The name Equation Group was coined by Kaspersky, while they didn’t directly state that Equation Group is the NSA (or possibly, just NSA’s TAO group), a close look at the evidence is quite clear. The level of detail about targets, and details from operator logs should allow the NSA to narrow the possible sources I’m hoping that at some point there’s an official statement about who they believe is releasing these files – though the odds of that happening don’t seem good.
The SWIFT files could have been positioned as a WikiLeaks-styled bombshell, though was dropped quietly without the fanfare to make news outside of the normal technology publications – while the exploits have a substantial impact, they are of little interest to most people outside of the industry, the SWIFT work on the other hand, could be of much larger significance.
EASYBEE EXPLOIT HOW TO
One likely scenarios is that a jump-server was captured by another intelligence agency, and the leaks and bizarre rants were part of a political play – though their choices of how to release information has greatly reduced their effectiveness. This would explain the type of files and documentation found – and would explain the files that aren’t included, such as source code, training material, and similar files that an insider would have access to, but wouldn’t be stored on a server outside of their network. The data is most likely from a jump-server – a server that NSA operators would push their files to, and connect to targets from. There’s been a great deal of debate about the source of these files, some have suggested that it was an insider, possibly even Harold Thomas Martin, though an insider makes little sense.
A variety of different things pulled together over the years from different sources. Their collection is just that, a collection. We will likely see just how effective these exploits are though, as criminals work to leverage these exploits in exploit-kits and the like – you can be sure, just because these exploits are known, this certainly isn’t the last we’ll see of them. What’s clear here is, there is some real value in the exploits that have been released ( estimated at $2M or more) – and are likely very important to NSA intelligence operations (or at least they would have been till they learned that they had been compromised).Īs a security person – best interest to review/investigate SB dump to validate TTPs, but still feel dirty doing it.Īs NSA doesn’t talk about anything if it can be avoided, it’s unlikely that we will ever know what the impact is to their operations.
EASYBEE EXPLOIT PATCH
A number of versions of Windows targeted by these exploits are not supported, such as Windows XP, Windows 2003, and Vista – meaning that there’s no patch coming, these systems will remain vulnerable forever. This is just one exploit, there’s also ETERNALCHAMPION, EASYBEE, EASYPI, ECLIPSEDWING, EDUCATEDSCHOLAR, EMERALDTHREAD, EMPHASISMINE, ENGLISHMANSDENTIST, ERRATICGOPHER, ESKIMOROLL, ESTEEMAUDIT, ETERNALROMANCE, ETERNALSYNERGY, EWOKFRENZY, EXPLODINGCAN, and ZIPPYBEER – there’s a lot of work to be done to fully understand the impact and figure out what needs to be fixed.
EASYBEE EXPLOIT WINDOWS 10
ETERNALBLUE appears to be an 0day against Windows XP, Vista, 2003, 2008, 2008R2, and Windows 7 (it’s being reported that Windows 10 is vulnerable as well 3) – one can imagine that there is panic in Redmond as Microsoft works to analyze it and prepare a patch. #ShadowBrokersĪs the community works to analyze the latest dump, going through the exploits trying to identify what they are, and if they are known some very interesting things have been found. I know a few NSA contractors/providers being really upset to see some of their gold exploits being publicly exposed/killed.