The Shadow Brokers returned to ruin Easter weekend with a new batch of Windows exploits and attacks on the SWIFT banking system that leverage Cisco router flaws.
The Shadow Brokers Friday released small batches of cyberweapons related to the Equation Group -- the alleged hacking arm of the National Security Agency (NSA) -- after a failed auction, but experts had been unimpressed with the data in the past. However, Cris Thomas, strategist at Tenable Network Security, based in Columbia, Md., said today's dump "seems to be the largest and most damaging release to date."
"Based on the information contained in the data dump, the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor -- if not disrupt -- financial transactions to terrorist groups," Thomas told SearchSecurity. "There appears to be at least several dozen exploits, including zero-day vulnerabilities, in this release. Some of the exploits even offer a potential 'God Mode' on select Windows systems."
Editor's note: Microsoft later confirmed the majority of the Windows exploits published in the dump were not zero-days and had already been addressed with patches.
Experts have been reviewing the latest Shadow Brokers release, and one of the more dangerous findings is evidence of exploiting the SWIFT banking transaction system.
Matt Suiche, Microsoft MVP and founder of Comae Technologies, based in the United Arab Emirates, wrote on Medium that this release details evidence "of the largest infection of a SWIFT Service Bureau to date."
"In this case, if Shadow Brokers' claims are indeed verified, it seems that the NSA sought to totally capture the backbone of the international financial system to have a God's eye into a SWIFT Service Bureau -- and potentially the entire SWIFT network," Suiche wrote.
Suiche told SearchSecurity that, "technically speaking, they had full control of the SWIFT Service Bureau (EastNets) environment," but it is unclear why. Suiche did say, however, that one script found in the release would allow the attacker to read all SWIFT banking transactions.
Hazem Mulhim, CEO and founder of EastNets, said he "can confirm that no EastNets customer data has been compromised in any way." And an EastNets statement read:
The reports of an alleged hacker-compromised EastNets Service Bureau network are totally false and unfounded. The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities. The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks.
A SWIFT banking representative backed up EastNets' statement, saying there was "no impact on SWIFT's infrastructure or data," and there was "no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."
However, Kevin Beaumont, a security architect based in Liverpool, said on Twitter that this was "demonstrably untrue." And Suiche called the statement "lies" and questioned how EastNets was able to check its systems in just a few hours in order to make such a statement.
According to Suiche and other security researchers, the Shadow Brokers dump includes exploits for Cisco routers and tools to extract information from Oracle databases, which would have been used to infiltrate the SWIFT banking system.
Beaumont also dug through the Shadow Brokers release and found a number of Windows exploits, including exploits against the Remote Desktop Protocol, Kerberos and Outlook Web App. Additionally, he confirmed three exploits against the Windows Server Message Block (SMB) protocol that currently work.