Pierluigi Paganini May 04, 2017

The installation of monitoring software has been conducted either by NSA highly sophisticated hacking team or by hackers who leveraged the tools leaked by the Shadow Brokers.

Last week, a collection of spy tools allegedly used by the National Security Agency for operations against global targets of interest was leaked online by the underground hacking group, Shadow Brokers.

The tools were released online in the following form and were accessible to anyone:

NSA’s cyber-weapons include many exploits for Microsoft Windows, Lotus Notes, MDaemon Webadmin, IIS, Solaris systems and Microsoft Exchange, as well as additional Python-based tools.

These tools (Fuzzbunch, Eternalblue, Doublepulsar, Danderspritz) are part of the powerful NSA hacking toolset (also known as NSA Metasploit) exploited by the intelligence organization for hacking operations against governments, companies, and organizations.

THE RESEARCH

SecNews researchers conducted a thorough study of the Shadow Brokers leak, mainly focusing on its effects. As it has been known, the NSA backdoor has already been installed on thousands of computers and servers around the world. A map of the affected countries is presented below:

The purpose of SecNews research, considering the importance of the leaked data, was to identify companies or networks exclusively from the Greek Territory that have been targeted by malicious activities related to NSA’s cyber weapons.

After analyzing the leaked NSA toolkit and taking into consideration its particular digital features, we conducted an investigation as to detect which IP addresses in Greece are affected by the NSA cyber weapons!

The assessment procedure was carried out in the following steps:

• Firstly, we scanned the Greek Internet for publicly exposed SMB (Port 445) & Remote Desktop (RDP Port 3389) services.
• We detected 1086 IP addresses with SMB enabled online
• We detected 4263 IP addresses with Remote Desktop enabled online
• Then, using properly parameterized scripts like Mass-scan, detect_doublepulsar_rdp & smb (Python) and in conjuction with the NSA-leaked files, we detected where the cyber weapon is installed.

The final findings/results are shown in the table below. For security reasons, the IP addresses are hidden, as to protect the targeted companies/organizations. Thus, it is not possible for a malicious user to use the mentioned cyber-weapon for his own benefit.

CONCLUSIONS

According to the findings, the NSA remote access software was installed:

• Within the network (AIA-Cust3-Infr) of Athens International Airport “Eleftherios Venizelos”. We are not in a position to know whether the network is related to the airport’s infrastructure or to a third party company in which the airport provides backbone access.
• On a web server (accessible via the internet) belonging to SKAI TV, one of the largest media groups in Greece.
• On a server belonging to Vodafone (or an affiliated company).
• On a server / part of the Internal Network Management system of Interworks Cloud (interworks.biz, webserve.gr). It is worth mentioning that the Business marketplace of the telecommunications company Wind (windbusiness.com.gr) is located in the same IP class.
• On a PC with DSL / VDSL connection (OTE/Cosmote) but it’s not known whether it is a corporate customer or a home user. In every case, it does not seem to have any correlation with OTE / Cosmote ‘s critical infrastructure.
• Within a server of SYKARIS (possibly a graphic arts company).
• Within a server of MELKA (possibly a construction company).
• On a terminal / server of the Civil Engineering Department of The Aristotle University of Thessaloniki.
• On a terminal / server of the Technological Educational Institute of Epirus, in the VLAN management system.
• On a terminal at the University of Thessaly (possibly a remote DSL connection).

According to our research, all of the aforementioned systems were infected with the “Doublepulsar”  exploit. Doublepulsar allows an attacker to install malicious software of choice, that can not be tracked as a DLL.

“It must be mentioned that we can not know whether the installation of the cyber weapons was conducted by the NSA or third-party hackers who leveraged the tools leaked by the ShadowBrokers. One think is sure, however, that the affected companies/organizations should immediately test and evaluate their systems security (and especially if the affected systems are related to internal networks).”

The same procedure that we’ve applied during our research to the Greek Public Internet, can be also implemented on internal servers, in order to check if the cyber-monitoring software is installed. The aforementioned targets are ought to conduct digital analysis and security audits as to get an objective analysis of the affected servers.

SecNews researchers are at the disposal of administrators or legal representatives of the affected companies, organizations, and entities, as to provide them with any additional information needed. Details on the assessment procedure or οn how security audits can be performed on an internal network can be also provided, after the detection of a related infection by the administrators and the identification of its extent.