Shadow Brokers, Who Leaked WannaCry SMB Exploit, Are Back With More 0-Days


The infamous hacking collective Shadow Brokers – the group that publicly leaked the Windows SMB exploit behind last weekend’s WannaCrypt outbreak – is back, this time promising to cause even more damage.

In its typically broken English, the Shadow Brokers published a fresh, frustration-filled statement a few hours ago, promising to release more zero-day bugs and exploits for various desktop and mobile platforms starting in June 2017.

However, this time the Shadow Brokers’ leaks will not be available to everybody, as the hacking collective said:

“TheShadowBrokers is launching new monthly subscription model. Is being like [the] wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month.”

To some extent this is good news, but it is terrible news too. Good, because all of these upcoming, allegedly unpatched vulnerabilities will eventually be patched once they are disclosed; terrible, because the group will sell new zero-day exploits and hacking tools to private members on a paid monthly subscription instead of reporting them to Microsoft.

Presumably, other hackers, criminal gangs, state-sponsored actors, and perhaps some journalists and people from tech companies would be the natural subscribers to the Shadow Brokers’ membership.

Get Ready for the ‘Wine of Month Club’

So anyone buying a membership in the “wine of month club” would get exclusive access to the upcoming leaks, which the Shadow Brokers claim would include:

  • Exploits for web browsers, routers, and smartphones.
  • Exploits for operating systems, including Windows 10.
  • Compromised data from banks and Swift providers.
  • Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.

The group’s claims remain unverified at the time of writing, but since the Shadow Brokers’ previously released data dump turned out to be legitimate, the statement should be taken seriously, especially now that we know the EternalBlue exploit and DoublePulsar backdoor, developed by the NSA and released by the Shadow Brokers last month, were used by WannaCry to cause chaos worldwide.

Before publicly dumping these exploits in April, the Shadow Brokers had put the cyber weapons stolen from the NSA’s elite hacking team, known as the Equation Group, up for auction, asking 1 million Bitcoin.

After the auction failed, the hacking group even put those hacking tools and exploits up for direct sale on an underground site, categorized by type (“exploits,” “Trojans,” and “implants”), with prices ranging from 1 to 100 Bitcoins (from $780 to $78,000) each.

After all these attempts failed, the group started leaking the exploits. Last month, the Shadow Brokers released the Microsoft Windows SMB exploit that was later used by the WannaCry ransomware, which infected 200,000 machines in 150 countries within just 48 hours.

Commenting on WannaCry’s reported ties to the North Korean state-sponsored Lazarus Group, the Shadow Brokers said:

“The Oracle is telling theshadowbrokers North Korea is being responsible for the global cyber attack Wanna Cry. Nukes and cyber attacks, America has to go to war, no other choices!”

Shadow Brokers Lash Out at US Government and Tech Companies

In its recent post, the Shadow Brokers criticized both the US government and tech companies such as Microsoft for not dealing with the exploited flaws when they had the chance, months before the release.

The hacking group said the US government is paying tech companies not to patch zero-days in their products, claiming that it has spies inside Microsoft and other US tech firms.

The Shadow Brokers even pointed a finger at Google’s Project Zero team, saying:

“TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? Coincidence?”

Whether these accusations by the Shadow Brokers are true is anyone’s guess, but the world should be well prepared for another WannaCry-like outbreak.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.


WikiLeaks has published a new batch of the ongoing Vault 7 leak, detailing a spyware framework, allegedly used by the CIA, which “provides remote beacon and loader capabilities on target computers” and works against every version of Microsoft’s Windows operating system, from Windows XP to Windows 10.

Dubbed Athena/Hera, the spyware is designed to take full remote control of infected Windows PCs, allowing the agency to perform all sorts of actions on the target machine, including deleting data, uploading malicious software, and stealing data and sending it to a CIA server.

The leak, which includes a user manual for Athena, an overview of the technology, and a demonstration of how to use the spyware, reveals that the program comes in two variants:

  • Primary: Athena for XP to Windows 10
  • Secondary: Hera for Windows 8 through Windows 10

According to the whistleblower organization, Athena has the ability to allow the CIA agents to modify its configuration in real time, while the implant is on target “to customize it to an operation.”

“Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system,” WikiLeaks claims.

The leaked documents suggest that Athena, written in the Python programming language, was developed in August 2015, just a month after Microsoft released its Windows 10 operating system.

Interestingly, one document also suggests that the CIA agents have been advised to make sure that the spyware should not get caught by antivirus software programs, especially Kaspersky AV software.


Athena has been developed by the CIA in cooperation with Siege Technologies – an American cyber security firm that offers offensive cyber war technologies and works in close cooperation with the United States government.

However, WikiLeaks has not provided any details about the operations the agency conducts using Athena, though it is not hard to imagine how the intelligence agency would use such a program to spy on its targets.

Last week, WikiLeaks dumped two apparent CIA malware frameworks for the Microsoft Windows platform, AfterMidnight and Assassin, which are designed to monitor and report back on activity on the infected remote host and to execute malicious actions.

Since March, the whistleblowing group has published nine batches in the “Vault 7” series, which include the latest and last week’s leaks, along with the following batches:

  • Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
  • Scribbles – a piece of software allegedly designed to embed ‘web beacons’ into confidential documents, allowing the spying agency to track insiders and whistleblowers.
  • Grasshopper – revealed a framework that allowed the agency to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
  • Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or packer used by the CIA to hide the actual source of its malware.
  • Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
  • Weeping Angel – a spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
  • Year Zero – dumped CIA hacking exploits for popular hardware and software.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.


Hacker News: WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom


If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.

WannaCry Ransomware Decryption Keys

WannaCry’s encryption scheme generates a pair of keys on the victim’s computer that are derived from prime numbers: a “public” key used to encrypt the system’s files and a “private” key needed to decrypt them.

To prevent the victim from accessing the private key and decrypting the locked files himself, WannaCry erases the key from the system, leaving victims no way to retrieve the decryption key except by paying the ransom to the attacker.

But here’s the kicker: WannaCry “does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, which tries to retrieve from memory the two prime numbers used to generate the encryption keys; it works on Windows XP only.

Note: another tool, dubbed WanaKiwi, which works on Windows XP through Windows 7, is covered below.

“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

That means this method will work only if:

  • The affected computer has not been rebooted after being infected.
  • The associated memory has not been reallocated and overwritten by some other process.

“In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!,” Guinet says.

This is not really a mistake by the ransomware authors, since they use the Windows Crypto API correctly; it is the API itself that leaves the primes behind in freed memory.

Since WannaKey only pulls the prime numbers out of the affected computer’s memory, it is only useful to those who can turn those primes into the decryption key themselves and decrypt their WannaCry-infected PC’s files manually.
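The recovery step described above, as an added illustration that is not WannaKey’s or WanaKiwi’s own code: scan a memory image for a window whose value divides the victim’s RSA modulus n, then rebuild the private exponent from that prime. It assumes the public modulus n and exponent e are already known (the public key is not what the ransomware erases); the toy key size, the little-endian layout and the sample buffers are constructed for the demo, and the second buffer shows the failure case the article warns about, where the freed memory has already been overwritten.

```python
# Added example (not WannaKey's or WanaKiwi's code): the key-recovery idea behind
# them. A prime factor of the RSA modulus survives in freed process memory, so a
# window that divides the public modulus n is the prime p, and from p the private
# exponent d can be rebuilt. Assumptions: n and e are known, the prime is stored
# little-endian, and the memory image is a constructed buffer, not a wcry.exe dump.

def find_prime_in_memory(mem: bytes, n: int, prime_bytes: int):
    """Slide a prime_bytes-wide window over mem and return (offset, p) for the
    first window whose value is a non-trivial divisor of n, or None."""
    for off in range(len(mem) - prime_bytes + 1):
        cand = int.from_bytes(mem[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None

def rebuild_private_key(n: int, e: int, p: int) -> int:
    """Given one prime factor p, recover q and the private exponent d."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse of e, Python 3.8+

def recover_private_exponent(mem: bytes, n: int, e: int, prime_bytes: int):
    """Both steps together. None means no prime was found, which is what happens
    after a reboot or once another process has reused the freed pages."""
    hit = find_prime_in_memory(mem, n, prime_bytes)
    if hit is None:
        return None
    off, p = hit
    return off, rebuild_private_key(n, e, p)

# Constructed sample: a toy 92-bit modulus from two Mersenne primes (a real
# 2048-bit key would have two 128-byte primes), e = 65537, and a fake memory
# image with filler bytes around the 8-byte prime at offset 1024.
SAMPLE_P = (1 << 61) - 1
SAMPLE_Q = (1 << 31) - 1
SAMPLE_N = SAMPLE_P * SAMPLE_Q
SAMPLE_E = 65537
FILLER = bytes(range(256))
SAMPLE_MEM = FILLER * 4 + SAMPLE_P.to_bytes(8, "little") + FILLER * 2
WIPED_MEM = FILLER * 6  # same size, prime overwritten: recovery must fail

if __name__ == "__main__":
    off, d = recover_private_exponent(SAMPLE_MEM, SAMPLE_N, SAMPLE_E, 8)
    msg = 123456789
    assert pow(pow(msg, SAMPLE_E, SAMPLE_N), d, SAMPLE_N) == msg
    print(f"prime at offset {off}; private exponent rebuilt and verified")
    print("after wipe:", recover_private_exponent(WIPED_MEM, SAMPLE_N, SAMPLE_E, 8))
```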

WanaKiwi: WannaCry Ransomware Decryption Tool

The good news is that another security researcher, Benjamin Delpy, has developed an easy-to-use tool called “WanaKiwi,” based on Guinet’s finding, which simplifies the whole process of decrypting WannaCry-infected files.

All victims have to do is download the WanaKiwi tool from GitHub and run it on their affected Windows computer from the command line (cmd).

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won’t work for every user because of the conditions it depends on, it still gives WannaCry’s victims some hope of getting their locked files back for free, even on Windows XP, the aging and largely unsupported version of Microsoft’s operating system.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Lada Ray analysis: @realDonaldTrump tweet on Russia and Ukraine causes firestorm

Ukraine should know its place, otherwise do something about the Western coup and kick out Washington’s puppet Poroshenko.

Futurist Trendcast


A very admirable sentiment from #POTUS Donald Trump that peace needs to be made between Russia /Donbass and Ukraine. I couldn’t agree more. Looks like Trump is on his way to make good on his campaign intention, and according to my predictions here and also here.

USA wants to slowly and secretly distance itself from Ukraine, while attempting to save face. What a bummer for Obama and his handlers, after all their efforts to the contrary!

This alone was enough to cause a major Internet storm. But it gets better!

TRUMP’S TWEET:

May 11

Notice one crucial difference between two photos, the difference that made the Kiev junta very upset?

Is it that Trump…


Heil, Poroshenko! Ukraine junta bans Russian SM, prepares to ban Russian Orthodox Church

Futurist Trendcast


A lot is happening in Ukraine, as the Kiev junta continues beating record after record in schizophrenia and fascist extremism.

Today the Kiev Rada is supposed to pass the new law, which effectively outlaws the traditional Russian Pravoslavnaya (Orthodox) Church, Moscow Patriarchy. The majority of Ukrainians belong to this church — one of the main and most influential branches of the global Christianity.

The breakaway branch of the ‘Ukrainian Church’ is unrecognized by any other religious organization in the world. Yet, it is to this outcast church that the Kiev junta is preparing to pass all the churches belonging to the Russian Pravoslavnaya Church on the territory of Ukraine.

This includes up to 14,000 parishes with church buildings, plus hundreds of monasteries and tens of thousands of church properties all over Ukraine. Each parish owns precious religious relics, icons and other highly valuable items, many in gold and silver. Among important relics…


Trump’s Plan Finally Becomes Clear

sentinelblog

Source: The Strategic Culture Foundation, by Eric Zuesse

The first stage of U.S. President Donald Trump’s plan to restore America’s former dominance as a manufacturing country will be announced this coming weekend in Riyadh, Saudi Arabia and Washington DC, but its outlines are now already more than clear. The biggest-ever foreign sale of U.S.-made weaponry will be announced at that time, and, according to a little-noticed report by Reuters on May 12th, an unidentified U.S. government official informed Reuters that «We are in the final stages of a series of deals», whose size will be of truly extraordinary historic proportions.

Trump will announce during this, his first trip abroad as the U.S. President, starting on Friday May 19th, deals for the fundamentalist-Sunni government of Saudi Arabia to purchase more than $100 billion, and perhaps more even than $300 billion, in U.S.-made weaponry. The announced intention of…

