bottom line, and to be repetitive, is there any way to absolutely protect your bitcoin? No. But there is also no way to absolutely protect cash, credit cards, bank accounts or any other type of wealth. Even with current threats, the educated user and holder stands a better chance of self-protection than the average person with a bank account.

      • cb75075

        I meant putting in a back door to access an account will never be safe since that will always get leaked.

  • Aquazul

    Does this give Bitcoin a better or worse public image?

    • Worse, I believe. The fact that bitcoin is the payment of choice may be used to call for further regulation in order (allegedly) to keep it from becoming the currency of criminals. Cash is used by criminals in the same manner, of course, so the logic breaks down. But we are not talking about logic, only about politics.

      • Aquazul

        If some detective agency (private or government) used the blockchain to track down the perpetrators of this crime then the criminals would stay away from Bitcoin. It is really not anonymous like cash so maybe they will be caught. What do you think?

        • Bitcoin is pseudonymous rather than anonymous, which means the transaction is open and traceable but the real name of the actor can be masked with some ease…at least, in peer to peer exchanges. If the cryptocriminals were smart — and I don’t know if they were but it looks that way — then they would have a vast number of wallets and use further means of anonymization such as a tumbler. By the time they were traced, if they could be traced at all, they would be gone. I’m not pleased to write these words but I think they express the truth of the situation. Thanks for the posts Aquazul.

  • Fritz Knese

    I notice that NPR makes a big deal of stating that the crooks demand payment in Bitcoin in every article about this. Sounds like they are using the opportunity to build up resentment to Bitcoin.