At 4/15/17 01:10 AM, PrettyMuchBryce wrote:
Would you mind TLDRing us about these leaks that have been happening over the past couple of months? This is the third leak of these tools, if I am correct? What is in them, and why is this important?
Sure! There should only be two dumps currently, unless I somehow missed one(?) (unless you're talking about the CIA leak and not the NSA leak, in which case by far the most interesting thing is the absolute genius of their phishing campaign)
Either way, my Feedly notifs have been exploding because I follow the CVE database. Between those, the files I now have, and speculation across the internet, I can safely say that these are quite serious...
...if you run Windows versions 8 or lower. Seriously. Literally none of this current batch can run on 8.1 or 10, and all exploits are aimed at Windows systems.
The last dump was full of C and C++ code you built yourself in Linux and then ran against whoever you wanted. The exploits themselves targeted mostly business-class firewalls and routers, but there's some smaller home-level stuff. An interesting note is that the targeted systems run in the U.S., China, and Russia, in order of the number of exploits given for each. Everything there was some pretty serious shit, with codename EGREGIOUSBLUNDER topping everything else. EPICBANANA is a close second in level of threat, but takes the cake on the naming front.
Been having fun with the latest dump; most of it is GUI-based and can easily be run in Windows. Also interesting to note that everything can easily be decompiled or viewed simply with Notepad. They comment well and make things very easy to find and change.
There are three top-level folders:
OddJob, Swift, and a folder called simply "windows"
ODDJOB is an interesting fellow. It offers a payload and a GUI builder (.hta extension) and looks like this and this. From the user manual (yeah, they have one. And it's actually fucking hilarious to read.) it looks like a C&C server with payload and exploit building that runs on IIS7, i.e. this is how they set up the blackhole boxes that they stage their ops from.
Speaking of IIS, one of the fun exploits targets IIS6 and simply creates a backdoor on the system. Fun! Locked to Windows Server 2003, sadly :(
The "windows" folder is a bit odd as well. It looks like it's basically one giant framework called FUZZBUNCH. Think the NSA's version of Metasploit, specifically built for 0-days. And guess what? It uses a .jar file to run and Python as its backing. I shit ye not. So, this shit's scary, and I haven't been able to get it to run in the 10 minutes I've been playing with it (I'm missing a required D: drive for logs, but I'll fix that and have a play around tomorrow). Looks like this when you get it working, though. Yeah, alright, that's some scary shit.
Finally, the one everybody's been freaking out about. "Swift" is an odd folder in the sense that there's no nice GUI, or even a file to run at all, really. There's a ton of documents on some pretty weird stuff which other people are picking apart and which I didn't care a whole lot about. The interesting bit (for me, at least) is the .sql files in it, which are apparently scripts for scraping known fields of interest in the databases. Honestly, it's not much to look at from a hacking perspective, but it's great news fodder.
Edit: In short, this dump looks like it targets specifically Windows server infrastructure, but some of the tools inside can definitely be used against normal machines.
The scary part, for me, isn't that the exploits exist; it's that they exist and now literally everyone in the world has free access to them, and they haven't been patched or even looked at closely enough to tell what they are yet. THAT is scary.
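Before running anything out of a dump like the one described above, the first practical step is to inventory it: hash every file, note which top-level folder it sits in, and separate plain-text material (the .hta, .sql and Python pieces the post says can be read in Notepad) from archives and native binaries. The script below is an added example written for this page; it is not code from the post or from the dump, and the sample files it builds are constructed stand-ins that only borrow the three folder names mentioned above (the file names, contents and the `inventory`/`guess_type` helpers are assumptions of the example).

```python
"""Triage inventory for a directory of leaked tooling (added example, not part of
the post or of the dump). Walks a tree, groups files by top-level folder, records
size, SHA-256 and a type guess from magic bytes and extension. Sample files are
constructed inline so the script runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path

# Standard magic-byte signatures used for the type guess (not taken from the dump).
MAGIC = [
    (b"PK\x03\x04", "zip/jar"),   # .jar files are ZIP containers
    (b"MZ", "pe-executable"),     # Windows EXE/DLL
    (b"\x7fELF", "elf"),          # Linux native binaries
]
TEXT_EXT = {".hta", ".sql", ".py", ".txt", ".xml", ".c", ".cpp", ".h"}


def sha256_file(path: Path) -> str:
    """Hash the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_probably_text(head: bytes) -> bool:
    """True if every sampled byte is printable ASCII or common whitespace."""
    if not head:
        return True
    return all(32 <= b < 127 or b in b"\r\n\t" for b in head)


def guess_type(path: Path) -> str:
    """Magic bytes win over extension; fall back to a printable-byte heuristic."""
    with path.open("rb") as f:
        head = f.read(512)
    for sig, label in MAGIC:
        if head.startswith(sig):
            return label
    if path.suffix.lower() in TEXT_EXT and is_probably_text(head):
        return "text"
    return "text" if is_probably_text(head) else "binary"


def inventory(root: Path) -> dict:
    """Return {top_level_folder: [record, ...]} for every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            rel = p.relative_to(root)
            top = rel.parts[0] if len(rel.parts) > 1 else "(root)"
            result.setdefault(top, []).append({
                "path": str(rel).replace(os.sep, "/"),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
                "type": guess_type(p),
            })
    return result


def build_sample_dump() -> Path:
    """Constructed sample layout; file names and contents are invented for the example."""
    root = Path(tempfile.mkdtemp(prefix="dump_"))
    samples = {
        "OddJob/builder.hta": b"<html><script>// builder stub</script></html>",
        "windows/fb.jar": b"PK\x03\x04" + b"\x00" * 28,
        "windows/fb.py": b"print('framework loader')\n",
        "Swift/query.sql": b"SELECT * FROM accounts;\n",
        "Swift/blob.bin": bytes(range(256)),
    }
    for rel, data in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    inv = inventory(build_sample_dump())
    for folder, records in inv.items():
        print(folder)
        for r in records:
            print(f"  {r['path']:<22} {r['type']:<14} {r['size']:>6} {r['sha256'][:16]}")
```

Point `inventory()` at the real extraction directory instead of `build_sample_dump()` to get a hash list you can diff against later copies of the dump and feed to your scanners; the type column tells you which files are safe to open in an editor and which are archives or executables that belong in an isolated VM.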