A day after global ransomware attack, hacker group announces new malicious tools dump

Manisha Ganguly
Hacking Digital Britain
5 min read · Jun 28, 2017

The Shadow Brokers just announced their July auction so we talk to HackerFantastic to find out what it means for cybersecurity.


The mysterious hacker group Shadow Brokers have announced the release of their newest dump of cyber-weapons for exploiting systems, a day after the ‘Petya’ cyberattack paralysed systems in countries worldwide. The ‘Petya’ attack was the largest cyberattack since WannaCry, which had crippled the NHS healthcare system in the UK, and uses the same vulnerability that the Shadow Brokers leaked in April as part of their dump of NSA hacking tools.

The post makes three key announcements: first, that their June auction was a success, confirming that they have received payments for the sale of these malicious tools; second, a VIP service through which hackers can request specific exploits for systems in exchange for a monthly subscription; third, they mention ‘a mystery gift’, which is possibly a link to an FBI darknet hacking service.

The group first emerged in August 2016, auctioning cybertools used by an elite threat group called Equation Group, which exploited vulnerabilities in the products of security vendors such as Topsec, Cisco and Juniper. The sale was initially priced at 1 million bitcoins, but due to the lack of response they lowered their rates. The Petya attack, like the WannaCry attack on the NHS in May, uses the EternalBlue vulnerability in Microsoft Windows systems disclosed in their leaks to spread the ransomware infection laterally across networks. A Windows patch has been released to prevent this, but not all users have installed it yet.

Ransomware is essentially a special type of malware that holds your information to ‘ransom’ until the requested sum is paid in full to the attacker. A ransomware attack typically encrypts all the files on the computer and offers to release them after payment of a fixed sum in the untraceable crypto-currency Bitcoin. After the payment has been made, the attacker releases a decryption key which can be used to decrypt and restore the files ‘held hostage’. The Petya ransomware demands $300 in Bitcoin.

According to the Spectator Index, the Petya attack affected companies and government bodies in Ukraine (where it originated), Russia, the USA, India, Spain, Germany, Norway, Denmark, the Netherlands, South Africa and the UK. Among those affected were Ukraine’s Boryspil International Airport, Russia’s central bank, German postal company Deutsche Post, India’s largest container port JNPT, the world’s largest advertising firm WPP, legal firm DLA Piper, Danish shipping and transport firm Maersk, and food company Mondelez, with data on their PCs being held for ransom. The UK’s Houses of Parliament were targeted in another cyberattack on Friday, paralysing the email systems of MPs, who then took to Twitter to post updates.

Cybersecurity firms have since issued software updates to protect against infection. Kaspersky Lab issued a statement saying they had traced the infections to “a new ransomware that has not been seen before”. Comae Technologies founder Matt Suiche, however, noted that Petya was a “wiper malware” meant to destroy files rather than hold them for ransom: “We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker”. In a blog post, security researcher the Grugq noted that the real Petya “was a criminal enterprise for making money,” but that the version doing the rounds “is definitely not designed to make money.”

Many ethical hackers who were involved in mitigating the WannaCry attack were actively working to stop the Petya attack and to provide advice on best practices for those infected. Matthew of Hacker House noted on Twitter:

We got in touch with Matthew to ask his opinion about the new dump and the potential implications it might have for global cybersecurity:

What is your assessment of the new dump?

It doesn’t tell us much, just that they [the Shadow Brokers] have had some subscriptions and they’re going to increase their price. They’ve also linked to a darknet hacking service and said that it could be tied to the FBI, but they haven’t really given us any further details, so there are no more technical announcements to make. They said they’ve had some payments and that they will continue to dump every month; what those tools are we won’t know unless somebody receives and publicly discloses them.

So there’s nothing we can do for now?

They’ve given us no indication. The really worrying thing here is that they claim they’ve had payments, so if they are serious and do disclose those tools (which is what many of us believe), then they will be in the hands of individuals who may not have the noblest of intentions. So we will not know what attacks they may then go on to conduct.

How does the Petya attack compare to WannaCry?

Petya was a more sophisticated attack than WannaCry and propagates through the use of exploits, but it is also making use of local techniques, including steps to find antivirus signatures, so it was a preventable incident spreading through known weaknesses. These attacks are evolving because cybercriminals are spending more time engineering them and they understand how to increase the success of their attack. Unfortunately, the fact that these tools are out there puts the capability of the NSA into the hands of organised crime groups, so they are able to conduct very sophisticated attacks with relative ease now.

Do you hold the NSA, the Shadow Brokers and the cybercriminals at an equal level of blame for these attacks?

The NSA put us all in danger when they created powerful weaponised exploits and stockpiled them over a period of many years. Ultimately these tools were stolen and re-purposed, so the NSA definitely hold some accountability, because they should have had these issues addressed when they were initially identified, instead of letting these threats linger inside computer systems for espionage purposes.

Really, they gambled with the security of the public.

Equally, I hold the criminals responsible for writing such tools, since they were the ones who engineered the threat into an actual cyberattack. The Shadow Brokers, in my eyes, having disclosed these issues, brought them to the public’s attention, so I don’t really see them as anywhere near as culpable. Vulnerability disclosures happen on a day-to-day basis so that patches can be made available. I don’t really hold them as accountable as the NSA or the cybercriminals making use of these threats.

Follow @manisha_bot on Twitter for more.
