Shadow Brokers Dump Alleged Windows Exploits and NSA Presentations on Targeting Banks

UPDATE: Microsoft has patched the majority of the exploits released by The Shadow Brokers. More details can be found here, and the company recommends updating to a supported version of Windows and downloading security fixes. 

The original story follows below:

This just isn’t slowing down. Last week, The Shadow Brokers, a hacker or group of hackers, released a cache of Unix-focused exploits allegedly stolen from the NSA, including some that were not previously known to the affected vendors.

On Friday, the group dumped even more tools, but this time allegedly for targeting older Windows computers. The Shadow Brokers also released a series of apparent presentations and files relating to collecting data from banking systems.

“This is the remaining data (the Windows tools),” the security researcher known as Hacker Fantastic, who has regularly combed through the Shadow Brokers’ dumps, told Motherboard in a Twitter direct message.

As has become tradition during this strange, months-long campaign, The Shadow Brokers released the files along with a ranting wall of text.

“This week the-shadowbrokers be thinking fuck peoples,” the post reads. “Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.”

The post includes a link to a selection of files and folders. One sub-folder called “exploits” includes executable files with apparent codenames such as “Eternalsynergy,” “Erraticgopher,” and “Emeraldthread.”

Researchers are currently digging through the data to determine what exactly these alleged tools are designed for, and whether the dump does contain any functioning exploits against Windows platforms.

“This is phenomenal data, it has all the hallmarks of slickly produced internal attack tools,” Hacker Fantastic continued. “I am certain that analysis on this data will turn up another 0day [zero day].”

Security architect Kevin Beaumont told Motherboard in a Twitter direct message, “All of the Windows implants are new to VirusTotal [an online file scanning tool], which suggests they’ve not been seen before.”

One folder appears to concern a Windows-based implant called ODDJOB, and includes alleged configuration files and payloads. A related spreadsheet apparently lays out what versions of Windows ODDJOB will work with, ranging from “Windows 2003 Enterprise” (likely referring to Windows Server 2003 Enterprise) up to Windows XP Professional. One text file appears to show ODDJOB’s success rate at avoiding anti-virus software: “no_virus” is stamped next to companies such as F-Secure, Kaspersky, Symantec, and more. The file includes alleged timestamps from mid-2013.

Judging by those files, the dump likely relates to tools for older Windows systems (general support for Windows XP ended in April 2014). But that is not to say the files are worthless: plenty of institutions, organizations, and individuals still use outdated Windows versions. And at least one of the exploits is allegedly designed for targeting Windows 8 systems.

A Microsoft spokesperson told Motherboard that the company is “reviewing the report and will take the necessary actions to protect our customers.”

Targets of NSA hacking operations may also be able to determine whether they were compromised thanks to these new files. Cybersecurity company Symantec recently did something similar, but with details of alleged CIA hacking tools released by WikiLeaks.

Another section of the dump includes several alleged presentations marked “TOP SECRET” concerning “JEEPFLEA_MARKET.” According to a previous analysis by Electrospaces.net, which searches through previously released government documents including the Snowden files for additional clues, Jeepflea is a hacking project from Tailored Access Operations (TAO), the NSA’s elite hacking unit.

Judging by the presentation and related files, JEEPFLEA_MARKET concerns Swift Alliance Access (SAA) systems. SAA is used by banks around the world for making transactions. One section called “ongoing collection on 9 SAA servers” points to several specific banks, the majority of which are located in the Middle East.

SWIFT did not immediately respond to a request for comment.

“Who knows what we having next time?” The Shadow Brokers wrote in their latest message.

Update: This piece has been updated to say that at least one of the exploits allegedly targets Windows 8. The post has also been updated with comment from Microsoft.