One of the most significant events in computer security happened in April 2017, when a still-unidentified group calling itself the Shadow Brokers published a trove of the National Security Agencys most coveted hacking tools. The leak and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide made the theft arguably one of the NSAs biggest operational mistakes ever.
On Monday, security firm Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. An advanced persistent threat hacking group that Symantec has been tracking since 2010 somehow got access to a variant of the NSA-developed "DoublePulsar" backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.
The revelation that the powerful NSA tools were being repurposed much earlier than previously thought is sure to touch off a new round of criticism about the agencys inability to secure its arsenal.
“This definitely should bring additional criticism of the ability to protect their tools,” Jake Williams, a former NSA hacker who is now a cofounder of Rendition Infosec, told Ars. “If they didn't lose the tools from a direct compromise, then the exploits were intercepted in transit or they were independently discovered. All of this completely kills the NOBUS argument.”
“NOBUS” is shorthand for nobody but us, a mantra NSA officials use to justify their practice of privately stockpiling certain exploits rather than reporting the underlying vulnerabilities so they can be fixed.
Symantec researchers said they didnt know how the hacking group—variously known as Buckeye, APT3, Gothic Panda, UPS Team, and TG-0110—obtained the tools. The researchers said the limited number of tools used suggested the hackers access wasnt as broad as the access enjoyed by the Shadow Brokers. The researchers speculated that the hackers may have reverse-engineered technical “artifacts” they captured from attacks the NSA carried out on its own targets. Other less likely possibilities, Symantec said, were Buckeye stealing the tools from an unsecured or poorly secured NSA server, or a rogue NSA group member or associate leaking the tools to Buckeye.
The attack used to install Buckeye's DoublePulsar variant exploited a Windows vulnerability indexed as CVE-2017-0143. It was one of several Windows flaws exploited in Shadow Broker-leaked NSA tools with names like "Eternal Romance" and "Eternal Synergy." Microsoft patched the vulnerability in March 2017 after being tipped off by NSA officials that the exploits were likely to be published soon.
Symantecs report means that by the time the NSA reported the vulnerabilities to Microsoft, they had already been exploited in the wild for months.
“The fact that another group (besides NSA) were able to successfully exploit the Eternal series of vulnerabilities… is very impressive,” Williams said. “It speaks to their technical abilities and resourcing. Even if they stole the vulnerabilities while they were being used on the network, that's not enough to recreate reliable exploitation without tons of extra research.”
Tale of two exploits
Security protections built into modern versions of Windows required two separate vulnerabilities to be exploited to successfully install DoublePulsar. Both the NSA and Buckeye started by using CVE-2017-0143 to corrupt Windows memory. From there, attackers needed to exploit a separate vulnerability that would divulge the memory layout of the targeted computer. Buckeye relied on a different information-disclosure vulnerability than the one the NSAs Eternal attacks used. The vulnerability used by Buckeye, CVE-2019-0703, received a patch in March, six months after Symantec privately reported it to Microsoft.
Symantec said the earliest known instance of Buckeye using the NSA variants came on March 31, 2016 in an attack on a target in Hong Kong. It came in a custom-designed trojan dubbed "Bemstour" that installed DoublePulsar, which runs only in memory. From there, DoublePulsar installed a secondary payload that gave the attackers persisteRead More – Source