Shadow Brokers Release Attack Tool Archives
On April 9 and April 14, 2017, the Shadow Brokers threat group released archives of attack tools and other information that it claims originated from the National Security Agency (NSA). The contents included exploits against Windows, Solaris, and other software from as early as 2008, as well as information about a campaign targeting EastNets, a SWIFT (Society for Worldwide Interbank Financial Telecommunication) Service Bureau.
Despite some reports that the archives contain exploits for unpatched Windows vulnerabilities, SecureWorks(R) Counter Threat Unit(TM) (CTU) researchers determined that there are no functional exploits against fully patched, supported Microsoft software. Several of the vulnerabilities were addressed in Microsoft Security Bulletin MS17-10, which was released as part of March’s patch cycle. Three other exploits target Windows XP, Vista, Server 2003, Server 2008, and IIS 6.x, but Microsoft does not plan to provide patches for these exploits as the products are no longer supported.
Two attack tools target unpatched vulnerabilities in current Solaris versions:
– EBBISLAND is a remote buffer overflow exploit against XDR code that targets any running RPC service.
– EXTREMEPAAR is a local privilege escalation exploit.
Another buffer overflow exploit named VIOLENTSPIRIT targets the ttsession daemon in Solaris 2.6-2.9. The archives also included exploits targeting less-common software such as Lotus Domino versions 6 and 7, Lotus cc:mail, RedFlag Webmail 4, Avaya Media Server, and phpBB.
According to the Shadow Brokers’ April 14 release, the PLATINUM COLONY threat group (also known as Equation Group) gained access to the EastNets network, monitored SWIFT transactions from a select number of targeted financial services institutions between March 2013 and at least October 2013, and had persistent and wide-ranging access to the EastNets network. CTU(TM) researchers assess with high confidence that PLATINUM COLONY is operated by a United States intelligence agency. The group has been active since at least 2001 and likely uses its sophisticated toolset for military espionage and national security objectives, rather than for economic espionage activities.
PowerPoint and Excel documents within the leaked files list SWIFT Alliance Access servers run by EastNets, and several of the servers are marked as compromised for data collection. There is no indication that networks and hosts operated by EastNet customers outside the EastNet environment were compromised, but SWIFT transactions in 2013 could have been monitored by an unauthorized party as they traversed EastNets servers. EastNets released a public statement saying, “The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded.” However, the documentation provided in the Shadow Brokers leak strongly suggests a compromise.
CTU researchers recommend that clients ensure that the MS17-10 security updates have been applied. In addition, clients should upgrade unsupported Windows operating systems and IIS web servers to a supported version and should restrict external access to RPC services on Solaris servers.
The CTU research team is investigating the feasibility of countermeasures to detect the published exploits.
If you have any questions or concerns, please submit a ticket via the SecureWorks Client Portal.