UPDATE: When posting this blog, we had not yet applied the most recent patches from Patch Tuesday (in March). This SMB flaw was apparently fixed that Tuesday with MS17-010. When we did our testing, we were outside the March patch cycle. We have clarified the blog post with this update and a link to Microsoft below.
Link to advisory:
This blog post contains information that was obtained publicly, not through classified methods but through the “Shadow Brokers” (suspected to be Russia) dump of the “Equation Group” (suspected to be NSA). The techniques here are zero-day in nature and can cause security issues; however, the information is now public and should be researched and disclosed. If the facts are indeed true, this is a dark day for our intelligence community, and we can’t comprehend the damage this has done. The only hope is that, while a lot of these exploits date back to research done in 2013, the capabilities have continued to grow and expand since the disclosed date of today. Additionally, we don’t envy the task ahead for the fine and hard-working crew over at Microsoft during the holiday weekend and away from family. The good news is that a lot of these have already been patched (some as early as last week).
Our goal with this post and at TrustedSec is not to cause harm or damages – but present information that is already exposed in order to educate and help.
This blog post was written by Justin Elze – Principal Security Consultant at TrustedSec.
Today we awoke to this link from Martin Bos (@cantcomputer) link here (thanks for ruining our day off!). Shadow Brokers leaked additional tools reportedly from the Equation Group. This piqued our interest as a company, and after last week’s leak of various 0day exploits and implants for Linux/Solaris, we knew that it was probably legitimate. Leaks like this often contain 0day or known exploits with proofs of concept that have not been seen by the public. This leak was no different and far surpassed expectations.
It’s also a chance to learn new persistence and command and control methods used by governments and adversaries. These techniques, tactics, and procedures (TTPs) give the security industry a much better understanding of capabilities, as well as of what we need to do in order to perform true adversarial simulation.
The data in the dump is a few years old (around 2013), but as you begin to dig into it there are multiple 0day, non-patched exploits that affect various versions of Windows from XP through Windows 8/Server 2012. The full extent is still TBD based on the disclosure date; many of these exploits may be ported to Windows 10 and newer versions of Server 2012.
This leak contained 4 files:
sha256sum.txt – Contained SHA256 hashes for the files
swift.tar.xz.gpg – Information on the SWIFT/EastNets breach
windows.tar.xz.gpg – Contains numerous Windows exploits and an exploitation framework called Fuzzbunch.
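Before handling any archive from a dump like this, the first check a practitioner wants is that the files actually match the manifest shipped with them. The following is an added example, not code from the TrustedSec post or from the leak: it parses a sha256sum.txt in the GNU coreutils format ("hexdigest  filename", with an optional "*" binary-mode marker before the name) and verifies each listed file, reporting OK, FAILED or MISSING. The sample manifest and file contents in demo() are constructed for illustration; the digests are not those of the real archives.

```python
import hashlib
import os
import tempfile

# Added example (not the post's or the leak's own code): verify files against a
# sha256sum.txt manifest of the form produced by GNU coreutils sha256sum.


def parse_sha256sum(text):
    """Return {filename: hexdigest} from the contents of a sha256sum.txt file."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, name = parts
        name = name.lstrip("*")  # "*" marks binary mode in coreutils output
        expected[name] = digest.lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest_path, base_dir):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    with open(manifest_path, encoding="utf-8") as f:
        expected = parse_sha256sum(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == digest else "FAILED"
    return results


def demo():
    """Constructed sample: one file matching its digest, one tampered, one absent."""
    d = tempfile.mkdtemp()
    good = b"constructed archive contents"
    with open(os.path.join(d, "swift.tar.xz.gpg"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "windows.tar.xz.gpg"), "wb") as f:
        f.write(b"tampered contents")
    manifest = (
        f"{hashlib.sha256(good).hexdigest()}  swift.tar.xz.gpg\n"
        f"{hashlib.sha256(b'original').hexdigest()}  windows.tar.xz.gpg\n"
        f"{'0' * 64}  missing.bin\n"
    )
    with open(os.path.join(d, "sha256sum.txt"), "w", encoding="utf-8") as f:
        f.write(manifest)
    return verify_manifest(os.path.join(d, "sha256sum.txt"), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

A manifest check only proves the files are the ones the manifest describes; since sha256sum.txt travels with the dump, it says nothing about who produced them, which is why the encrypted archives' provenance still rests on the leak itself rather than on this check.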
We verified the exploit was successful by pinging the backdoor and then going through the removal process and verifying it was removed.
Below are videos of using DoublePulsar to deliver a Cobalt Strike payload as our own RCE payload on a fully patched Windows 7 system: