NSA's arsenal of Windows hacking tools has leaked

The NSA used the Windows hacking tools to target several banks.
Written by Zack Whittaker, Contributor

(Image: file photo)

A new trove of alleged surveillance tools and exploits from the National Security Agency's elite hacking team have been released by the Shadow Brokers' hacking group.

The group Friday appeared to release tools designed to target Windows PCs and servers, along with presentations and files purporting to detail the agency's methods of carrying out clandestine surveillance.

According to several documents, the NSA used the Windows hacking tools to target several banks, including the SWIFT banking system.

The dump of Windows exploits -- arguably affecting the most people and organizations and likely to cause the most damage and embarrassment to the intelligence agency -- has been expected since the hacking group first emerged on the scene last year.

In case you missed it, hacking tools that were confirmed to belong to the NSA's so-called Equation Group were stolen last year in one of the biggest breaches of classified files since the Edward Snowden revelations. These tools, allowed NSA analysts to break into a range of systems, network equipment, and firewalls, and most recently, tools to target the Linux operating system -- many of which were old and outdated. The group attempted to auction off the files but failed, and it has been releasing portions of the stolen files in stages.

Researchers are currently poring over the cache of files.

Several of the files we've seen appear to be "top secret" in classification, such as JeepfleaMarket, which appears to utilize the Jeepflea program to collect data on servers at least nine international banks.

The document purports to show the infrastructure behind the system, along with another document, which shows that the NSA has deep access to some networks by exploiting VPN and firewall systems.


(Image: supplied, via Kevin Beaumont)

It appears that most of the exploits target older Windows versions, dating back as early as Windows XP and Windows Server 2003.

Among the more interesting exploits found in the cache include ExplodingCan, which exploits older versions of Windows' web server Internet Information Services with a remote backdoor. Security researcher Kevin Beaumont, who examined the exploit, said in a tweet that the tool was "very well" built.

Another exploit, dubbed EmeraldThread, is a remote Windows SMB exploit for Windows XP and 2003.

And while little is known about the so-called OddJob implant, it appears to have exploits for almost every version of Windows 2000 and later, including some server editions, some of which may still work.

Other tools point to several other remote exploits in every version of Windows, according to Hacker Fantastic, a security researcher who has been analyzing the files. (The researcher followed up in a tweet noting that not current all patches were applied at the time.)

The researcher was able to run many of the exploits found in the cache, according to a tweet.

It's not known how many of the exploits, if any, are unknown to the manufacturer. These so-called zero-day vulnerabilities are closely guarded secrets to allow analysts to carry out surveillance.

But Beaumont said that some of the tools he examined "may be" previously undisclosed, but they have yet "to be confirmed."

A Microsoft spokesperson said in a statement late Friday that it has "confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products" and gave a more detailed breakdown in a blog post.

A spokesperson for the NSA did not return a call Friday.

This post has been updated several times over the past few days, and some information relating to Windows 8 was removed after claims were proven incorrect.

Everyday ways your personal privacy is under threat:

Editorial standards