Shadow Brokers
One of the most significant events in computer security began in April 2017, when the still-unidentified group Shadow Brokers published a trove of the National Security Agency's most coveted hacking tools. Shadow Brokers released what it alleged was a series of surveillance-enabling tools stolen from the National Security Agency (NSA). It is not clear whether the source was a former insider, and if so whether that insider was a contractor or an in-house employee of the secretive agency. The investigation went beyond Harold Martin, the former Booz Allen Hamilton contractor. Security experts have theorized over the last year that the Shadow Brokers are hackers who broke into a faulty NSA attack server to steal tools and other secret information. This remains a possibility, but it does not explain how the group was able to publish an internal PowerPoint presentation.
Cyber adversaries can exploit vulnerabilities in older operating systems and unpatched software now more than ever before. The breadth and complexity of the exploits and malware often exceed the protections that reactive defenses like anti-virus software can provide. Proactive defenses like those provided by Microsoft and other third parties can help.
In September 2016, Cisco Systems started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the US National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation Group, believed to be a cyberespionage team tied to the NSA. ExtraBacon was released earlier that month, together with other tools, by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation Group toolset that the Shadow Brokers outfit had put up for auction. ExtraBacon exploits a buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) implementation of Cisco's ASA software. It allows attackers to remotely execute rogue code on the affected devices, as long as they can send traffic to the devices' SNMP interface.
Security researchers established links between the code in the tools leaked by Shadow Brokers and code previously found in the wild and attributed to the Equation Group. Furthermore, 14 files leaked by Shadow Brokers contain a 16-character string that NSA operatives are known to have used in their malware and which is listed in an NSA manual leaked by Edward Snowden, The Intercept reported. There is a second Equation Group exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011.
North Korea was suspected to be the architect of WannaCry, which was written after the Shadow Brokers release. The NSA issued an internal assessment that linked the ransomware to North Korea's Reconnaissance General Bureau (RGB). The assessment attributes WannaCry to North Korea with "moderate confidence," and includes as evidence IP addresses in China that are known to have been used by the RGB. The WannaCry hackers are said to be part of the "Lazarus Group" that was also behind the February 2016 SWIFT hacks. In both cases, the cyberattacks may have been used as an attempt to raise revenue for the regime.
Ransomware like Petya or WannaCry can exploit EternalBlue, a security vulnerability found in Microsoft's Windows-based systems. Published by the hacking group Shadow Brokers in April 2017, this vulnerability targets version 1.0 of Windows' SMB file-sharing protocol (SMBv1). SMB is a network file-sharing protocol that allows computer applications to read and write files, and to request services from systems that are on the same network. Left unpatched, hackers and other cyber actors can exploit this vulnerability to spread WannaCry and other infections to other unpatched computers and networks. Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016 are all vulnerable to the EternalBlue exploit.
The Microsoft Security Response Center (MSRC) published information on April 15, 2017 about several recently publicized Shadow Brokers exploit tools that affect various Microsoft products. Users and administrators were reminded that software no longer supported by Microsoft (also known as end-of-life (EOL) software) is particularly at risk of exploitation. Server Message Block (SMB) is an enhanced version of CIFS (Common Internet File System) developed by Microsoft for the release of Windows 95 in the early 1990s. SMB was developed because CIFS had challenges with security, slow file transfer, and long delays in responding to service requests.
The Shadow Brokers hacker group leaked a fully developed SMB exploit, known as EternalBlue. Microsoft was forced to issue a critical security bulletin (MS17-010) on March 14, 2017. EternalRocks uses seven NSA tools, whereas WannaCry, for example, used only two (EternalBlue and another called DoublePulsar).
EternalBlue was used as the initial compromise vector, or as a method of lateral movement, for other cyberattacks such as WannaCry, Emotet, NotPetya and TrickBot. WannaCry takes advantage of the SMBv1 vulnerability to compromise Windows machines, load malware, and propagate to other machines in a network. Emotet infections are initiated by various malspam campaigns. Once Emotet is downloaded, it can silently install TrickBot onto the host system via the SMB vulnerability. TrickBot uses standard attack vectors to spread to other clients and servers, such as malvertising, spear phishing, network vulnerabilities (SMB and RDP), and secondary payloads. NotPetya malware uses a variety of techniques to spread to other computers, including EternalBlue and EternalRomance, and is known to have targeted mostly Ukrainian industries.
The WannaCry ransomware targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payment in the Bitcoin cryptocurrency. According to the Lessons Learned review of the WannaCry Ransomware Cyber Attack, the initial infection was likely through an exposed, vulnerable, internet-facing SMB port.
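The following is an added PowerShell example, not code from the article or from Microsoft, that audits a Windows host for the preconditions the paragraphs above describe (SMBv1 enabled, MS17-010 missing, SMB reachable on a public network) and optionally remediates them. It assumes Windows 8/Server 2012 or later with the SmbShare and NetSecurity modules, an elevated session, and that the administrator supplies the MS17-010 KB number for their build through the hypothetical -Ms17010Kb parameter; the 2017-03-14 date heuristic can only prove a host unpatched, never patched.

```powershell
# Added example (not from the article): audit a host for the conditions
# EternalBlue relies on and optionally remediate. Run elevated.
param(
    [switch]$Remediate,
    # MS17-010 shipped under a different KB per OS build; pass the one for
    # this build from the bulletin. Hypothetical parameter, empty by default.
    [string]$Ms17010Kb = ''
)

function Get-Smb1State {
    $cfg = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state = if ($feature) { $feature.State } else { 'unknown' }
    [pscustomobject]@{
        ServerEnabled = [bool]$cfg.EnableSMB1Protocol   # SMBv1 answered by the server service
        FeatureState  = $state                           # optional feature installed or not
    }
}

function Test-Ms17010 {
    param([string]$Kb)
    if ($Kb) {
        # Exact check when the KB for this build is known.
        return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    }
    # Fallback: MS17-010 was issued 2017-03-14, so a host with no update installed
    # on or after that date is certainly unpatched. A later update does not prove
    # the fix is present; confirm with the KB check.
    $cutoff = Get-Date '2017-03-14'
    $later = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff }
    return [bool]$later
}

$smb1 = Get-Smb1State
$patched = Test-Ms17010 -Kb $Ms17010Kb
Write-Output "SMBv1 server protocol enabled : $($smb1.ServerEnabled)"
Write-Output "SMB1Protocol feature state    : $($smb1.FeatureState)"
Write-Output "MS17-010 present (or updates after 2017-03-14): $patched"

if ($Remediate) {
    # 1. Turn SMBv1 off at the server level and remove the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # 2. Block inbound SMB (TCP 445) on the Public profile so the host never
    #    presents an internet-facing SMB port like the WannaCry entry point.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB (Public)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (Public)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
    Write-Output 'Remediation applied; reboot to complete SMB1Protocol removal.'
}
```

Run it once without -Remediate to record the baseline, then with -Remediate on hosts that still report SMBv1 enabled; Windows 7 and Server 2008 R2 hosts lack Get-SmbServerConfiguration and need the registry-based procedure from Microsoft's guidance instead.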
By June 2019 the people of Baltimore were beginning their fifth week under an electronic siege that had prevented residents from obtaining building permits and business licenses, and even from buying or selling homes. A year after hackers disrupted the city's emergency services dispatch system, city workers were unable to, among other things, use their government email accounts or conduct routine city business.
Over 75% of unpatched vulnerabilities among small and medium-sized businesses (SMBs) are more than one year old, according to Alert Logic research. It is only a matter of time before there is another attack. As a recap, remember that it takes only one determined attacker and one system to gain access to a whole network.