Spotted: Miscreants use pilfered NSA hacking tools to pwn boxes in nuke, aerospace worlds
High-value servers targeted by cyber-weapons dumped online by Shadow Brokers
Miscreants are using a trio of NSA hacking tools, leaked last year by the Shadow Brokers, to infect and spy on computer systems used in aerospace, nuclear energy, and other industries.
This is according to Kaspersky Lab, whose researchers today said the American snooping agency's DarkPulsar cyber-weapon – along with a pair of toolkits called DanderSpritz and Fuzzbunch that can remotely control infected machines – has been used by hackers to commandeer Windows Server 2003 and 2008 boxes in Russia, Iran, and Egypt.
The infected vulnerable servers are used in some 50 organizations within industries including aerospace and nuclear energy, particularly those with large IT and R&D departments.
"The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools," Kaspersky Lab's Andrey Dolgushev, Dmitry Tarakanov, and Vasily Berdnikov reported. "Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims."
What was less clear was how the DanderSpritz and Fuzzbunch toolboxes could be linked up to access the infected machine. This is where DarkPulsar comes in.
DarkPulsar itself is a backdoor that, when used with the Fuzzbunch exploit kit, gives the hacker remote access to the targeted server. From there, the attacker could use DanderSpritz with specialized plugins to monitor and extract data from the compromised servers.
The Kaspersky researchers say that the finding is significant, as it shows in the wild how DanderSpritz, DarkPulsar, and Fuzzbunch would potentially be chained together by crooks or state spies on a budget to create a formidable attack package.
"The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness," Kaspersky Lab said.
"The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional."
The discovery allows researchers to piece together how, both before and after their leak, the NSA hacking tools would be combined to perform hacking operations.
Their writeup includes technical details on how to detect and stop the tools within your own networks. Patches should also be available for the vulnerabilities targeted by the leaked NSA exploits. ®