What Happens When Exploits Discovered by the Best of the Best Are Dumped Online

Rafia Shaikh
Criminals get their hands on sophisticated utilities and exploits

Malware attacks have reached a new high following the massive online dump of exploits allegedly developed by the cybersecurity experts at the NSA. What happens when exploits and malware built by the best in the industry are leaked into the wild or sold to criminals? The number of attacks rises sharply. Much of the security industry has a habit of blaming the victim, assuming somebody must have done something careless, but it is becoming increasingly difficult even for the most careful users to stay safe from constantly evolving malware.

Security experts at Kaspersky Lab said that Q2 2017 was game-changing for the industry following the publication of an archive of exploits and utilities supposedly developed by the NSA and other US special services. In just three months, Kaspersky alone blocked more than five million attempts to exploit the vulnerabilities dumped by the Shadow Brokers in their "Lost in Translation" archive, even though patches for the network exploits were already available.


In total, "Kaspersky Lab solutions detected and repelled 342,566,061 malicious attacks from online resources located in 191 countries all over the world."

Earlier this year, the Shadow Brokers dumped the archive online and later moved to a subscription model, selling further exploits only to those who paid the group. Although Microsoft had fixed several of the leaked vulnerabilities with the MS17-010 update a month before the dump, its online publication still had "horrendous consequences" despite that patch, according to Kaspersky.

"The damage from worms, Trojans and ransomware cryptors being distributed via the network with the help of EternalBlue and EternalRomance, as well as the number of users infected, is incalculable," the company wrote in its Q2 threat evolution report.

In the second quarter of 2017, Kaspersky Lab alone blocked more than five million attempted attacks involving network exploits from the archive, and the average number of attacks per day kept growing: 82% of all such attacks were detected in the last 30 days.

The landscape has visibly shifted in the past few months, as several high-profile ransomware and malware campaigns have used exploits from the Shadow Brokers dump. WannaCry and NotPetya (which Kaspersky calls ExPetr) both spread with EternalBlue, the SMB exploit allegedly developed by the National Security Agency and leaked by the Shadow Brokers.

The security lab also said that the use of "in-the-wild vulnerabilities" was more popular in the second quarter of 2017. "The appearance of several 0-day vulnerabilities for Microsoft Office resulted in a significant change in the pattern of exploits used," the security experts wrote.

And even though Microsoft had fixed the Office vulnerability in April, the number of attacks on Microsoft Office users increased "almost threefold, to 1.5 million", simply because users do not update their software on time.

"While suppliers patch vulnerabilities on a regular basis, many users don’t pay attention to this, which results in massive-scale attacks once the vulnerabilities are exposed to the broad cyber criminal community," Alexander Liskin, security expert at Kaspersky Lab wrote.

Security experts constantly advise users to keep their software up to date so that they are not compromised through vulnerabilities that have already been patched. That warning has never been more important.
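For a Windows administrator, the practical check that follows from this advice is whether a host still exposes the SMBv1 server that EternalBlue targets, and whether it has taken any updates since MS17-010 shipped in March 2017. The script below is an added example written for this page, not code from Kaspersky, Microsoft or the article's author; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-SmbServerConfiguration does not exist on Windows 7 / Server 2008 R2), and it filters installed updates by date rather than by KB number because the relevant KB numbers differ per Windows version. Disabling SMBv1 removes the attack surface but is not a substitute for installing MS17-010.

```powershell
# Added example (not from the article): report whether this Windows host still
# exposes the SMBv1 server that the leaked EternalBlue exploit targets, and
# optionally disable it. Run from an elevated PowerShell session.
# Assumes Windows 8 / Server 2012 or later for the Get-SmbServerConfiguration cmdlet.
param(
    [switch]$Disable   # pass -Disable to turn SMBv1 off; the default is report-only
)

# 1. Is the SMBv1 server protocol enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED on $env:COMPUTERNAME (EternalBlue attack surface present)."
    if ($Disable) {
        # Turns SMBv1 off for new server sessions; existing SMB1 clients will lose access.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server protocol disabled."
    }
} else {
    Write-Output "SMBv1 server is disabled on $env:COMPUTERNAME."
}

# 2. Are the SMBv1 feature binaries still installed? (Client SKUs expose this as an
#    optional feature; the call is silently skipped where the feature name does not exist.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Output "SMB1Protocol optional feature state: $($feature.State)"
}

# 3. Has the host taken any updates since MS17-010 was released (14 March 2017)?
#    An empty list means the box has not been patched since before the Shadow Brokers dump,
#    so it cannot have the MS17-010 fix. A non-empty list is necessary, not sufficient:
#    confirm the specific MS17-010 KB for this Windows version separately.
$since = [datetime]'2017-03-14'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $since } | Sort-Object InstalledOn
if (-not $recent) {
    Write-Warning "No updates installed since $($since.ToShortDateString()); MS17-010 cannot be present."
} else {
    Write-Output "Updates installed since $($since.ToShortDateString()):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
}
```

Run it once without arguments to audit, then with `-Disable` on hosts where nothing legitimately depends on SMBv1; for fleet-wide use, the same checks can be driven over `Invoke-Command` against a list of computer names.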
