Have You Heard about the Shadow Brokers Tools Dump?

Have you ever heard of the “Shadow Brokers?” Until recently, I had not heard the term, but it appears the Shadow Brokers are a group of hackers who have really put a new spin on the phrase “lost in translation.” On Good Friday, and ahead of the Easter holiday, the Shadow Brokers dumped a new collection of files, which they called “Lost in Translation,” containing what appear to be exploits and hacking tools targeting Microsoft’s Windows OS, Linux, firewalls, and others. At the same time, they presented evidence that the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world.

So, first a little background to put some pieces into place. The Shadow Brokers are a group of hackers who were able to gain access to the servers of a cyber-espionage group known as the Equation Group. They stole the “Lost in Translation” files and tools from the Equation Group. Actually, there are many different security firms and groups, and they have made the claim that the Equation Group is actually the NSA or at least a subsidiary of it. The Shadow Brokers originally offered the tools up for sale to the highest bidder, but it would seem that they did not find anyone interested in paying the one million Bitcoins ($570 million dollars) for the tools. Once it was clear that the Shadow Brokers were not going to get the ransom, or asking price, for the tools, they decided to release into the wild what they stole as open-source software for the world to see.

It should be no surprise that government agencies would develop and maintain these kinds of capabilities, but what is surprising is that it was possible for this collection of tools to be stolen in the first place, not to mention their being released for the world to see and use.

So, should we, as professionals in the industry, download and spend time and energy reverse engineering these tools? Should we take the time to examine and study the methods and processes that are utilized in these tools? Or should these tools be considered off-limits because of the means by which they were acquired? In my opinion, these tools are now out in the wild, with multiple copies appearing to have been posted and made available at GitHub by different security firms and groups. For that reason, I believe that it would be prudent for all of us in the industry to make some time to study and learn from these tools so that we can start to engineer some kind of stopgap measure until the different vendors and OEMs are able to develop and release patches to protect against these tools and the zero-day exploits they use.

In case you have never heard of a zero-day exploit or vulnerability, it is basically an unknown or undisclosed vulnerability or flaw that has the ability to be exploited to gain access to or adversely affect computer systems or services. It gets its name, “zero-day,” from the fact that if the vulnerability is currently not known publicly, or even just internally to the software company, it leaves zero days in which interested parties can patch the vulnerability or at least provide guidance for a workaround to block or mitigate the effects of the vulnerability. It is the zero-day vulnerabilities that are of the greatest concern to system administrators, because you never know how long it will take before a patch becomes available to address the problem, and in that time it can leave multiple systems from different companies around the world in a vulnerable state.

I think it will be awhile before we can establish a solid understanding of how these tools work. So far, all we have learned has come from a few security researchers’ tweets reporting on what they have managed to figure out so far. Just in case you are not too concerned about these tools and how they could affect the systems in your environment, let me present a summary of the tools. You can decide for yourself whether you think your systems or the systems you support and maintain have the potential to affect you and yours, and just how bad you think things could be.

  • EASYBEE appears to be an MDaemon email server vulnerability [source, source, source]
  • EASYPI is an IBM Lotus Notes exploit [source, source] that gets detected as Stuxnet [source]
  • EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 to 7.0.2 [source, source]
  • EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor [source, source]
  • ETERNALROMANCE is a SMBv1 exploit over TCP port 445, which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges [source, source]
  • EDUCATEDSCHOLAR is an SMB exploit [source, source]
  • EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 [source, source]
  • EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino [source, source]
  • ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client’s side to send an email to other users [source, source]
  • ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003 [source, source]
  • ETERNALSYNERGY is an SMBv3 remote code execution flaw for Windows 8 and Server 2012 [source, source, source]
  • ETERNALBLUE is an SMBv2 exploit [source]
  • ETERNALCHAMPION is an SMBv1 exploit [source]
  • ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers [source, source]
  • ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003 [source, source]
  • ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later [source, source]
  • EXPANDINGPULLEY is another Windows implant [source]
  • GROK is a keylogger for Windows, also known about since Snowden [source]
  • ETRE is an exploit for IMail 8.10 to 8.22 [source]
  • FUZZBUNCH is an exploit framework, similar to MetaSploit [source, source], which was also part of the December–January “Windows Tools” Shadow Brokers auction [source]
  • DOUBLEPULSAR is a RING-0 multiversion kernel mode payload [source]
  • PASSFREELY is a tool that bypasses authentication for Oracle servers [source]
  • EquationGroup had scripts that could scrape Oracle databases for SWIFT data [source, source]
  • ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later [source, source], also not detected by any AV vendors [source]
  • Metadata [possibly faked, possibly real] links NSA to Equation Group [source]
  • NSA used TrueCrypt for storing operation notes [source]
  • Some of the Windows exploits released today were undetectable on VirusTotal [source]
  • Some EquationGroup humor in the oddjob instructions manual [source, source]
  • JEEPFLEA_MARKET appears to be an operation for collecting data from several banks around the world [source], previously linked to the NSA by Snowden [source, source]
  • The Equation Group targeted EastNets, a SWIFT connectivity provider [source, source, source, source, source]
Posted in SecurityTagged , ,