
Shadow Brokers Leak - What Lessons Have Been Learnt?

By Andy Swift, Head of Testing, CNS Group

Following a great deal of hype surrounding the hacking group Shadow Brokers and their most recent release of the National Security Agency's (NSA) hacking tools, there are a number of interesting lessons to observe and apply to our own internet facing assets to ensure their safety. 

Sam Warren, Director of Marketing at top-rated SEO service, RankPay, says: "Digital security is a more important consideration for businesses of all sizes. In fact, it is more so today than ever before.

"The risk of being attacked in some capacity is very real, and businesses that don't secure their websites, emails, and the like, are putting themselves in harm's way.

Small steps can make big progress, however. Something as simple as buying a password management software for employees can be the difference between an uneventful year and digital catastrophe. Being prepared for DDOS attacks and malicious login attempts is also critical for any and all webmasters. Make no mistake, if you own a website, attackers will attempt to log in to your administrative back-end. It's not a question of if, but when."

Pierre Tagle, Ph.D., Head of GRC Consulting ANZ & SEA at Secureworks, adds: "Cyber crime and security breaches are definitely a genuine concern to businesses across the world. A recent breach at PageUp has exposed recruitment records of major Australian companies, with hundreds of thousands of job seekers reportedly affected. If you think this is an isolated incident, you only have to look at the second Notifiable Data Breach Quarterly Statistics Report that was released by the Office of the Australian Information Commissioner last 31 July for confirmation that the risk is real – that report indicated 242 breach notifications, of which 59% were attributed to malicious or criminal attacks. The number is significantly higher than the previous report in April, which included 65 notifications. Even more alarming is the fact that it is often too hard to say for how long criminals were accessing personal information, as oftentimes organisations that fall victim to cyber criminals are unaware of the incident until weeks or even months after the attack has occurred.

“In today’s cyber landscape, investing in security should be a priority for businesses. CEOs who don’t invest in cyber security solutions are taking a serious risk with not only their finances and company’s standing in the market, but their employees’ and customers’ personal information. That along with the passing of legislation such as GDPR in Europe and the Mandatory Data Breach Notification legislation in Australia leaves businesses at risk of suffering reputational and financial damages should a breach occur."

For those still absorbing the news, the Shadow Brokers group released a reasonably large data dump belonging to an advanced persistent threat called the Equation Group. The group is thought to be a threat actor tied to the NSA. 

Following analysis, the set of documents and tools appears to stem from 2013. What made this release such big news was that the data dump included tools that are essentially point-and-click tools for exploiting a wide range of largely Windows-based operating systems.

The biggest noise surrounded two tools in particular. The first, named Fuzzbunch, was a Metasploit-styled framework for launching a number of previously unknown exploits. The second was a Windows-based backdoor named DoublePulsar.

The Fuzzbunch framework is capable of delivering a number of what, at the time, would have been classified as zero-day exploits, mainly targeting the SMB protocol. The exploits collectively affect most versions of Windows, including Windows 8, 10 and Server 2012. A brief list of some of the more interesting exploits the framework can deliver is given below.

ETERNALROMANCE - Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
ETERNALCHAMPION, ETERNALSYSTEM - Remote exploit up to Windows 8 and 2012
ETERNALBLUE - Remote exploit via SMB & NBT (Windows XP to Windows 2012)
EXPLODINGCAN - Remote IIS 6.0 exploit for Windows 2003
EWORKFRENZY - Lotus Domino 6.5.4 and 7.0.2 exploit
ETERNALSYNERGY - Windows 8 and Windows Server 2012


Interestingly, Microsoft provided a statement shortly after the release, stating that the issues had already been patched around a month before the release, although this is slightly suspicious to say the least. What is potentially more worrying is that some of these exploits have been in existence since 2013. Four years on, it would be naive to believe that this was the end of the line. It does make you wonder what might still be out there undiscovered. Nonetheless, below is a list of the exploits and their corresponding patches so we can get patching:

[Image: table of the Shadow Brokers exploits and their corresponding Microsoft patches; the table itself is not reproduced in this text]

As one can imagine, the sight of free-to-download point-and-click tools that can exploit pretty much any Windows-based system quickly resulted in the number of infected machines on the internet rapidly rising. A recent report stated that around five million internet-connected hosts were potentially exposed to exploitation via these new SMB exploits, which was backed up by a report stating that 56,000 hosts were already infected with the DoublePulsar backdoor.

Without dwelling on too much of the technical detail, what is interesting is that these exploits are only ever going to be a problem if the build standards of the hosts are poor in the first place. As a general rule of thumb, the same advice stands tall and really does apply: internet-facing hosts should only expose the bare minimum of secure services required for their functionality. Any common Windows or administrative services such as SMB (445) or RDP (3389) should be kept away from the internet and bound to an internal management interface only. Failing that, they should be secured behind a firewall to ensure that only limited access can be gained from the outside world.
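A quick way to check a host against that rule is to read its listening sockets and flag administrative ports that are bound to every interface rather than to a management address. The script below is an added example written for this article, not a CNS Group tool: it parses `netstat -ano` output from a Windows host (the sample output is constructed inline), treats 10.10.1.0/24 as a hypothetical management network, and reports SMB, RDP, RPC and NetBIOS listeners that face the wider network.

```python
"""Flag administrative Windows services that are exposed beyond the management network.

Added example (not from the original article). Parses ``netstat -ano`` output
and reports listeners on SMB/RDP/RPC/NetBIOS ports that are bound to all
interfaces (0.0.0.0 / ::) or to a non-management address.
"""
import re
from dataclasses import dataclass
from typing import List

# Ports the article says should never face the internet (plus RPC/NetBIOS,
# which are usually exposed alongside SMB on a poorly hardened host).
RISKY_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}

# Management network assumed for this example (hypothetical value).
MGMT_PREFIX = "10.10.1."

# Matches TCP rows in LISTENING state: proto, local address, foreign address, state, PID.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int

    @property
    def service(self) -> str:
        return RISKY_PORTS.get(self.port, "other")

    @property
    def wildcard(self) -> bool:
        """True when bound to every IPv4 or IPv6 interface."""
        return self.addr in ("0.0.0.0", "::")


def parse_netstat(text: str) -> List[Listener]:
    """Extract TCP listeners from ``netstat -ano`` output (IPv4 and bracketed IPv6)."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, pid = m.groups()
        addr, _, port = local.rpartition(":")   # "[::]:445" -> "[::]", "445"
        listeners.append(Listener(addr.strip("[]"), int(port), int(pid)))
    return listeners


def exposed_admin_services(listeners: List[Listener]) -> List[Listener]:
    """Return risky-port listeners not confined to the management network."""
    return [
        l for l in listeners
        if l.port in RISKY_PORTS and (l.wildcard or not l.addr.startswith(MGMT_PREFIX))
    ]


# Constructed sample of ``netstat -ano`` output; not captured from a real host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.10.1.5:3389         0.0.0.0:0              LISTENING       1120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2200
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING       1120
  UDP    0.0.0.0:137            *:*                                    4
"""


def report(text: str) -> List[str]:
    """Human-readable findings, one line per exposed administrative listener."""
    return [
        f"{l.service} on {l.addr}:{l.port} (pid {l.pid}) is reachable outside the management network"
        for l in exposed_admin_services(parse_netstat(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

In the constructed sample the HTTP listener on port 80 is ignored and the RDP listener bound to the management address passes, while the wildcard SMB/RPC bindings and the RDP listener on a public address are reported; on a real host the same check should be paired with a firewall rule review, since a wildcard binding behind a correctly filtered firewall is a lesser finding than the script alone suggests.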

The same can be said of outdated operating systems or missing patches. It is all too easy to believe that such systems will never be attacked and to "risk accept" systems becoming end of life. In a world where critical issues that have existed unpatched since 2013 have only just been patched this year, the approach to a secure environment needs to be more than just applying vendor-supplied patches. It needs to include thorough system hardening, ensuring that only necessary services are exposed to public-facing networks.

Aaron Fisher, Managing Director at My Intro Tech Partner, offers the following advice: "There is no 100 percent foolproof way to keep hackers out of your network. However, there are things you can do to help strengthen your defenses. The best method is offence, and the next best is a defense in depth methodology.

"What do I mean by defense in depth? It involves layering defenses on top of each other to ensure you cover as many areas of your technology investment as possible. This should include things such as network segregation (segregating different areas of your technology network). This goes beyond just VLANs, but it also requires a next generation firewall sitting in between all the segments, applying policies based at the application layer. This allows only applications required to be used, and blocks everything else by default."

Colton De Vos from Resolute Technology Solutions says: "There are many things you can do to secure your website from hackers, but here are a few quick hits.

"Firstly, you can lock down your website to only allow login from certain IP addresses to prevent intruders. This can limit flexibility of who can make updates on your site, but it has a huge security advantage. Secondly, there are many security plugins you can add to your website if it is built on a CMS (Content Management System). Search for one that is well-supported and has a lot of good reviews. These plugins can block out brute force attempts and identify breaches.

"One last tip that is mentioned everywhere, but is still powerful: have complex, unique passwords for logging into your website and hosting provider. If hackers can get in there, they can do a lot of damage."
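The first of those quick hits, restricting the site's login to known source addresses, is simple to state but easy to get wrong behind a load balancer, because the `X-Forwarded-For` header is attacker-controlled unless the direct peer is a proxy you trust. The check below is an added example, not code from Resolute Technology Solutions or from any CMS plugin: it is framework-independent, the allowed networks and the trusted proxy range are constructed placeholder values, and it resolves the real client address before consulting the allowlist.

```python
"""Source-address allowlist for an administrative login route.

Added example (not from the original article). Resolves the real client
address, honouring X-Forwarded-For only when the direct peer is a trusted
reverse proxy, then checks it against an allowlist of networks.
"""
import ipaddress
from typing import List, Optional

# Addresses permitted to reach the admin back-end (constructed placeholder values).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress range
    ipaddress.ip_network("198.51.100.7/32"),  # a contractor's static address
]

# Reverse proxies / load balancers whose X-Forwarded-For we trust (placeholder range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr, networks: List) -> bool:
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, xff: Optional[str] = None):
    """Return the address the decision should be based on.

    The header is ignored unless the TCP peer is a trusted proxy; otherwise a
    direct client could forge it and bypass the allowlist. Proxies append the
    address they saw to the right-hand end, so walk the chain right-to-left and
    return the first hop that is not itself a trusted proxy.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: fail closed by falling back to the proxy's own
            # address, which is never in the allowlist.
            return peer
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer  # every hop was a trusted proxy; nothing to grant


def admin_login_allowed(remote_addr: str, xff: Optional[str] = None) -> bool:
    """True only when the resolved client address is inside an allowed network."""
    return _in_any(client_ip(remote_addr, xff), ALLOWED_NETWORKS)


if __name__ == "__main__":
    # Direct connection from the office range: allowed.
    print(admin_login_allowed("203.0.113.5"))
    # Direct connection that forges the header: header ignored, denied.
    print(admin_login_allowed("192.0.2.9", "203.0.113.5"))
    # Via the load balancer, real client on the office range: allowed.
    print(admin_login_allowed("10.0.0.4", "203.0.113.5"))
    # Via the load balancer, client injected a fake first hop: denied.
    print(admin_login_allowed("10.0.0.4", "203.0.113.5, 192.0.2.9"))
```

The function is meant to sit in front of the login and admin routes of whatever framework the site runs on; the same logic applies to an IP-restriction plugin, and the spoofing cases in the `__main__` block are the ones worth re-testing after any change to the proxy layer.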

Jonathan Rhodes, Technical Lead at Sitback Solutions, adds that unpatched software is one of the weakest links in businesses and can lead to them being hacked. He advises: "Keep all software up-to-date, and if you’re using a CMS like Drupal or WordPress, consider both the core framework and any contributed modules/plugins that you might be using. Additionally, don’t forget other appliances, such as routers and file servers.

"You should also institute a patch management program to ensure that devices, and software, are kept up to date at all times."
