Data analysis of the Shadow Brokers leak

The purpose of this blogpost is to drill down a first analysis of the data provided by The Shadow Brokers Friday, April 14th 2017, and to highlight the level of potential threat towards every user. Data, which are now publicly available consist, amongst other information, of a complete portfolio of attack tools and exploits, supposedly belonging to NSA hacking team.

Data available are spread out in the following categories :
- Advanced attack tools, and in particular a complete penetration testing framework;
- Exploits codes related to patched and unpatched vulnerabilities, mostly on Microsoft products, but also Unix world, IBM, Oracle, Alt-N, and so on ;
- Information and attack techniques focusing on SWIFT interbank system, with explicit proofs of targets sensitive information.

Other blogposts will be published to go deeper in each category.

The Shadow Brokers team, who previously leaked hacking tools and exploits from the NSA, just strikes again Friday, April 14th 2017 by publishing new archives full of attack tools and advanced exploits (however only binaries files are available, no source codes provided). These exploits have very specific code names and target multiple services like Microsoft IIS Web servers, Microsoft SMB file sharing service, IBM Lotus Domino mail server, IMail and Alt-N Mdaemon, and so on; here is a preview :
 

EASYBEE : MDaemon exploit;
ETRE : IMail 8.10 to 8.22 exploit;
EASYPI : IBM Lotus Domino exploit;
EWOKFRENZY : IBM Lotus Domino 6.5.4 to 7.0.2 exploit;
EMPHASISMINE : IMAP exploit for Lotus Domino ;
ENGLISHMANSDENTIST : use Outlook Exchange Web Access rules to trigger on client side;
EXPLODINGCAN : IIS 6.0 exploit which seems to be linked with PROPFIND exploit, recently published ;
ETERNALROMANCE : SMBv1 exploit for Windows XP, 2003, Vista , 7 Windows 8, 2008 and 2008 R2, which allows to get SYSTEM privileges;
EDUCATEDSCHOLAR : SMB exploit;
EMERALDTHREAD : SMB exploit for Windows XP and 2003 ;
ERRATICGOPHER : SMBv1 exploit for Windows XP and 2003 ;
ETERNALSYNERGY : remote code execution exploit through SMBv3 for Windows 8 and 2012 ;
ETERNALBLUE : SMBv2 exploit;
ESKIMOROLL : Kerberos exploit for Windows 2000,, 2003, 2008 and 2008 R2 ;
ESTEEMAUDIT : RDP exploit for Windows 2003 ;
ECLIPSEDWING : RCE on Windows 2008 server service ;
FUZZBUNCH : exploitation framework ;
DOUBLEPULSAR : RING0 injection of a backdoor in memory ;
GROK : keylogger ;
ODDJOB : allows to setup an implant and a C&C server.
 

PASSFREELY : utility to bypass Oracle servers authentication;
SMBTOUCH : allows to check if the target is vulnerable to ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE exploits ;
ERRATICGOPHERTOUCH : to verify if the target has RPC services available ;
IISTOUCH : to check if IIS remote server is vulnerable (may be linked to EXPLODINGCAN exploit ) ;
RPCOUTCH : to check some specific information related to RPC service ;
DOPU : to connect to targets infected with ETERNALCHAMPIONS exploit.

The following table shows part of the different exploits, their targets, versions and related exploitation systems :

Source : https://twitter.com/etlow/status/853439288926777344

It is quite interesting to notice that those tools were put on the market some months ago by The Shadow Brokers with prices from one to hundreds of bitcoins (650 BTC for FUZZBUNCH framework) :


With this leak being now public, multiple security researchers - including Digital Security CERT-UBIK team - have been able to test those tools and exploits which are fully operational on recent unpatched exploitation systems (Windows 7/8, Windows Server 2008 and 2008 R2, Windows 2012). Please have a look at our post about FuzzBunch and DanderSpritz tools.

Even if an official communication from Microsoft about the leak underlines the fact that there is a security patch for vulnerabilities used by the tools (only for supported products), a lot of Internet facing servers are still vulnerable at the time of writing and may easy target in the coming days.
Furthermore, one can question the fact that an important number of leaked vulnerabilities have been patched by an update published ... last month (March 2017), which means the software company have been somehow informed about the upcoming leak, and that even though a lot of systems are not updated yet.

With these multiple exploits available, Internet facing servers could be compromised very rapidly. And if we add classical issues with network partitioning, attackers may also easily spread inside companies information systems. These exploits and tools now publicly available could also be used by cybercrime teams, for example to increase their use of ransomwares attacks on customer networks. Following a successful phishing campaign, lateral moves inside an enterprise networks could lead to a full company freeze. Some leaked exploits codes are focusing on remote administration services, which may increase automatization of such infections from the Internet.

It is important to notice that Microsoft solutions are not the only ones targeted by this leak. Indeed, multiple exploits like ExtremeParr and Ebbisland target Solaris x86/SPARC systems and allow respectively a privilege escalation, and root remote code execution. A lot of other exploits targeting other vendors are still to be analyzed.

Question everyone has to ask himself is “how me and my company are concerned by this event, what are the potential impacts and how to protect me?”.

A lot of exploits target Microsoft services installed by default and always deployed in most companies. This make is very clear how important it is to urgently update company servers and workstations. First step is to check external visibility of the servers to assess correctives measures as soon as possible. Secondly, each and every internal most critical servers must be updated and patched (Active Directory servers, files servers, mail servers, and so on.) as well as workstation. Finally, servers which may not be updated easily or rapidly, best way to handle the situation is to apply strict network filtering rules, log everything and partition the networks to minimize the risks.

Regarding exploitation systems not supported anymore by Microsoft (2000, 2003, XP, Vista), a quick migration process should be planed or they should be partitioned because they will not receive any update anymore and they are still vulnerable to revealed attacks and exploits. Presence of such servers on the network has to be considered as a true danger to handle, danger which could become as big as Blaster worm.