Update – April 15, 2017

Microsoft has evaluated the exploits released by the Shadow Brokers and confirmed that the exploits previously through to be “zero-days” were patched last month with the release of MS17- 010. Kudelski Security highly recommends that clients apply the patches included in MS17-010 as soon as possible to ensure they are protected. Below is a table of exploit codenames and how Microsoft addressed these issues:

• “EternalBlue” Addressed by MS17-010
• “EmeraldThread” Addressed by MS10-061
• “EternalChampion” Addressed by CVE-2017-0146 & CVE-2017-0147
• “ErraticGopher” Addressed prior to the release of Windows Vista
• “EsikmoRoll” Addressed by MS14-068
• “EternalRomance” Addressed by MS17-010
• “EducatedScholar” Addressed by MS09-050
• “EternalSynergy” Addressed by MS17-010
• “EclipsedWing” Addressed by MS08-067

Customers running out of support software such as Microsoft Windows XP and Microsoft Windows Server 2003 remain vulnerable as software updates and security patches are no longer provided for these operating systems. Kudelski Security recommends that clients update to supported versions of the Microsoft Windows operating system as quickly as possible.

Summary

A group called the Shadow Brokers has released a large number of Equation Group exploits, tools, and code that target the Windows platform. Security researches have verified that the release includes a hacking framework called FuzzBunch meant to make it easy for the Equation Group to quickly exploit Windows systems. The FuzzBunch hacking framework includes the ability to identify vulnerable targets, exploit them, and deploy a tool called Doublepulsar meant to provide post-exploration capabilities.

The release includes several Microsoft Windows zero-days verified to work on all Windows versions (up to Windows 8 and Windows Server 2012). The public release of the FuzzBunch framework provides attackers a highly functional and simple toolkit explicitly developed to exploit several Zero-Day vulnerabilities on a wide range of Windows systems.

Additionally, the release includes operational information about the Equation Groups operations against several Middle Eastern banking organization and SWIFT service bureaus.

Additional Details on the FuzzBunch Framework

The FuzzBunch framework is an Equation Group developed framework similar to the open source MetaSploit framework. The FuzzBunch framework includes the ability to fingerprint a system to check if it is vulnerable to any of the available exploits (many of them being zero-days). Once a vulnerable system is identified, the FuzzBunch framework makes suggestions about appropriate exploits which can be launched against the system to gain remote code execution. Once the target system has been successfully exploited, the framework will deploy a tool called “Doublepulsar” meant to be used for post-exploitation activities.

The exploits included in the FuzzBunch framework, now available to anyone, are remotely triggerable, reliable, and effective. Thus far researchers have identified zero-day exploits that take advantage of flaws in Windows versions from Windows XP to Windows Server 2012. The vulnerabilities include SMB, NetBIOS, RDP, and Terminal Services remote exploits.

Additional Details on Exploits and Vulnerabilities Identified so Far

The exploits and hacking tools examined thus far have revealed the presence of several vulnerabilities in the Microsoft Windows Operating Systems (Windows XP – Windows Server 2012, including Windows 8), Microsoft Internet Information Services Servers (6.0 and 7.0), and several Lotus Notes vulnerabilities.

• ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
• ENTERNALCHAMPION, ETERNALSYSTEM — Remote exploit up to Windows 8 and 2012
• ETERNALBLUE — Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
• EXPLODINGCAN — Remote IIS 6.0 exploit for Windows 2003
• EWORKFRENZY — Lotus Domino 6.5.4 and 7.0.2 exploit
• ETERNALSYNERGY — Windows 8 and Windows Server 2012

At time of release, most had a 0% detection rate on VirusTotal. However, endpoint security product vendors have begun updating their software to detect these tools.

Equation Group Post Exploitation and Windows Implants (ODDJOB)

ODDJOB appears to be both a specially crafted Command and Control (C&C) system as well as implants for the Microsoft Windows operating system. The implant can remotely collect information from targeted systems by instructing systems to “beacon” out to “Listening Posts” (C&C servers).

ODDJOB disguises its implants and its network traffic as legitimate Windows updates. It transfers data outbound by making requests to what look like legitimate Windows Update “cab” files.

Security researches are currently working on identifying ways to detect ODDJOB implants via network detection and endpoint security solutions.

Middle Eastern Banking and SWIFT Institutions Targeted

The release also included information, tools, and code leveraged by the Equation Group to hack Middle Eastern banking institutions and at least one SWIFT Service Bureau. In addition to information on hacking operations that were active in 2013, the release also includes reusable tools meant to extract the information from Oracle databases such as a list of database users and SWIFT message queries.

SWIFT has acknowledged the allegations of unauthorized access to SWIFT service bureaus. SWIFT has said that they have no evidence of unauthorized access to their network or systems. SWIFT has recommended that banking and SWIFT organizations remain vigilant.

Mitigation and Response

Microsoft has stated that they are actively reviewing the reports and will take the necessary actions to protect Microsoft customers. For now, most of the Windows exploits included in this release remain unpatched. This means that most Windows versions are vulnerable to highly reliable and effective remote code execution exploits. Microsoft has confirmed that it has patched most of the exploits previously believed to be zero-days with the release MS17-010. Kudelski Security highly recommends apply these patches as soon as possible.

Kudelski Security recommends that customers disable SMB V1 on all systems and blocking all versions of SMB at the network boundary. Clients may also consider the possibility of disabling SMB on Windows servers temporarily (except Domain Controllers). However, Windows relies heavily on the usage of SMB and NetBIOS to perform several key tasks, thus Kudelski Security recommends that clients review the potential impact of disabling SMB before taking these actions. More information from Microsoft on how to disable SMB and the potential impact is available here:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Kudelski Security remains vigilant and will provide additional information on patches from Microsoft and other vendors as soon they become available.

The Kudelski Security Cyber Fusion Center will ensure all managed and monitored security devices are updated with detection signatures and methodology to detect the uses of FuzzBunch framework, ODDJOB implants, or of the specific exploits revealed with this release as soon as they become available.

Sources

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

https://www.apnews.com/7100004c2d7e4cc28b7e6b7d4e40f812/Microsoft-says-users-areprotected-from-alleged-NSA-malware

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-files-revealing-windows-exploits-swift-attacks/

https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

https://www.wired.com/2017/04/major-leak-suggests-nsa-deep-middle-east-banking-system/

Kudelski Security Cyber Intelligence Report for the Financial Industry (March 2017)