NSA hacking tools are "frequently used by an array of nation state hackers," were used by Russia's Petya among others: "The same leak [of NSA hacking tools] contains powerful exploits that could be weaponised by state adversaries, organised crime or by anyone possessing basic technical knowledge - as we saw with the Petya ransomware attack in Eastern Europe."
3/15/18, "US Accuses Russia Of Cyber Attacks, Sanctions "Putin's Chef", Russian Troll Farm," zero hedge, Tyler Durden
"The US Treasury’s Office of Foreign Assets Control has posted a new and improved list of cyber-related sanctions targeting several Russian individuals and entities....
Treasury also points to 2017 'NotPetya' attack, which the U.S. says was "the most destructive and costly cyber-attack in history."
NotPetya resulted in billions of dollars in damage across Europe, Asia and U.S., disrupted global shipping, trade and medicine production, and rendered several U.S. hospitals unable to create electronic records for more than a week."...
Added: Russia's Petya attack used NSA hacking tools:
9/18/17, "Take Cybersecurity Away From Spies-For Everyone's Sake," chathamhouse.org, Emily Taylor ("originally published by Wired Magazine")
"The NSA's leaks show that even the best intelligence agencies are not invulnerable to hacking....Weaving public-safety responsibility into a secret and secretive operation is always likely to cause conflicts of interest. WannaCry was an example of a state-developed cyber weapon turned against its creators.
The core exploit, Eternal Blue, is believed to have been created by the US National Security Agency (NSA), who presumably intended to keep it secret. Then, in April 2017, it was leaked, along with a suite of hacking tools targeting Windows PCs.
The same leak [of NSA hacking tools] contains powerful exploits that could be weaponised by state adversaries, organised crime or by anyone possessing basic technical knowledge - as we saw with the Petya ransomware attack in Eastern Europe.
Had the NSA chosen to inform Microsoft of the vulnerability, there would have been no Eternal Blue, and no WannaCry. But intelligence agencies have a different motivation: they want to keep such "zero-day" vulnerabilities secret for potential development into a cyber weapon....
Loading responsibility for public cyber-safety on to the intelligence services is bad for both public safety and national security. It also risks diverting resources and energies away from national security and covert operations.
The WannaCry attack should provide an opportunity to separate two key roles: clandestine signals intelligence and the cyber security of...critical national infrastructure."...
"This article was originally published by Wired Magazine"
"Eternal Blue's widespread use [for at least 5 years] is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people's crowbar. It is also frequently used by an array of nation state hackers....It will be years before enough computers are patched against EternalBlue." Eternal Blue can mask or give false clue about the geographic location of the hacker.
3/7/18, "The Leaked NSA Spy Tool That Hacked the World," Wired, Lily Hay Herman
EternalBlue is the name of both a software vulnerability in Microsoft's Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers.
Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA.
The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.
Microsoft released its EternalBlue patches on March 14 of last year. But security update adoption is spotty, especially on corporate and institutional networks. Within two months,
WannaCry ransomware attacks....As WannaCry hit, Microsoft even took the "highly unusual step" of issuing patches for the still popular, but long-unsupported Windows XP and Windows Server 2003 operating systems.
In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen.
The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue's profile, many attackers had already realized the exploit's potential by then.
Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. "WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them," says Jérôme Segura, lead malware intelligence analyst at the security firm Malwarebytes. "There are definitely a lot of machines that are exposed in some capacity."
Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. "EternalBlue will be a go-to tool for attackers for years to come," says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. "Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed.
There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms."
At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker's toolbox—much like the password extraction tool Mimikatz. But EternalBlue's widespread use [for at least 5 years] is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people's crowbar. It is also frequently used by an array of nation state hackers including those in Russia's Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.
New examples of EternalBlue's use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. "EternalBlue is ideal for many attackers because it leaves very few event logs," or digital traces, Rendition Infosec's Williams notes. "Third-party software is required to see the exploitation attempts."
And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms.
"It's incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors," says Vikram Thakur, technical director of Symantec's security response. "To [a hacker] it’s just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three."
It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks."