Shadow Brokers: The release of Microsoft-based exploits

The Shadow Brokers first came to prominence in August 2016, when the group claimed to have stolen a collection of cyber weapons from the Equation Group; it has been releasing that collection in batches ever since. The Equation Group has been linked to the NSA, and by extension the stolen tools to the US intelligence agencies' cyber weapon cache.

Having initially attempted, in August 2016, to auction off the cyber weapon cache for 1 million bitcoins (£301,778,739 at the time), the group lowered the price to 10,000 bitcoins (£6,612,941) in January 2017, in an attempt to crowdsource the funds required to release the cache to the public. Neither price was met, and on the 14th April 2017 the group released part of the cache to the public.

Once several exploits, along with the framework used to launch them, were released, interest in the Shadow Brokers group was renewed. The malware and hacking tools released so far are primarily targeted at Microsoft products, although several other platforms (Solaris, Samba, IBM Lotus Domino and a number of mail servers; see Table 1) are also affected. Relief from the Windows SMB exploits came in the form of Microsoft's March 2017 security update (MS17-010), but this relief is limited in practice: estimates as of 25th April put approximately 183,000 internet-connected SMB hosts as still vulnerable, with the figures increasing daily. The most prolific of the cyber weapons dumped by the Shadow Brokers in April 2017 are:

  • Fuzzbunch: The NSA's own "Metasploit"-style platform, used to configure and launch a diverse range of exploits and implants with a variety of different purposes. At the moment the released exploits focus on Microsoft Windows systems.
  • Eternalblue: An SMBv1 exploit for Microsoft Windows 7 and Server 2008 (among other versions) that gives remote code execution without requiring any authentication. Such an exploit is used as one phase of a sustained cyber-attack, to gain an initial foothold on a system, with the goal of exploiting further vulnerabilities to gain additional privileges and access to more sensitive information. Once the exploit succeeds, the Doublepulsar implant can be loaded into the victim's kernel and further payloads delivered through it. This exploit was addressed by Microsoft security patch MS17-010.
  • EternalRomance: An SMBv1 exploit, classified by the framework as Remote Privilege Escalation, targeting Microsoft Windows XP and Server 2008 (among other versions) over TCP port 445 (SMB directly over TCP) and TCP port 139 (SMB over the NetBIOS session service). This exploit was addressed by Microsoft security patch MS17-010.
  • Doublepulsar: Not an exploit but a kernel-mode implant (backdoor) that Eternalblue and the other SMB exploits install on a victim. It provides a covert command channel over the same SMB port and allows the operator to inject a malicious DLL into a process on the victim. The implant lives in memory only and does not survive a reboot, so any lasting persistence has to come from what is injected through it. Such a channel can be used to achieve objectives such as data exfiltration and launching remote commands.
  • EternalSynergy: An SMBv1 exploit facilitating remote code execution on a victim system, with the purpose of activities such as data exfiltration. The framework lists it against a wide variety of Windows systems, such as Windows Vista, 7, 8, 8.1 and 10 and Server 2008, 2012 and 2016. This exploit was addressed by Microsoft security patch MS17-010.
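
The two checks a responder wants after reading the above are whether a host is already implanted with Doublepulsar and whether MS17-010 has actually been applied. The following is an added example, not code from the original article or from any of the leaked tools; the SMB1 header layout is the standard CIFS header, the reply values are the ones public scanners key on (an implanted host answers the Trans2 SESSION_SETUP "ping" sent with Multiplex ID 0x41 by returning MID 0x51, as the SANS diary in the references describes, and an unpatched host answers a PeekNamedPipe transaction on FID 0 with STATUS_INSUFF_SERVER_RESOURCES), and the sample replies, host names and helper names are constructed for illustration. It classifies captured replies offline rather than talking to the network.

```python
"""Offline classifiers for two SMB1 replies relevant to the April 2017 dump.

Added example, not code from the article or from the leaked tools. The
header layout is the standard SMB1 (CIFS) header; the sample replies below
are constructed, not captured from real hosts.
"""
import struct

NB_SESSION_MESSAGE = 0x00
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25      # used by the MS17-010 PeekNamedPipe probe
SMB_COM_TRANSACTION2 = 0x32     # Doublepulsar hijacks Trans2 SESSION_SETUP
SMB_HEADER_FMT = "<BIBHH8sHHHHH"  # fields after the 4-byte magic
SMB_HEADER_LEN = 32

# NT status codes seen in the MS17-010 probe reply
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched host
STATUS_ACCESS_DENIED = 0xC0000022            # patched host
STATUS_INVALID_HANDLE = 0xC0000008           # patched host

# Multiplex ID in the reply to the Doublepulsar ping (request sent with MID 0x41)
MID_PING_REQUEST = 0x41   # a clean host echoes the request MID back
MID_DOUBLEPULSAR = 0x51   # an implanted host answers with 0x51 (81)


def parse_smb_header(raw: bytes):
    """Parse the NetBIOS session header plus the SMB1 header; None if not SMB1."""
    if len(raw) < 4 + SMB_HEADER_LEN or raw[0] != NB_SESSION_MESSAGE:
        return None
    nb_len = int.from_bytes(raw[1:4], "big")
    smb = raw[4:]
    if smb[:4] != SMB_MAGIC or len(smb) < SMB_HEADER_LEN:
        return None
    (command, status, flags, flags2, pid_high, signature, _reserved,
     tid, pid_low, uid, mid) = struct.unpack(SMB_HEADER_FMT, smb[4:SMB_HEADER_LEN])
    return {
        "command": command, "status": status,
        "is_reply": bool(flags & 0x80), "flags2": flags2,
        "signature": signature, "tid": tid, "uid": uid,
        "pid": (pid_high << 16) | pid_low, "mid": mid,
        "nb_len": nb_len, "body": smb[SMB_HEADER_LEN:],
    }


def classify_doublepulsar_ping(raw: bytes) -> str:
    """'infected', 'clean' or 'unknown' for the reply to the Trans2 ping."""
    hdr = parse_smb_header(raw)
    if hdr is None or not hdr["is_reply"] or hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"
    if hdr["mid"] == MID_DOUBLEPULSAR:
        return "infected"
    if hdr["mid"] == MID_PING_REQUEST:
        return "clean"
    return "unknown"


def classify_ms17_010_probe(raw: bytes) -> str:
    """'vulnerable', 'patched' or 'unknown' for the reply to PeekNamedPipe on FID 0."""
    hdr = parse_smb_header(raw)
    if hdr is None or not hdr["is_reply"] or hdr["command"] != SMB_COM_TRANSACTION:
        return "unknown"
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if hdr["status"] in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "patched"
    return "unknown"


def make_smb_reply(command: int, status: int, mid: int,
                   tid: int = 0x0800, uid: int = 0x0800, pid: int = 0xFEFF) -> bytes:
    """Constructed sample reply with an empty body (flags: reply, canonical paths)."""
    smb = SMB_MAGIC + struct.pack(SMB_HEADER_FMT, command, status, 0x98, 0xC807,
                                  pid >> 16, b"\x00" * 8, 0, tid, pid & 0xFFFF, uid, mid)
    return bytes([NB_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


# Constructed samples (not real captures)
SAMPLE_PING_INFECTED = make_smb_reply(SMB_COM_TRANSACTION2, 0, MID_DOUBLEPULSAR)
SAMPLE_PING_CLEAN = make_smb_reply(SMB_COM_TRANSACTION2, 0, MID_PING_REQUEST)
SAMPLE_PROBE_UNPATCHED = make_smb_reply(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES, 0x40)
SAMPLE_PROBE_PATCHED = make_smb_reply(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED, 0x40)


def triage(replies):
    """Summarise a batch of (host, ping_reply, probe_reply) tuples per host."""
    return {host: {"doublepulsar": classify_doublepulsar_ping(ping),
                   "ms17_010": classify_ms17_010_probe(probe)}
            for host, ping, probe in replies}


if __name__ == "__main__":
    # Hypothetical hosts; the replies are the constructed samples above.
    batch = [("10.0.0.5", SAMPLE_PING_INFECTED, SAMPLE_PROBE_UNPATCHED),
             ("10.0.0.6", SAMPLE_PING_CLEAN, SAMPLE_PROBE_PATCHED)]
    for host, verdict in triage(batch).items():
        print(host, verdict)
```

Both checks assume the probes were sent after a null session and a tree connect to IPC$, and the Doublepulsar verdict only holds if the ping was sent with MID 0x41; anything that is not an SMB1 reply to the expected command is reported as unknown rather than guessed, which is the right failure mode when a scan crosses an SMBv2-only or non-Windows host.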

These are only a few of the exploits released by the Shadow Brokers group, and such exploits have the potential to cause critical-level damage to vulnerable Microsoft systems. A full list of the exploits that have been released can be found in the table below.

Ultimately, what should be taken away from the release of these exploits is to expect more to be released at a later date, and to ensure that any systems you currently oversee are properly patched (MS17-010 for the SMB exploits above) so that successful use of such exploits against them is prevented.

Tool Name         | Exploit Type                                              | Target Software                                                     | Relevant patch
Earlyshovel       | Exploit                                                   | Sendmail 8.11.x on Red Hat Linux 7.0                                | Not listed
Easybee           | Remote exploit                                            | MDaemon email server 9.x to 13.0                                    | Alt-N EasyBee exploit notice patch of 19th April 2017 (versions 12.0, 12.5 and 13.0 only)
Easypi            | IBM Lotus Notes exploit, used to establish command and control | IBM Lotus Domino server                                        | Not listed
Ebbisland         | Root remote code execution exploit                        | Solaris 6, 7, 8, 9, 10 and 11                                       | Oracle April 2017 Critical Patch Update (Solaris 10 and 11 only)
Echowrecker       | Remote exploit                                            | Samba 3.0.x on Linux                                                | Not listed
Eclipsedwing      | Remote code execution exploit (Server service)            | Windows 2000 through Windows Server 2003 SP2; Windows XP and Vista  | MS08-067
Educatedscholar   | Exploit (SMBv2)                                           | Windows Vista and Windows Server 2008                               | MS09-050
Emeraldthread     | Remote code injection exploit (print spooler)             | Windows Server 2000, 2003 and 2008; Windows XP and 7                | MS10-061
Emphasismine      | Remote IMAP exploit                                       | IBM Lotus Domino 6.5.4 to 8.5.2                                     | Not listed
Englishmandentist | Remote code injection exploit                             | Microsoft Exchange (Outlook Web Access) clients                     | Not affected from Exchange 2010 onwards
Epichero          | Remote code execution exploit                             | Avaya Media Server                                                  | Not listed
Erraticgopher     | Exploit (RPC)                                             | Windows XP and Server 2003                                          | Addressed prior to the release of Windows Vista
Eskimoroll        | Elevation of privilege exploit (Kerberos)                 | Windows Server 2003 and 2008; Windows Vista, 7, 8 and 8.1           | MS14-068
Esteemaudit       | Remote Desktop exploit abusing smart card authentication  | Windows Server 2003 and XP                                          | Not affected from Windows 7 onwards
Eternalchampion   | Exploit (SMBv1)                                           | Windows Vista, 7, 8.1 and 10; Windows Server 2008 to 2016           | MS17-010
Etre              | Exploit                                                   | IMail 8.10 to 8.22                                                  | Not listed
Ewokfrenzy        | Exploit                                                   | IBM Lotus Domino 6 and 7                                            | Not listed
Explodingcan      | Exploit (WebDAV)                                          | Microsoft IIS 6.0                                                   | Not affected from IIS 7 onwards
Zippybeer         | Exploit (SMB, authenticated)                              | Microsoft domain controllers                                        | Possibly patched in 2014, not confirmed
Oddjob            | Implant builder and command and control server            | Microsoft Windows Server 2000 and later                             | N/A

Table 1: A list of the released exploits, the exploit type, the software being targeted and the patch fixing the vulnerability (where applicable).

References

http://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers

https://www.virtualizationpractice.com/heard-shadow-brokers-tools-dump-40065/

http://www.informationsecuritybuzz.com/articles/chinese-russian-cyber-communities-dig-malware-april-shadow-brokers-release/

https://community.rapid7.com/community/infosec/blog/2017/04/18/the-shadow-brokers-leaked-exploits-faq

https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/

https://blog.qualys.com/securitylabs/2017/04/15/the-shadow-brokers-release-zero-day-exploit-tools

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://www.dearbytes.com/blog/playing-around-with-nsa-hacking-tools/

https://www.exploit-db.com/docs/41896.pdf

https://www.theregister.co.uk/2017/04/10/shadow_brokers_open_sources_hacker_trove/

https://www.myhackerhouse.com/easter-egg-hunt_greetz/

https://www.theregister.co.uk/2016/08/15/shadow_broker_hackers_auctions_nsa_spy_tools/

https://www.theregister.co.uk/2017/01/12/shadow_brokers_retire/

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

http://www.altn.com/Support/#EasyBeeExploitNotice

https://technet.microsoft.com/en-us/library/security/ms09-050.aspx

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

http://securityaffairs.co/wordpress/58025/hacking/shadow-brokers-windows-exploits.html

https://hackmd.io/s/r1gLMUUpx

https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-files-revealing-windows-exploits-swift-attacks/