Shadow Brokers Leaks Hacking Tools: What it Means for Enterprises
On April 14, several hacking tools and exploits targeting systems and servers running Microsoft Windows were leaked by hacking group Shadow Brokers. Several of these were reportedly tools targeting financial organizations worldwide. The hacking group initially put these troves of stolen malware up for sale last year but failed, and has incrementally released them since.
The latest haul of malware released by Shadow Brokers enables attackers to breach systems (including Linux), networks, and firewalls.
Which systems and platforms are affected?
Trend Micro’s initial (and ongoing) analyses found over 35 information-stealing Trojans included in this latest leak. The dump included exploits that target several system and server vulnerabilities, along with Fuzzbunch—a network-targeting hacking framework (similar to penetration testing tool Metasploit) that executes the exploits.
Here are some of the vulnerabilities exploited by the hacking tools:
- CVE-2008-4250 (exploit for which is codenamed “EclipsedWing”, patched October, 2008 via MS08-67)
- CVE-2009-2526, CVE-2009-2532, and CVE-2009-3103 (“EducatedScholar”, patched October, 2009 via MS09–050)
- CVE-2010-2729 (“EmeraldThread”, patched September, 2010 via MS10-061)
- CVE-2014-6324 (“EskimoRoll”, patched November, 2014 via MS14-068)
- CVE-2017-7269 (a security flaw in Microsoft Internet Information Services 6.0)
- CVE-2017-0146 and CVE-2017-0147 (“EternalChampion”, patched March 2017 via MS17-010)
Other exploits addressed by Microsoft were “ErraticGopher”, fixed before the release of Windows Vista, as well as “EternalRomance” and “EternalSynergy”. The two latter exploits leverage security flaws in Windows SMB server, and were patched in March 2017 via MS17-010.
Some of the hacking tools chain several security flaws in order to execute the exploit. Many of these exploits are relatively old, with some dating as far back as 2008, for which patches and fixes have long been available. The Microsoft Security Response Center (MSRC) Team was quick to issue a security advisory detailing the patches/fixes that address the exploits confirmed to be in Shadow Brokers’s latest dump.
Trend Micro’s detections for exploits/Trojans related to Shadow Brokers’s leak are:
- TROJ_EASYBEE.A
- TROJ_EDUSCHO.A
- TROJ_EFRENZY.A
- TROJ_EQUATED.G (several variants)
- TROJ_ETERNALROM.A
- TROJ_EXCAN.A
- TROJ_STUXNET.LEY
- TROJ64_EQUATED.E
Based on Trend Micro’s ongoing analyses, affected platforms include private email servers and web-based email clients as well as business collaboration software. Windows systems and servers 2000, XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2 are affected by exploits that leverage Internet and network protocols. Some of these include: Internet Message Access Protocol (IMAP), network authentication (Kerberos), Remote Desktop Protocol (RDP), and Remote Procedure Call (RPC) service.
What does it mean for enterprises?
Patching plays a vital role in combating these threats. Many of the exploits from Shadow Broker’s latest dump take advantage of reasonably dated vulnerabilities that enterprises can avert given the availability of their fixes/patches.
Conversely, they are still credible threats for many organizations, particularly those that run systems and servers on Windows 8 (versions 8 and 8.1), XP, Vista, 2000, and Windows Server 2008. For enterprises that use Windows Server 2003, the risk is exacerbated as Microsoft already ended support for the OS two years back.
The hacking tools also target vulnerabilities in email-based applications along with business-related software platforms, particularly those that manage collaborative functions in the workplace. Windows Server OSes are also an integral part of the network, data, and application infrastructure for many enterprises across all industries around the world.
Initial newscasts indicate that the leaked exploits and hacking tools mainly targeted international banks. Nevertheless, any threat actor that can get their hands on these malware can customize them against their targets of interest, even including newer platforms and OSes.
What can be done?
Shadow Brokers is just one of the many groups whose arsenal of threats can risk businesses to significant damage to reputation and disruption to operations and bottom line. While there is no silver bullet for these threats, a multilayered approach is key to mitigating them.
IT/system administrators can deploy firewalls, as well as intrusion prevention and detection systems that can inspect and validate traffic going in and out of the enterprise’s perimeter while also preventing suspicious or malicious traffic from going into the network. Information technology and security professionals can also consider further securing their organization’s remote connections by requiring users to employ virtual private network when remotely accessing corporate data and assets. Disabling unnecessary or outdated protocols and components (or applications that use them), such as SMB1, unless otherwise needed, can also reduce the company’s attack surface. Promoting a cybersecurity-aware workforce also helps mitigate the company’s exposure to similar threats, particularly against socially engineered attacks.
Incorporating and configuring additional layers of security to remote connections can also help—from network-level authentication, user privilege restriction and account lockout policies, and using RDP gateways, to encrypting remote desktop connections.
The hacking tools and exploits rely on security flaws to breach the systems and servers. Businesses can prevent attacks that utilize these exploits by keeping the OS and the software installed in them up-to-date, employing virtual patching, and implementing a robust patch management policy for the organization. Enterprises can also consider migrating their infrastructure to newer and supported versions of OSes to mitigate the risks of end-of-life software.
Trend Micro Solutions:
Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect similar threats even without any engine or pattern update.
Trend Micro’s Hybrid Cloud Security solution, powered by XGen™ security and features Trend Micro™ Deep Security™, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads/servers.
TippingPoint’s Integrated Advanced Threat Prevention provides actionable security intelligence, shielding against vulnerabilities and exploits, and defending against known and zero-day attacks. TippingPoint’s solutions, such as Advanced Threat Protection and Intrusion Prevention System, powered by XGen™ security, use a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis to detect and block attacks and advanced threats.
A list of Trend Micro detections and solutions for Trend Micro Deep Security, Vulnerability Protection, TippingPoint and Deep Discovery Inspector can be found in this technical support brief.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.