Attackers are targeting high-value servers using a three of hacking tools from NSA arsenal, including DarkPulsar, that were leaked by the Shadow Brokers hacker group.
The hackers used the powerful cyber weapons to compromise systems used in aerospace, nuclear energy, R&D, and other industries.
According to experts from Kaspersky Lab, threat actors leverage NSA tools DarkPulsar, DanderSpritz and Fuzzbunch to infect Windows Server 2003 and 2008 systems in 50 organizations in Russia, Iran, and Egypt.
The infected vulnerable servers are used in some 50 organizations within industries including aerospace and nuclear energy, particularly those with large IT and R&D departments.
“DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims.” Kaspersky Lab experts Andrey Dolgushev, Dmitry Tarakanov, and Vasily Berdnikov wrote.
“Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc.”
DarkPulsar is a backdoor that could be used by attackers in conjunction with the Fuzzbunch exploit kit to gain remote access to the targeted server.
Once the backdoor is established the attackers could use the plugins of DanderSpritz to monitor and exfiltrate data from the compromised machines.
Each hacking tool supports a set of plugins designed for different tasks, the FuzzBunch plugins are used for reconnaissance and hacking the target system, DanderSpritz plugins are used for the management of already infected victims.
The discovery of the last wave of attacks is very important, it demonstrates that threat actors could chain nation-state hacking tools and exploit to create a powerful attack package. It shows how hackers combined the tool to carry out high sophisticated hacking operations.
“The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness,” Kaspersky Lab said.
“The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.”
The expert from Kaspersky also provided technical details and IoCs for the attacks leveraging the NSA tools.
It is important to remind that security patches are available for the vulnerabilities targeted by the leaked NSA exploits.
“The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools,” concludes the experts.
“Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims.”
(Security Affairs – NSA hacking tools, DarkPulsar)