WannaCry XXL? 2nd even bigger global cyber attack already underway

As the world reels from the WannaCry ransomware attack, it has now emerged that a second, potentially larger, attack is already under way. The widespread proliferation of leaked nation-state exploit code appears to have ushered in a new era of digital crime.


Cyber bandits have again deployed the EternalBlue SMB exploit together with the DoublePulsar kernel backdoor, both developed and used by the NSA and released by the ShadowBrokers hackers back in April. (EternalBlue is the exploit; DoublePulsar is the implant it installs, not an exploit in its own right.)

“Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection,” wrote a security researcher who goes by the alias Kafeine at cybersecurity company Proofpoint.

This latest attack uses the exploit and backdoor pair to install the cryptocurrency miner Adylkuzz across corporate local area and wireless networks but, rather curiously, may actually have helped slow the spread of WannaCry.

READ MORE: Ransomware virus plagues 100k computers across 99 countries

However, in an apparent case of "picking your poison," the Adylkuzz miner dramatically slows PC and server performance while it mines, but it does not lock users out of their machines and data, as WannaCry did.


Researchers at Proofpoint estimate that the Adylkuzz attack may have begun as early as April 24 but was subsequently overshadowed in the hysteria that followed the WannaCry ransomware attacks.

The attack is launched from multiple virtual private servers which scan the internet for hosts exposing SMB (TCP port 445) that are still vulnerable to EternalBlue, and then install the Adylkuzz miner on them.

The malware infection occurs as follows:

The EternalBlue exploit, which targets the SMBv1 flaw fixed by Microsoft's MS17-010 update, opens the door for infection with DoublePulsar on a target machine. DoublePulsar then downloads and runs Adylkuzz on the computer.

Adylkuzz then stops any preexisting versions of itself on the target machine, while also blocking SMB communications on TCP port 445 with other machines, so that further malware infections via the same vulnerability cannot disrupt its operations. Because the machine keeps working, if slowly, this initially prevents security staff from noticing that there is a problem.

Once the door has been held open and detection risks have been minimized, Adylkuzz downloads mining instructions, the cryptocurrency miner itself and a variety of cleanup tools to mask its activities.
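The chain above turns on whether DoublePulsar is already listening on a host. The implant's SMB variant answers a Trans2 SESSION_SETUP "ping" with a tell-tale Multiplex ID: the probe sends MID 0x41, a clean host echoes 0x41, and an infected host replies with 0x51. The following Python, written for this page and not taken from Proofpoint or from any scanner, parses a captured SMB1 reply and classifies it on that signature. The sample replies it builds are constructed test inputs, not real captures, and the status code and flags in them are assumptions; sending the probe over the network is left out.

```python
import struct

# Constants from the SMB1 (CIFS) wire format.
NETBIOS_SESSION_MESSAGE = 0x00
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80                       # bit 7 of Flags: server response
SMB_HEADER_FMT = "<B I B H H 8s H H H H H"   # header fields after the 4-byte magic
SMB_HEADER_LEN = 32

# Multiplex IDs in the reply to the Trans2 SESSION_SETUP ping.
# The probe uses MID 0x41; a clean host echoes it, a DoublePulsar-infected
# host answers 0x51.
MID_CLEAN = 0x41
MID_DOUBLEPULSAR = 0x51


def parse_smb1_header(pkt: bytes) -> dict:
    """Return the SMB1 header fields of a raw NetBIOS session packet."""
    if len(pkt) < 4 + SMB_HEADER_LEN:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    if pkt[0] != NETBIOS_SESSION_MESSAGE:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(pkt[1:4], "big")
    if nb_len != len(pkt) - 4:
        raise ValueError("NetBIOS length does not match payload")
    hdr = pkt[4:4 + SMB_HEADER_LEN]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    (command, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid, uid, mid) = struct.unpack(SMB_HEADER_FMT, hdr[4:])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high, "signature": signature,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_trans2_reply(pkt: bytes) -> str:
    """Classify the reply to a DoublePulsar Trans2 ping.

    Returns 'doublepulsar', 'clean', 'unexpected-mid' or 'not-trans2-reply'.
    Only a Trans2 *response* is judged; anything else is ignored so a
    stray Negotiate or Session Setup reply cannot produce a false verdict.
    """
    h = parse_smb1_header(pkt)
    if h["command"] != SMB_COM_TRANSACTION2 or not (h["flags"] & SMB_FLAGS_REPLY):
        return "not-trans2-reply"
    if h["mid"] == MID_DOUBLEPULSAR:
        return "doublepulsar"
    if h["mid"] == MID_CLEAN:
        return "clean"
    return "unexpected-mid"


def build_smb1_reply(command: int, mid: int, status: int = 0) -> bytes:
    """Constructed sample: a minimal SMB1 reply with the given command and MID.

    Built only to feed the classifier offline. The Flags2 value, PID and
    status are assumptions; a real reply carries more fields.
    """
    hdr = SMB_MAGIC + struct.pack(
        SMB_HEADER_FMT, command, status, SMB_FLAGS_REPLY, 0xC807, 0,
        b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)
    body = b"\x00" + b"\x00\x00"          # WordCount = 0, ByteCount = 0
    payload = hdr + body
    return bytes([NETBIOS_SESSION_MESSAGE]) + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    samples = {
        "unpatched-but-clean": build_smb1_reply(SMB_COM_TRANSACTION2, MID_CLEAN),
        "backdoored": build_smb1_reply(SMB_COM_TRANSACTION2, MID_DOUBLEPULSAR),
        "negotiate-reply": build_smb1_reply(0x72, MID_CLEAN),   # SMB_COM_NEGOTIATE
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify_trans2_reply(pkt)}")
```

Two caveats when using this against live hosts: the signature covers the SMB flavour of DoublePulsar only, and a host that Adylkuzz has already reconfigured will simply drop the probe on port 445 rather than answer it. A machine that answered SMB in last week's inventory and now times out on 445 is therefore itself worth a look, not a clean result.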


While the term cryptocurrency is typically associated with Bitcoin, Adylkuzz actually mines Monero, a privacy-focused currency whose transactions conceal sender, receiver and amount, which makes its proceeds far harder to trace than Bitcoin's. Monero saw a significant uptick in usage after it was adopted by the AlphaBay market on the Dark Web.


As with other cryptocurrencies, new Monero is issued to whoever solves proof-of-work blocks, and Monero's CryptoNight algorithm is designed to run well on ordinary CPUs, which is exactly the hardware a pool of compromised office PCs and servers supplies. One monero is roughly equivalent to $27 at current exchange rates.

During its research, Proofpoint identified three Monero payment addresses which had already earned roughly $7,000, $14,000 and $22,000 respectively, before being shut down.

To cover their tracks, whoever is behind the attack regularly rotates the mining payment address to avoid attracting too much attention to any single wallet.

As in the case of the WannaCry attack, the attackers have leveraged the NSA's weaponized exploits against older, unpatched Windows versions to infect hundreds of thousands of machines worldwide with malware. Since the Shadow Brokers' leak of these NSA exploits there have been two high-profile attacks, with many more expected in the future.

CIA is world’s most dangerously incompetent spy agency – Assange

WikiLeaks founder Julian Assange has described the CIA as “dangerously incompetent,” in response to the US agency branding him a “friend of terrorists.” The war of words started after RT asked the CIA to comment on reports of its hacking exploits.


“Dictators and terrorists have no better friend in the world than Julian Assange, as theirs is the only privacy he protects,” CIA spokesperson Heather Fritz Horniak told RT in an email.


The scathing response came after RT asked the CIA to comment on the assessment of former agency analyst Ray McGovern. He suggested that the capability to falsify digital fingerprints, exposed by WikiLeaks as part of its ongoing Vault 7 disclosure, cast doubt on allegations against Russia in connection with the 2016 US presidential election.

READ MORE: #Vault7: How CIA steals hacking fingerprints from Russia & others to cover its tracks

“Could it be that the ‘Russian hack’ was really done by John Brennan of the CIA? If I were asked to bet on that, then I would bet that that was exactly the case,” McGovern told RT’s Going Underground program.

“What does that mean? It means that these trumped-up charges against Trump, pardon the pun, are baseless,” McGovern added.

Brennan’s successor as CIA director, Mike Pompeo, sparked concerns in April when he suggested that WikiLeaks, which he described as “a non-state hostile intelligence service,” could be prosecuted for the publication of confidential US documents. He also attacked Assange and his associates, branding them “demons.”

Critics said Pompeo was setting a dangerous precedent, which exposed any media outlet reporting on leaks or the accounts of whistleblowers. They also criticized his comment that Assange “has no First Amendment freedoms.”

READ MORE: WikiLeaks ‘hostile intel,’ Assange & his followers ‘demons’: CIA chief goes ballistic

When asked for comment, Assange reiterated his earlier criticism of the US intelligence agency.


“The CIA is the world’s most dangerously incompetent spy agency. It has armed terrorists, destroyed democracies and installed and maintained dictatorships the world over,” he said in an email. “There are good men and women at the CIA but if our publications are any guide they work for WikiLeaks.”

CIA spokesperson Horniak also lashed out at RT for questioning the allegations of Russia’s interference in the US election.

“The responsibility of the Russian intelligence services for the election-related hacking is an established fact, but it is not surprising that an identified propaganda outlet like RT would attempt to muddle those facts. No reputable news organization doubts Russian culpability,” Horniak claimed.

In response, RT’s editor-in-chief, Margarita Simonyan, said that such unquestioning obedience by the western mainstream media to the US establishment only leads to a decline in their popularity.

“The CIA & Co haven’t bothered to present a shred of evidence besides their own claims, and are now actually boasting about how happy the ever-loyal press is to unquestioningly go along with the story,” Simonyan said, adding, “This is exactly why people have stopped trusting the mainstream media and are seeking out alternative sources of news and analysis.”

So far, no definitive evidence of the alleged hacking has been made public. A declassified report by the US intelligence community didn’t state that such hacking took place, but rather said the agencies had “confidence” that it did.

The full episode of Going Underground featuring McGovern will be aired on Wednesday at 6pm Moscow time (15:00 GMT).

NSA BLIMP SPIED IN THE UNITED STATES…


By Ryan Gallagher

TO RESIDENTS OF MARYLAND, catching an occasional glimpse of a huge white blimp floating in the sky is not unusual. For more than a decade, the military has used the state as a proving ground for new airships destined for Afghanistan or Iraq. But less known is that the test flights have sometimes served a more secretive purpose involving National Security Agency surveillance.

Back in 2004, a division of the NSA called the National Tactical Integration Office fitted a 62-foot diameter airship called the Hover Hammer with an eavesdropping device, according to a classified document published Monday by The Intercept. The agency launched the three-engined airship at an airfield near Solomons Island, Maryland. And from there, the blimp was able to vacuum up “international shipping data emanating from the Long Island, New York area,” the document says. The spy equipment on the airship was called Digital Receiver Technology – a proprietary system manufactured by a Maryland-based company of the same name – which can intercept wireless communications, including cellphone calls.

With the exception of a few military websites that refer to the Hover Hammer as an “antenna mounting platform,” there is little information in the public domain about it. The classified NSA document describes the airship as a “helium-filled sphere inside another sphere, constructed of Spectra, the same material used to make bullet-proof vests. … It ‘hovers’ above small arms fire, has a negligible [infrared] signature, and radar can’t detect it.” The agency added in the document that it planned to conduct more tests with the Hover Hammer, and said it wanted to develop a larger version of blimp that would be capable of flying at altitudes of 68,000 feet for up to six months at a time. “More experiments, including the use of onboard imagery sensors, are being conducted,” it said.

The NSA declined to comment for this story.

In recent years, airships – or aerostats, as they are formally called – have been a source of major military investment. Between 2006 and 2015, the U.S. Army paid Raytheon some $1.8 billion to develop a massive missile-defense blimp called the JLENS, which is equipped with powerful radar that can scan in any direction 310 miles. (That’s almost the entire length of New York state.) In October 2015, the JLENS attracted national attention after one became untethered amid testing and drifted north from Maryland to Pennsylvania before it was brought back under control. In 2010, the Army commissioned another three airships – called Long Endurance Multi-Intelligence Vehicles – as part of a $517 million contract with Northrop Grumman. The company stated that the airships would “shape the future” of the military’s intelligence-gathering capabilities and provide a “persistent unblinking stare” from the sky.

Unsurprisingly, privacy groups have expressed concerns about the prospect of the blimps being used domestically to spy on Americans. However, military officials have often been quick to dismiss such fears. In August 2015, Lt. Shane Glass told Baltimore broadcaster WBAL that the JLENS blimps being tested in Maryland were not equipped with cameras or eavesdropping devices. “There are no cameras on the system, and we are not capable of tracking any individuals,” Glass stated. The same cannot be said, it seems, of the NSA’s Hover Hammer.

LEAKED NSA MALWARE THREATENS WINDOWS USERS AROUND GLOBE…


By Sam Biddle

The ShadowBrokers, an entity previously confirmed by The Intercept to have leaked authentic malware used by the NSA to attack computers around the world, today released another cache of what appears to be extremely potent (and previously unknown) software capable of breaking into systems running Windows. The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users.

The leak includes a litany of typically codenamed software "implants" with names like ODDJOB, ZIPPYBEER, and ESTEEMAUDIT, capable of breaking into, and in some cases seizing control of, computers running versions of Windows earlier than the most recent Windows 10. The vulnerable Windows versions ran more than 65 percent of desktop computers surfing the web last month, according to estimates from the tracking firm Net Market Share.

The crown jewel of the implant collection appears to be a program named FUZZBUNCH, which essentially automates the deployment of NSA malware, and would allow a member of agency’s Tailored Access Operations group to more easily infect a target from their desk.


According to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.

“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyberweapon for hacking into computers…people will be using these attacks for years to come.”

Hickey provided The Intercept with a video of FUZZBUNCH being used to compromise a virtual computer running Windows Server 2008; an industry survey from 2016 cited this operating system as the most widely used of its kind.

https://player.vimeo.com/video/213263277?title=0&byline=0&portrait=0&badge=0&color=ff0179

Susan Hennessey, an editor at Lawfare and former NSA attorney, wrote on Twitter that the leak will cause “immense harm to both U.S. intel interests and public security simultaneously.”

A Microsoft spokesperson told The Intercept “We are reviewing the report and will take the necessary actions to protect our customers.” We asked Microsoft if the NSA at any point offered to provide information that would help protect Windows users from these attacks, given that the leak has been threatened since August 2016, to which they replied “our focus at this time is reviewing the current report.” The company later clarified that “At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers.”

Update: April 14th, 2017, 7:20 p.m.

This post has been updated with an additional comment from Microsoft.

40 targets in 16 countries: Scale of CIA-linked #Vault7 hacking tools revealed by Symantec

Hacking tools linked to the CIA in the recent WikiLeaks Vault 7 release were used to target at least 40 organizations in 16 countries, according to internet security firm Symantec.


READ MORE: WikiLeaks publishes #Vault7: ‘Entire hacking capacity of the CIA’

The techniques detailed in Vault 7 were almost certainly developed and used by the same group, Symantec said Monday. The tech company has corroborated a number of the tool “development timelines” put forward by WikiLeaks.

While Symantec does not specifically mention the CIA – instead referring to the group responsible for the attacks as ‘Longhorn’ – the latest revelation gives further credence to WikiLeaks’ assertion that Vault 7 is part of the intelligence service’s “hacking tools”.

Screen Shot 2017-04-10 at 10.32.14 AM

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks,” a Symantec statement said.

“The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.”

Screen Shot 2017-04-10 at 10.33.28 AM

Longhorn has been active since at least 2011, according to Symantec, infiltrating targets in the financial, telecoms, aerospace and natural resources industries.

READ MORE: #Vault7: WikiLeaks reveals ‘Marble’ tool could mask CIA hacks with Russian, Chinese, Arabic

“All the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally,” Symantec added.

WikiLeaks recently published a tranche of information purportedly comprising files from a CIA center in Langley, Virginia. The hacks detailed in the documents included the use of malware and trojans designed by a CIA Engineering Development Group to be “unaccountable” and “untraceable”, Julian Assange said.

READ MORE: #Vault7: Key revelations from WikiLeaks’ release of CIA hacking tools

A WikiLeaks description of a “Fire and Forget” process for a tool called Archangel is “closely matched” with a Longhorn tool called “Backdoor.Plexor”, according to Symantec.

Meanwhile, WikiLeaks’ release of a development timeline for malware called Fluxwire closely aligns with a Longhorn tool tracked and labeled Corentry by Symantec. Evidence of Longhorn’s use of advanced “zero day” techniques leaves “little doubt” about the group’s link to Vault 7, the internet firm adds.

The CIA has refused to comment on the authenticity of the WikiLeaks documents, which so far have been published in four batches online.

“The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community’s ability to protect America,” the CIA said in a statement last month.

“Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools to do us harm.”

SHADOW BROKERS HACKERS RELEASE NSA HACKING TOOLS TO PUNISH TRUMP FOR ‘ABANDONING’ HIS BASE

NSA whistleblower Edward Snowden has confirmed that the leak included authentic NSA software

Hacking group Shadow Brokers has released the password to a trove of NSA exploits in what they say is a form of protest against President Donald Trump for going back on his campaign promises, and warning the president, “Don’t forget your base.” 

The shadowy group first emerged last August and released hacking exploits used by the NSA’s Equation Group, which included vulnerabilities in firewall products, and a list of IP addresses the NSA had exploited, which the group released at a later date.


Shadow Brokers released passwords to the rest of the exploits on Saturday, in a move they described as a protest against Trump, who they say has “abandoned” his base by going back on many promises made on the campaign trail.

NSA whistleblower Edward Snowden has confirmed that the leak included authentic NSA software. The leak doesn’t contain the entire spy tools library, Snowden tweeted.

However, he added that “NSA should be able to instantly identify where this set came from and how they lost it. If they can’t, it’s a scandal.”


Back in August, The Intercept used unreleased documents from Snowden to confirm the Shadow Brokers’ exploits were authentic.

The files appeared to date from up to late 2013, after Snowden had revealed the NSA’s spying reach. They included code to exploit previously unknown security flaws in Cisco hardware.


The password provided by Shadow Brokers unlocks the hacking tools, and the dump also lists servers belonging to companies and universities that were allegedly used as staging points to deploy malware, according to researchers who have examined some of the documents. WikiLeaks tweeted that the dump includes “hacking attacks on EU states, Russia, China, Japan and South East Asia.”


Shadow Brokers listed some of the reasons they were unhappy with Trump in a Medium blog post:

W (TheGlobalists) and Military Industrial Intelligence Complex (MIIC), cabinet, #2 — Backtracked on Obamacare, #3 — Attacked the Freedom Caucus (TheMovement), #4 — Removed Bannon from the NSC, #5 — Increased U.S. involvement in a foreign war (Syria Strike).”

The group also criticized Trump for launching the cruise missile strike against Syria, saying: “Whose war are you fighting? Israeli Nationalists’ (Zionist) and Goldman Sachs’ war? Chinese Globalists’ and Goldman Sachs war? Is not looking like you fighting the domestic wars, the movement elected you to be fighting.”

The group earlier attempted to auction the “best files” for more than 1 million bitcoin, but abandoned the plan in January.

The post seemingly lends clues as to the identity of the group. “Did you know most of theshadowbrokers’ members have taken the oath ‘…to protect and defend the constitution of the United States against all enemies foreign and domestic…’.” it reads. “Yes sir! Most of us used to be TheDeepState everyone is talking about.”

While the Shadow Brokers were accused of being Russians, several NSA insiders earlier told the media that signs pointed to it being someone within the NSA.

Intel Agencies Obstruct Trump On Leaks – Reassign Analysts To Aleutians, Sudan, Yemen

By Rick Wells

It was one thing when the John Kerry State Department refused to provide Hillary Clinton emails while the enemy Democrats were in power or when DHS and DOJ were obstructionists in prosecutions, investigations or FOIA requests under Lynch, Comey and Jihadi Jeh Johnson. That was a little surprising at first but we soon learned as the Obama regime dragged on that it was not a government as much as it was a mechanism of social manipulation and perpetrator protection.

What is surprising is that the stonewalling and obstructionism is continuing under President Trump, with some of the denials directly impacting him in a negative manner. Most prominent and incredible are the revelations that the intelligence community is stonewalling the investigation into leaks of classified information to the “press” about Trump associates. In doing so the deep state operatives are not only telling the president to “stick it,” they’re telling members of Congress the same thing.

Fox News cites one unnamed source who sits on the House Intelligence Committee, likely a Republican, who said, “Our requests are simply not being answered. The agencies are not really helping at all and there is truly a massive web for us to try and wade through.”

The same story was told to them by a Senate Intelligence Committee member who said, “Any information that will help find the wide extent on the unmasking and surveillance is purposely not being provided.”

The NSA denied it was happening, saying, “Allegations that the National Security Agency is ‘withholding information’ from congressional intelligence committees investigating Russian interference in the 2016 election are categorically untrue.”

They added, “NSA fully supports the committees’ work. We have already made available significant information in response to their requests, and we look forward to continuing to work with them in the execution of their important responsibilities.” That sounds eerily like Clinton’s statements about the 33,000 email pages of spam that were held up as proof of their cooperation.

Surely President Trump can find a solution to this problem without too much effort. It would seem that within the web of think tanks and retired experts in DC there would be twenty people with top level security clearances, ten of which could be assigned as a special operations unit to the NSA and another ten to the CIA. They would need to be familiar with the capabilities and procedures so that they couldn’t be lied to about whether or not something could be done and the amount of time required.

Then President Trump could simply send them out as information posses, with instructions not to leave the facility where they went for the documents until those were in their possession. If they needed a military escort in order to secure their release, that would be pre-arranged with the Pentagon or whatever was the most appropriate military facility.

He’s the Commander-in-Chief, for crying out loud. How difficult can this be? If the recalcitrant analyst persisted, he could be escorted off the property, his access cards confiscated and a transfer to the Aleutian Islands or a similar “prime” duty station set up for the following day. There would be plenty of empty time in a hellhole like that to think about their attitude and what could be done to improve their willingness to work with others and follow instructions.

After one or two postcards home from the reassigned troublemakers, the rest of the malcontents would likely decide that it’s better to do their job than to freeze or get shot at on some misguided principle. As cold as DC is in the winter, it’s nothing like Alaska, the information would start flowing immediately. Maybe they need analysts in Libya, Yemen, or Somalia. The possibilities for motivational readjustment assignments are endless.