NSA-linked hacking tools are being used by cybercriminals in efforts to remotely steal money and confidential information from online banking users, according to research conducted by cybersecurity firm Proofpoint.
Proofpoint researchers found two banking trojans circulating in the wild that incorporate code from the now-public exploit known as "EternalBlue", which targets the SMB vulnerability tracked as CVE-2017-0144.
EternalBlue, an exploit attributed to the NSA's intelligence-gathering operations, abuses a flaw in version 1 of Microsoft's Server Message Block (SMB) protocol. The flaw existed in every Windows version of the time; Microsoft fixed it in March 2017 with security bulletin MS17-010, so the systems still exposed are those that have not applied that update. Because SMB is reachable over the network by default (TCP port 445) and the exploit requires no credentials, an attacker who compromises one unpatched host can rapidly take over every other unpatched host on the same network.
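The propagation pattern just described leaves a recognisable footprint: one host opening SMB connections to many distinct peers in a short time. The script below is an added example written for this page, not tooling from Proofpoint or from the Retefe or TrickBot analyses; it assumes connection records reduced to the constructed form `epoch_seconds,src_ip,dst_ip,dst_port` (what a firewall log or Zeek `conn.log` export can be trimmed to) and flags sources that fan out on TCP/445 to many distinct hosts within a sliding window. The sample records, thresholds and IP addresses are all constructed for the illustration.

```python
"""Detect worm-like SMB fan-out in connection logs.

Added illustration for this page, not code from Proofpoint or the article.
It assumes connection records of the constructed form
"epoch_seconds,src_ip,dst_ip,dst_port" and flags any source that connects
on TCP/445 to many distinct hosts within a short window, the propagation
pattern an EternalBlue-based spreader shows on an internal network.
"""
from collections import defaultdict, deque

# Constructed sample records (not real traffic). Four behaviours:
#   10.0.0.5  hits ten distinct hosts on 445 in five seconds  -> spreader
#   10.0.0.7  talks to two file servers on 445                -> normal
#   10.0.0.8  hits eight distinct web servers on 80           -> wrong port
#   10.0.0.9  touches nine hosts on 445, one per hour         -> too slow
SAMPLE_LOG = """\
1505900000,10.0.0.5,10.0.0.21,445
1505900001,10.0.0.5,10.0.0.22,445
1505900001,10.0.0.5,10.0.0.23,445
1505900002,10.0.0.5,10.0.0.24,445
1505900002,10.0.0.5,10.0.0.25,445
1505900003,10.0.0.5,10.0.0.26,445
1505900004,10.0.0.5,10.0.0.27,445
1505900004,10.0.0.5,10.0.0.28,445
1505900005,10.0.0.5,10.0.0.29,445
1505900005,10.0.0.5,10.0.0.30,445
1505900010,10.0.0.7,10.0.0.9,445
1505900011,10.0.0.7,10.0.0.9,445
1505900012,10.0.0.7,10.0.0.12,445
1505900020,10.0.0.8,10.0.0.40,80
1505900021,10.0.0.8,10.0.0.41,80
1505900022,10.0.0.8,10.0.0.42,80
1505900023,10.0.0.8,10.0.0.43,80
1505900024,10.0.0.8,10.0.0.44,80
1505900025,10.0.0.8,10.0.0.45,80
1505900026,10.0.0.8,10.0.0.46,80
1505900027,10.0.0.8,10.0.0.47,80
1505903600,10.0.0.9,10.0.0.50,445
1505907200,10.0.0.9,10.0.0.51,445
1505910800,10.0.0.9,10.0.0.52,445
1505914400,10.0.0.9,10.0.0.53,445
1505918000,10.0.0.9,10.0.0.54,445
1505921600,10.0.0.9,10.0.0.55,445
1505925200,10.0.0.9,10.0.0.56,445
1505928800,10.0.0.9,10.0.0.57,445
1505932400,10.0.0.9,10.0.0.58,445
"""


def parse_records(text):
    """Parse the comma-separated records into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        records.append((int(ts), src, dst, int(dport)))
    records.sort(key=lambda r: r[0])  # the sliding window needs time order
    return records


def detect_smb_fanout(records, window=60, threshold=8, port=445):
    """Return {src: (first_ts, alert_ts, distinct_hosts)} for every source
    that reaches `threshold` distinct destinations on `port` within `window`
    seconds. Only the first crossing per source is reported."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    alerts = {}
    for ts, src, dst, dport in records:
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], ts, len(distinct))
    return alerts


if __name__ == "__main__":
    hits = detect_smb_fanout(parse_records(SAMPLE_LOG))
    for src, (first, last, n) in hits.items():
        print(f"ALERT {src}: {n} distinct SMB targets between {first} and {last}")
```

The window and threshold are the tuning knobs: a backup server or vulnerability scanner legitimately touches many hosts on 445, so in practice you would allow-list those sources or raise the threshold for them rather than lower it globally, and the slow host (10.0.0.9) shows why the window matters, since it is only flagged when the window is widened to ten hours.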
The two trojans, Retefe and TrickBot, are well-established banking malware families that have been distributed for months through email phishing campaigns aimed at both companies and individual users. Their latest versions incorporate EternalBlue, which lets an infection that arrived by phishing spread on its own to other unpatched machines on the victim's network.
The use of EternalBlue does not appear to be focused on any one industry or region, and Proofpoint found no common theme in the targeting of attacks that leverage it. Beyond financial fraud, attackers have also put the exploit to disruptive and destructive ends, most visibly in WannaCry, which propagated via EternalBlue.
In the past, EternalBlue has been used in tandem with ransomware to extort money from businesses. It is not entirely clear who is behind Retefe or TrickBot, although a relatively small group is thought to be responsible for spreading Retefe.
The EternalBlue exploit first became publicly known, and usable by anyone, in April 2017, when the group calling itself The Shadow Brokers published a cache of NSA exploit tools that included working exploit code.