The Group Shadow Brokers has leaked more files which include a servers list allegedly used by the Equation Group – one of the contractors of the NSA – in its attacks.
In mid-august, Shadow Brokers emerged with proofs of their hack, when it leaked roughly 300 MB of firewall exploits and tools taken from Equation Group servers. While the sample exploits were old, it helped firewall vendors to discover unknown vulnerabilities in their products. Some of the popular firewall vendors affected include Cisco, Juniper, Fortigate, Watchguard, and TopSec.
The group initially auctioned the rest of the files it had, but when the plan failed, it announced to make it publicly available once they raise 10,000 bitcoins in crowdfunding. With the current situation of 2 bitcoins raised so far, it is unlikely that this plan will continue to work.
However, the Shadow Brokers group released a new batch of files on Monday. They explained that the domain and IPs mentioned in the archives correspond to servers used by the Equation Group to breach networks.
After the release of archives, the leak has been analyzed by various security researchers. One of the researchers Mustafa Al-Bassam said that the files contain a list of compromised servers to act as staging actors in the Equation group attacks. The researchers confirmed that the archives are old and date back between 2000 and 2010 and the affected servers have most likely be cleaned up or replaced.
However, the detailed analysis of the dump by Hacker House suggests that some of the affected host servers are still active and infected with the previously undisclosed tools that are mentioned in the latest leak.
Researchers at Hackers House says, “These hosts may still contain forensic artifacts of the Equation Group APT group and should be subject to incident response handling procedures.”
The tools referenced in the archives includes INCISION, DEWDROP, JACKLADDER, PATCHICILLIN, ORANGUTAN, SIDETRACK, RETICULUM, and STOICSURGEON. Other notable tools referenced in the files are PITCHIMPAIR and INTONATION – Shadow Brokers suggests that these two exploits are a sort of redirector tools. It is worth noticing that these names align with the same naming convention as in NSA’s famous ANT catalog.
The experts analyzed and have confirmed 352 IPs and 306 domain names including 9 .gov domains, and 32 .edu domains, spread across 49 countries, mostly Asia Pacific region. The countries affected include China, Korea, Japan, Germany, Spain, India, Mexico, Taiwan, Italy, and Russia.
The Hacker House also pointed out that the Equation Group seemed to be using Sendmail exploit.
In their latest statement, Shadow Brokers talked about upcoming elections in the US. They urged people to disrupt the elections, either by hacking or physical actions, such as protests or destroying voting equipment.
The aim of Shadow Brokers still, is to make money from Equation Group archives, but the experts say the files are not valuable as the hacker group believes it to be.
It’s still not clear that who’s behind this Shadow Broker group. Popular theories include an NSA insider, the Russian government, or the opportunist hackers who breached the data on the NSA’s server.
The linguistic experts Taia Global’s analysis suggests that the people behind Shadow Brokers are native English speaker who is trying to appear as non-native. The latest statements published by the hacker group supports this theory.
Share this article
About the Author
Peter Buttler an Infosec Journalist and Tech Reporter, Member of IDG Network. In 2011, he completed Masters in Cybersecurity and technology. He worked for leading security and tech giants as Staff Writer. Currently, he contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Mag, SC Magazine, Tripwire, GlobalSign CSO Australia, etc. His favorite areas Online Privacy, AI, IoT, VR, Blockchain, Big Data, ML, Fintech, etc. You can follow him on twitter.
More from Peter ButtlerRelated Posts
Passengers’ Data Stored on User Devices, not on DigiYatra Storage, says India Govt
KEY TAKEAWAYS Unblocking streaming content from Amazon Prime is easy only if you know the reliable V...
NCSC Chief: Clear Rules Needed to Prevent Cyberspace Conflict and Struggle
A safe and secure digital world necessitates a clear definition and enforcement of international cyb...
‘Revive’ has been upgraded to a banking Trojan on Android
This month, Cleafy’s security researchers discovered a new Android Banking Trojan in the wild....
Asian Industrial Control Systems Targeted by Hackers Using the Shadowpad Backdoor
Unpatched Microsoft Exchange servers in various Asian countries were the target of an attack campaig...
Data Breaches Could Occur Due to Kubernetes Misconfigurations That Were Leaked.
Over 900,000 Kubernetes (K8s) have been discovered to be vulnerable to malicious scans and/or data-e...
Attacks by Cybercriminals Will Become the Main Threat in 2024. Privacy Issues Tendencies
Internet Privacy is the main Concern today Advertisers track your online activities and interf...