CRITICAL: NSA tools leaked, now being weaponized and used

The quick version:

You may or may not have heard the news: a group calling themselves “The Shadow Brokers” has released an archive of exploits purportedly used by the NSA’s TAO (Tailored Access Group) from 2013. These exploits target all versions of Windows up to Windows 8, and Windows Server 2008 R2 currently, though it is likely that Windows 10 and Windows Server 2012+ are also vulnerable. The level of compromise possible with the released code and the relative ease of deployment, combined with the potential harm to protected systems are the reason we feel the need to explain the problem, warn you of the potential and provide some suggestions about how you may protect your vulnerable assets.

Microsoft has released a patch, as of a month ago under the MS17-010 Bulletin, which addresses many but not all of the more serious vulnerabilities revealed in the archive. If you haven’t applied this patch to all Windows computers, or are not sure, quit reading this and go patch now. The rest can wait. This is that important.

“Okay, we’re patched. What was all the fuss about?”

Let start with the Shadow Brokers. Last August, this person or group posted exploits to Github targeting Linux systems. The Shadow Brokers stated they had stolen these tools from the NSA’s “Tailored Access Operations” group, which we know through the Snowden leaks to be the NSA’s Red Team operations, the group which oversees compromising computer networks, aka CNE (Computer Network Exploitation.) The Shadow Brokers used this initial dump as proof that their content was real, and asked for bids on the rest of the package promising Windows 0-day (vulnerabilities with no existing patches at time of release) exploits were included.

Again in October, January, and April 8th, they posted additional exploits though they were mostly older exploits and less interesting from a larger security impact. The Shadow Brokers maintained, however, that they had in their possession 0-day exploits for Microsoft Windows systems, and continued to ask for payment.

More about the Shadow Brokers and their history:

https://adamcaudill.com/2017/04/14/shadow-brokers-equation-group/

On April 14th, the Friday before Easter weekend, the Shadow Brokers released their largest and most significant dump yet. Initial reports suggested that this data dump included 0-day exploits targeting Windows 8 and earlier, and Windows Server 2008 R2 and earlier. Further research revealed that in fact Microsoft HAD patched the vulnerabilities in MS17-010, released exactly one month prior on March 14th. Included in this latest dump are multiple exploits for Microsoft SMB (the underlying file sharing protocol for Windows), Lotus Notes, and a smattering of Linux, Unix, Solaris, and RedHat exploits. Additionally, tools for encoding these exploits were included for bypassing antivirus signatures as well as command and control (C2) tools.

I can say without hyperbole that the full package gives any script kiddy nation-state level tools for compromising Windows domains. This is point and click hacking for the masses.

“How bad is it?”

This is the largest single dump of exploits the industry has ever seen. Combined with all the tools to encode the payload, and C2 to control the victims, we’re looking at very simple, extremely effective, and highly dangerous tools in the hands of anyone. Most of our clients know to block SMB at the firewall, though it’s not entirely unprecendented. Tools like Shodan.io will allow potential attackers to find all available targets on the internet and exploit them with this toolset. As for systems inside of a firewall, If it hasn’t happened already, those systems left unpatched WILL be compromised.

“What can we do?”

Patch. Patch now. Block ports 445 and 139 at the firewall. Then, disable SMBv1 network wide as a precautionary measure.

If you are a Critical Informatics Critical Insight customer, you should know that Critical Informatics is already monitoring networks for specific indicators related to these tools through our Critical Insight product. Our analysts have been working through the weekend since this archive was released, discovering the methods and indicators used in these toolsets. Rest assured, if we see any sign that one of the released exploits are active on any monitored network, we will keep your phone ringing and email pinging until it’s been neutralized.

More reading:

An initial analysis by TrustedSec:

https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/

In-depth by Ars Technica:

https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

Microsoft denies being alerted by the NSA about the Shadow Brokers stolen exploits:

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

In Microsoft’s own words:

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

Cisco ASA’s also affected:

https://communities.cisco.com/community/technology/security/ngfw-firewalls/blog/2017/04/14/equation-group-exploit-hits-newer-cisco-asa-juniper-netscreen

Table of Exploits leaked:

https://twitter.com/etlow/status/853439288926777344

Jeremy Johnson
Jeremy Johnson
Offensive cybersecurity specialist and author of the blog: https://bneg.io/