A computer screen displaying EternalRomance, one of the hacking tools dumped Friday by Shadow Brokers. (credit: Matthew Hickey)
The people behind Tuesday’s massive malware outbreak had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according to evidence unearthed by researchers from antivirus provider F-Secure.
EternalBlue and EternalRomance, as the two exploits were code-named, were two of more than a dozen hacking tools leaked on April 14 by an as-yet unknown group calling itself the Shadow Brokers.

Almost immediately, black-hat and grey-hat hackers used EternalBlue to compromise large numbers of computers running unpatched versions of Microsoft Windows. Within a week or two, black hats started using EternalBlue to install cryptomining malware. No one really noticed until the outbreak of the WCry (WannaCry) ransomware worm on May 12, which infected an estimated 727,000 computers in 90 countries.
On Thursday, F-Secure researchers said they have evidence the still-unknown developers of Tuesday’s NotPetya malware had access to EternalBlue and EternalRomance as early as February, when they finished work on the malware component that used the stolen NSA exploits.

The timeline is all the more significant considering the quality of the component, which proved surprisingly adept in spreading the malware from computer to computer inside infected networks.

The elegance lay in the way the component combined the NSA exploits with three off-the-shelf tools: Mimikatz, PsExec, and WMIC. Mimikatz harvests credentials from the memory of an infected machine; PsExec and WMIC then reuse those credentials to run the malware on other machines in the network, with no exploit required.

The result: NotPetya could infect both patched and unpatched computers quickly. Unpatched machines fell to EternalBlue and EternalRomance, while patched ones were reached with stolen credentials and the built-in remote-execution tools.

Code that complex and effective likely required weeks of development and testing prior to completion.
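The spreading pattern just described, credential theft from memory followed by remote execution over WMIC and PsExec against many hosts in a short time, is also what a defender can look for. The following is an added example, not F-Secure's analysis code and not the malware's code: a small Python detector run over constructed Sysmon/Windows-style event lines. The event IDs it keys on are real (Sysmon 10, ProcessAccess, and Windows 4688, process creation), but the key=value log format, field names, LSASS-access allowlist, time window and target threshold are all assumptions to be tuned per environment.

```python
"""
Added example: flag hosts that touch LSASS and then push execution to several
other hosts over WMIC or PsExec within a short window. The log lines below are
constructed for this example; they are not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed key=value format (not a real log format).
SAMPLE_LOG = r"""
2017-06-27T10:00:01 host=WS01 event=10 source_image="C:\Windows\Temp\svc.exe" target_image="C:\Windows\System32\lsass.exe"
2017-06-27T10:00:05 host=WS01 event=4688 image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic /node:WS02 /user:CORP\admin process call create rundll32.exe"
2017-06-27T10:00:06 host=WS01 event=4688 image="C:\Windows\Temp\ps.exe" cmdline="ps.exe \\WS03 -accepteula -s -d rundll32.exe"
2017-06-27T10:00:09 host=WS01 event=4688 image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic /node:WS04 process call create rundll32.exe"
2017-06-27T10:05:00 host=ADMIN1 event=10 source_image="C:\Program Files\Windows Defender\MsMpEng.exe" target_image="C:\Windows\System32\lsass.exe"
2017-06-27T10:05:10 host=ADMIN1 event=4688 image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic /node:FS01 process call create notepad.exe"
2017-06-27T11:00:00 host=WS09 event=4688 image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic /node:WS10 process call create cmd.exe"
"""

# Processes that legitimately open LSASS; an assumed list, tune it per environment.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Match on command-line shape rather than image name: a renamed wmic/psexec binary
# still has to pass a target host and the remote-execution verbs.
WMIC_NODE_RE = re.compile(r'/node:"?([^\s"]+)"?.*process\s+call\s+create', re.IGNORECASE)
PSEXEC_TARGET_RE = re.compile(r'\\\\([^\s\\]+)\s+.*-(?:accepteula|s|d|c)\b', re.IGNORECASE)


def parse_event(line):
    """Turn one 'TIMESTAMP key=value key="quoted value"' line into a dict."""
    ts_str, _, rest = line.strip().partition(" ")
    ev = {"ts": datetime.fromisoformat(ts_str)}
    for m in KV_RE.finditer(rest):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return ev


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return ("lsass", None), ("remote_exec", TARGET_HOST) or None."""
    if ev.get("event") == "10" and basename(ev.get("target_image", "")) == "lsass.exe":
        if basename(ev.get("source_image", "")) not in LSASS_ALLOWLIST:
            return ("lsass", None)
        return None
    if ev.get("event") == "4688":
        cmd = ev.get("cmdline", "")
        m = WMIC_NODE_RE.search(cmd) or PSEXEC_TARGET_RE.search(cmd)
        if m:
            return ("remote_exec", m.group(1).upper())
    return None


def detect_spreaders(lines, window=timedelta(minutes=10), min_targets=2):
    """Hosts that read LSASS and then reach >= min_targets distinct hosts within window.

    Returns {source_host: sorted list of target hosts}.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_lsass = {}              # host -> time of the most recent suspicious LSASS access
    targets = defaultdict(set)   # host -> hosts it pushed execution to since that access
    alerts = {}
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        host, (kind, target) = ev["host"], tag
        if kind == "lsass":
            last_lsass[host] = ev["ts"]
            targets[host].clear()
        elif host in last_lsass and ev["ts"] - last_lsass[host] <= window:
            targets[host].add(target)
            if len(targets[host]) >= min_targets:
                alerts[host] = sorted(targets[host])
    return alerts


if __name__ == "__main__":
    for host, hit in detect_spreaders(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: LSASS access followed by remote execution to {', '.join(hit)}")
```

On the constructed input only WS01 is reported: ADMIN1's LSASS access comes from an allowlisted process and it reaches a single host, and WS09 runs WMIC remotely without any preceding credential theft. Matching on command-line shape rather than binary name matters here because NotPetya shipped its PsExec copy under a different file name.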