Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves.
According to SenseCy’s analyst team, the Darknet hacking community is currently uploading tutorials, taken from security researchers, on how to utilize the exploits and the Equation Groups‘s self-developed framework, called Fuzzbunch.
For example, a moderator of one of the forums uploaded the entire leak (more than 6,000 files) to the private server of a closed forum called Kickass, for the use of the “community.”
On another popular closed Darknet forum, one of the members expressed his disappointment when he failed to install some of the tools:
With regard to the Russian underground, hackers shared the leaked information on various platforms, including explanations published by Russian-language blogs.
In particular, we identified a discussion dealing with the SMB exploit, where hackers expressed interest in its exploitation and shared instructions on how to do so.
On a different note, and in what seems to be a worrisome development, SenseCy researchers noted that cybercriminals are utilizing the MS17-010 vulnerability, which affects Windows-based machines and was utilized in the Equation Group attacks.
We are now seeing a trend that most likely will gain momentum in the following weeks, of infecting Windows servers with ransomware utilizing the leaked exploits.