The Shadow Brokers – a hackers group that claimed to have stolen a bunch of hacking tools from the NSA – released today more alleged hacking tools and exploits that target earlier versions of Windows operating system, along with evidence that the Intelligence agency also targeted the SWIFT banking system of several banks around the world.
Last week, the hacking group released the password for an encrypted cache of Unix exploits, including a remote root zero-day exploit for Solaris OS, and the TOAST framework the group put on auction last summer.
The hacking tools belonged to "Equation Group" – an elite cyber attack unit linked to the National Security Agency (NSA).
Now, the Shadow Brokers group just published a new 117.9 MB of encrypted archive via its new blog post, titled "Lost in Translation," which can be unlocked by anyone using password "Reeeeeeeeeeeeeee."
Someone has already uploaded the unlocked archive on GitHub and listed all the files contained in the dump released by the Shadow Brokers, which includes 23 new hacking tools.
These hacking tools have been named as OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar, and others.
Security researchers have started delving into the dump to determine the capabilities of the alleged exploits, implants and payloads that are claimed to work against Windows platforms.
NSA DUMP: Windows, Swift, and OddJob
The latest dump comprises of 3 folders: Windows, Swift, and OddJob.
"So this week is being about money. TheShadowBrokers showing you cards theshadowbrokers wanting you to be seeing. Sometime peoples not being target audience. Follow the links for new dumps. Windows. Swift. Oddjob," the Shadow Brokers latest blog post reads.The Windows folder holds many hacking tools against Windows operating system, but works against only older version of Windows (Windows XP) and Server 2003, according to researchers.
“ETERNALBLUE is a #0day RCE exploit that affects latest & updated Windows 2008 R2 SERVER VIA SMB and NBT!” tweeted the security researcher known as Hacker Fantastic on Twitter.
Another folder, named OddJob, contains a Windows-based implant and includes alleged configuration files and payloads. While the details on this implant are scarce at the moment, OddJob works on Windows Server 2003 Enterprise up to Windows XP Professional.
confirmed via Twitter, which indicates that the tools have not been seen before.
"A lot of good remote exploits in the #EquationGroup tools. Just a few well-designed 0days is enough to pwn the planet," tweeted another security researcher, who uses Twitter handle x0rz.
The SWIFT folder contains PowerPoint presentations, evidence, credentials and internal architecture of EastNets, one of the largest SWIFT Service Bureau in the Middle East.
"A SWIFT Service Bureau is the kind of the equivalent of the Cloud for Banks when it comes to their SWIFT transactions and messages; the banks' transactions are hosted and managed by the SWIFT Service Bureau via an Oracle Database and the SWIFT Softwares," security researcher Matt Suiche explains in a blog post.
The folder includes SQL scripts that search for information from the Oracle Database like the list of database users and the SWIFT message queries.
"SWIFT Host of Palestinian Bank was running Windows 2008 R2 vulnerable to exploit framework FUZZBUNCH." Matt tweeted.More key findings will come as soon as other security researchers delve into the latest dump.
This release is the latest from the Shadow Brokers desk and at the moment, it's not confirmed whether the hacking group holds more NSA hacking tools and exploits or this one is the last batch it stole from the United States intelligence organization.
UPDATE: EastNets Denies SWIFT Hacking Claims
In an official statement published today, EastNets denies that its SWIFT bureau was compromised, and says the reports of hack are "totally false and unfounded."
"The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded. The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities."
"The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013."