April 19th, 2017

The Latest Leaks From The Shadow Brokers: Where Do We Stand?

The Shadow Brokers have been trickling out leaks since August 2016. Their April 8 release was somewhat lackluster, but the exploits released on April 14 had the infosec world on edge. This latest set of tools includes what was initially thought to be a bundle of zero-day exploits, as well as material suggesting access to the SWIFT international banking network.

Shadow Brokers Impact as of August 2016.

Code-named Lost in Translation, The Shadow Brokers' leak is spread across three main folders, called windows, oddjob and swift. The windows folder contains exploits and the FuzzBunch framework used to launch them against various Windows products, the oddjob folder contains an implant and its command-and-control tooling, and the swift folder contains material that appears to document access to the SWIFT banking network. The code is alleged to have leaked from the NSA; its origin has not been officially confirmed.

In the initial hysteria, many in the security industry assumed that anyone would be able to download the toolkit and quickly compromise vulnerable systems across the world. Microsoft quickly allayed those fears with a blog post stating that the vulnerabilities behind the headline exploits had already been patched, the most recent of them in the March updates.

The Windows Exploits

The Shadow Brokers release includes a range of tools that affect many different Windows products. Some of these are old, while others were thought to be zero-day exploits that could wreak havoc on several different versions. Most of the initial examinations were conducted on research systems that had not been updated with the latest patches, which led to widespread alarm within the industry.

While it is easy to criticize the researchers for not testing against fully patched systems, in the early hours of the leak Microsoft had given no indication that the vulnerabilities had already been addressed.

According to the subsequent Microsoft blog post, the following exploits had already been patched: EternalBlue, EmeraldThread, EternalChampion, ErraticGopher, EskimoRoll, EternalRomance, EducatedScholar, EternalSynergy, and EclipsedWing. Some of the issues were addressed years ago (EclipsedWing by MS08-067, EducatedScholar by MS09-050, EmeraldThread by MS10-061, EskimoRoll by MS14-068, and ErraticGopher before Windows Vista shipped), but the four Eternal* SMB exploits were taken care of by last month's MS17-010 update.

On systems that have not been patched, EternalBlue gives an attacker unauthenticated remote code execution over SMBv1 (TCP port 445) on Windows 7 and Windows Server 2008 R2. They can then install DoublePulsar, a kernel-mode backdoor that injects malicious DLLs into user-mode processes.

EducatedScholar and EmeraldThread are both delivered over SMB; the former targets SMBv2 on Vista and Server 2008, the latter Windows XP and Server 2003. EternalChampion is an SMBv1 exploit, while EternalSynergy is a remote code execution exploit against SMBv3 that works against Windows 8 and Server 2012 if they have not received MS17-010.

ErraticGopher is an SMB exploit that targets Server 2003 and Windows XP, while EskimoRoll is a Kerberos exploit that targets Windows 2000, as well as Server 2003, 2008 and 2008 R2 domain controllers. EternalRomance is a remote SMBv1 exploit against the network file server. It can affect Windows XP, Server 2003, Vista, 7, 8, Server 2008 and Server 2008 R2. EclipsedWing is an RCE exploit that targets Windows Server 2008 as well as older versions.
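Every one of the Eternal* exploits above rides on SMBv1, so the quickest fleet-wide check after MS17-010 is whether a host still negotiates the legacy protocol at all. The following is an added example (not code from the original post, and not taken from any of the leaked tools): it sends a single SMB1 Negotiate Protocol request offering only the "NT LM 0.12" dialect and classifies the reply. A server that still speaks SMBv1 answers by selecting dialect 0; a server with SMBv1 disabled drops the connection or refuses every offered dialect. The function and status names are this example's own, and the two sample replies are constructed for offline use, not captured from a real host.

```python
"""Probe a host for SMBv1 support with one Negotiate Protocol request.

Added example. Only the legacy 'NT LM 0.12' dialect is offered, so the
answer tells you whether the SMBv1 transport used by EternalBlue,
EternalRomance, EternalChampion and EternalSynergy is still reachable.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"NT LM 0.12"]  # SMBv1 only, on purpose


def _smb1_header(flags):
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    # 8-byte signature, reserved, TID, PID, UID, MID.
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags,
        0xC801,  # Flags2: Unicode, NT status codes, extended security, long names
        0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def _netbios(smb):
    # NetBIOS session service header: type 0x00 plus 3-byte big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(dialects=DIALECTS):
    """Return a NetBIOS-framed SMB1 Negotiate Protocol request."""
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes  # WordCount, ByteCount
    return _netbios(_smb1_header(0x18) + body)


def parse_negotiate_response(data):
    """Classify a raw reply: 'smbv1-enabled', 'smbv1-refused', 'smb2-only', 'closed' or 'unknown'."""
    if not data:
        return "closed"  # connection dropped without a reply: SMBv1 is off
    smb = data[4:]  # strip the NetBIOS header
    if len(smb) < 33:
        return "unknown"
    if smb[:4] == SMB2_MAGIC:
        return "smb2-only"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    word_count = smb[32]
    if word_count == 0:
        return "smbv1-refused"  # error reply carrying an NT status, no dialect chosen
    if len(smb) < 35:
        return "unknown"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return "smbv1-refused"  # server accepted none of the offered dialects
    return "smbv1-enabled"


def probe(host, port=445, timeout=5.0):
    """Send the Negotiate to a live host and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            reply = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return parse_negotiate_response(reply)


def sample_smbv1_response():
    """Constructed reply from a server that still speaks SMBv1 (dialect index 0)."""
    # WordCount 17, then DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs,
    # MaxBufferSize, MaxRawSize, SessionKey, Capabilities, SystemTime,
    # ServerTimeZone, ChallengeLength; ByteCount 0.
    words = struct.pack("<HBHHIIIIQhB", 0, 0x03, 50, 1, 16644, 65536, 0,
                        0x8001F3FD, 0, 0, 8)
    return _netbios(_smb1_header(0x98) + bytes([17]) + words + struct.pack("<H", 0))


def sample_refused_response():
    """Constructed reply from a server that accepts none of the offered dialects."""
    return _netbios(_smb1_header(0x98) + bytes([1]) + struct.pack("<HH", 0xFFFF, 0))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        print("constructed SMBv1 reply ->", parse_negotiate_response(sample_smbv1_response()))
        print("constructed refusal     ->", parse_negotiate_response(sample_refused_response()))
```

Run it with a host name to probe a live server, or with no arguments to see the classifier on the constructed samples. A result of smbv1-enabled on a machine you believe is patched is worth a second look: MS17-010 closes the bugs, but leaving SMBv1 on keeps the attack surface that the next exploit in this family will need.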

The other three exploits, EnglishmanDentist, EsteemAudit and ExplodingCan, only reproduce on platforms Microsoft no longer supports, such as Windows XP, Server 2003 and Exchange 2007. Because these platforms are out of support, they no longer receive security updates, and Microsoft has said it will not be patching these vulnerabilities.

One of the biggest questions surrounding this is how Microsoft knew about the vulnerabilities. They could have discovered them by chance, but the timing of the patches seems far too coincidental.

Some of the more cynical theories include that Microsoft was notified of the exploits by the NSA, or that it may even have paid The Shadow Brokers for the information. If either of these is true, it could explain why Microsoft has not credited a source, as it normally does in these instances.

Listening In On International Banking

The swift folder contains material that appears to link the NSA to a number of tools for reaching the network of the Society for Worldwide Interbank Financial Telecommunication (SWIFT). The SWIFT network is used by banks to securely exchange messages about financial transactions across the world.

According to Reuters, the leak indicates that the NSA may have the capability to access the SWIFT network and monitor, or perhaps even disrupt, its communications. SWIFT has not acknowledged a breach of its core network, stating in a press release that it has no evidence of one. This can be taken in several different ways.

The first is that SWIFT is telling the truth and its core network has not been breached, which seems unlikely given the leaked evidence. Another possibility is that only the network of a SWIFT client bank or service bureau has been infiltrated, not the core network. It is also possible that there has been a breach but SWIFT lacks the monitoring to discover it. Another option is that SWIFT is buying time while it investigates the issue further.

Whether the NSA has access to SWIFT's network has not been confirmed by either side. If the NSA does have access, it may be using it to monitor large-scale funds transfers, particularly those between terrorist networks.

What Are the Repercussions of the Lost in Translation Leaks?

Thankfully, the exploits revealed in the latest leak are not as bad as initially expected. Microsoft had already patched the vulnerabilities beforehand, so attackers could not run rampant while the developers hurried to get an update out. Despite this, there are still several things we can learn from the latest leaks:

Updates Are Essential

More than anything else, these leaks are a reminder of just how important it is to be running the latest security updates. Those who have already applied Microsoft's March updates, MS17-010 in particular, should be protected from the latest exploits released by The Shadow Brokers.

If you are running a platform that Microsoft no longer supports, it needs to be upgraded as soon as possible. Versions prior to Windows 7 are out of support and carry far too many unpatched vulnerabilities.

Security is a dynamic environment and threat actors are constantly coming up with new ways to infiltrate systems. As soon as vendors learn of these vulnerabilities, they release a patch to fix the holes. If you are not updating your devices as soon as these patches are made available, you are leaving your systems open to attack. This is why updating systems promptly is so crucial.

Unfortunately, we are all human and we tend to make mistakes, put things off and forget about them. This is why auto-updating is such an important feature. If you only update manually, it is very easy to fall behind and leave your systems vulnerable. Turning on auto-updates across all of your devices installs the latest patches without anyone having to remember, which shortens the window in which your systems are exposed.

Routers and IoT devices are often overlooked when it comes to updates. They are just as critical to keeping your systems secure. Unfortunately, many of them do not auto-update, so they are frequently left vulnerable to the latest attacks.

If your router or IoT devices do not auto-update, you need to make sure that you update them manually and frequently. For better security, look specifically for devices that can auto-update. Not only does this make your devices less of a target, it also shows that the manufacturer takes security seriously. There are a host of products on the market with very poorly designed security, so take this into account when making purchases.

Keep It in the Cloud

Another option to enhance your security could be to migrate to a cloud-based solution. With software-as-a-service, the provider takes care of updates to the service itself, which takes some of the pressure off you. It is important to note that cloud providers do not take on all of the security responsibilities: depending on the arrangement, you will still be responsible for data classification, identity and access management, endpoint security and other aspects.

Summing It All Up: Security in the Modern World

This leak certainly will not be the last, and threat actors will not stop trying to breach our systems any time soon. Keeping our systems safe is becoming increasingly challenging, especially as our lives move further and further into the online realm.

To minimize the chance of becoming a victim, it is important to be aware of information security and follow best practices. Your systems will never be 100% bulletproof, but simple steps can improve your security immensely. Regular updates are just one of many ways to reduce the chance of being breached. While security can seem like a hassle, a serious attack can have tremendous effects on your business or personal life. It is much easier to prevent an attack than to pick up the pieces.
