Pierluigi Paganini
April 08, 2017
The Shadow Brokers is the mysterious group that in October 2016 claimed to have stolen a bunch of hacking tools used by the NSA for its operations.
At the end of October 2016, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.
The Equation group compromised these targets using the hacking tools codenamed as INTONATION and PITCHIMPAIR. The Shadow Brokers provided the links to two distinct PGP-encrypted archives, the first one offered for free as a proof of the hack (its passphrase was ‘auctioned’), for the second one the group requested 1 million BTC.
The first archive was containing roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.The Equation Group ‘s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.
The majority of files are at least three years old, meanwhile, the newest timestamp dating to October 2013.Early October, TheShadowBrokers complained that no one seems to be bidding on their precious archive, an alleged member of the hacker group expressed his dissent on the lack of interest in ponying up bitcoins to release the full NSA data dump.A couple of weeks before the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction received offers for less than two bitcoins.
Back to the present, today the Shadow Brokers group released more alleged hacking tools and exploits that allegedly belong to the Equation Group.
The group has launched the bomb, it has finally released password for the encrypted dump of NSA files and anyone can access them.
The group shared the following password:
CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN
in a blog post on the Medium platform titled “Don’t Forget Your Base“
The post is an open letter to President Donald Trump, the group expressed its point of view on the Trump’s policy, it explicitly refers Goldman Sach, the air strike against Syria and removal of Steve Bannon from the National Security Council, among others.
“Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.” reads the post.
A security expert that goes online with the Twitter handle x0rz, has uploaded all files after decryption on Github.
A close look at the archive revealed the existence of numerous tools that was developed to target specific platforms, including:
Solaris rpc.cmsd remote root exploit (TAO's EASYSTREET) #0day pic.twitter.com/yaVVblHzRU
— x0rz (@x0rz) April 8, 2017
NSA operators notes about their access inside
Pakistan Mobilink GSM network https://t.co/q45HHmru7K #ShadowBrokers #EquationGroup #APT pic.twitter.com/Ezk5kuJxpV
— x0rz (@x0rz) April 8, 2017
TAO's TOAST framework used to clean Unix wtmp events, no logs no crime
#opsec pic.twitter.com/XfeT0OH9Qp
— x0rz (@x0rz) April 8, 2017
One of the #EquationGroup tool (ELECTRICSLIDE) impersonates a Chinese browser with fake Accept-Languagehttps://t.co/fCQ77KqK0I pic.twitter.com/jIrtelcbu9
— x0rz (@x0rz) April 8, 2017
If you want, the group is still accepting donations, below its Bitcoin wallet: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK
That received a total of 10.41198465 bitcoins
Stay Tuned … it is just the beginning!
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Shadow Brokers, NSA)
[adrotate banner=”5″]
[adrotate banner=”13″]
