Securing business data

Blog Item

Shadow Brokers Leak - What Lessons Have Been Learnt?

by Jess Tanner | Apr 27, 2017

By Andy Swift, Head of Testing, CNS Group

Following a great deal of hype surrounding the hacking group Shadow Brokers and their most recent release of the National Security Agency's (NSA) hacking tools, there are a number of interesting lessons to observe and apply to our own internet facing assets to ensure their safety. 

For those still absorbing the news, the group released a reasonably large data dump belonging to an advanced persistent threat called the Equation Group. The group is thought to be a threat actor tied to the NSA. 

Following analysis, it appears that the set of documents and tools seem to stem from 2013. What made this release such big news was that the data dump included tools that are essentially point and click tools for exploiting a wide range of largely Windows based operating systems. 

The biggest noise was surrounding two tools in particular. One named Fuzzbunch, which was a metasploit styled framework for launching a number of previously unknown exploits. The second a windows based backdoor named DoublePulsar.

The Fuzzbunch framework is capable of delivering a number of, what at the time would have been classified as, zero-day exploits that mainly target the SMB protocol. The exploits collectively affect most versions of Windows, including Windows 8, 10 and server 2012. A brief list of some of the more interesting exploits the framework can deliver are listed below.

ETERNALROMANCE - Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
ETERNALCHAMPION, ETERNALSYSTEM - Remote exploit up to Windows 8 and 2012
ETERNALBLUE - Remote exploit via SMB & NBT (Windows XP to Windows 2012)
EXPLODINGCAN - Remote IIS 6.0 exploit for Windows 2003
EWORKFRENZY - Lotus Domino 6.5.4 and 7.0.2 exploit
ETERNALSYNERGY - Windows 8 and Windows Server 2012


Interestingly, Microsoft provided a statement shortly after the release, stating the issues had already been patched around a month before the release, although this is slightly suspicious to say the least. What is potentially more worrying is that some of these exploits have been in existence since 2013. Four years on, it would be naive to believe that this was the end of the line. It does make you wonder what might still be out there undiscovered. Nonetheless, below is a list of the exploits and their corresponding patches so we can get patching:

Shadow Brokers

As one can imagine, the sight of some free to download point and click tools that can exploit pretty much and Windows based system quickly resulted in the number of infected machines on the internet rapidly rising. A recent report stated that around five million internet connected hosts were potentially exposed to exploitation via these new SMB exploits, which was backed up by a report stating 56,000 hosts were already infected with the DoublePulsar backdoor.

Without dwelling on too much of the technical detail, what is interesting is that these exploits are only ever going to be a problem if the build standards of the hosts are poor in the first place. As a general rule of thumb, the same advice stands tall and really does apply: internet facing hosts should only expose the bare minimum of secure services required for their functionality. Any common Windows or administrative services such as SMB (445) or RDP (3389) should be kept away from the internet and bound to an internal management interface only. Either that or they should be secured behind a firewall to ensure limited access can be gained from the outside world.

The same too can be said of outdated operating systems or missing patches. It is all too easy to believe said systems will never be attacked and "risk accept" systems becoming end of life. In a world where such critical issues, that have existed unpatched since 2013, have only just been patched this year, the approach to a secure environment needs to be more than just applying vendor supplied patched. It needs to include thorough system hardening, ensuring only necessary services are exposed to public facing networks.

Click here to find out more about Penetration Testing services.

call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere