Mitigating Against the Shadow Broker Exploit Dump
April 17th, 2017 by Cory Mathews
On Friday, April 14, a group called "Shadow Brokers" released multiple exploits and tools, purported to be from the NSA, in a dump entitled "Fifth Leak: Lost in Translation". Over the holiday weekend, the Critical Start research team and the greater InfoSec community went through and analyzed many of the tools.
The tools consist primarily of Windows binaries (executables) and Python scripts. They target a wide range of software, including Windows desktop operating systems (XP, Vista, 7, and 8), Windows server operating systems (2000, 2003, 2008, and 2008 R2), and application suites (including Lotus and the SWIFT banking and messaging systems). The tools allow malicious actors to run commands on, and gain access to, hosts running those operating systems and applications.
Microsoft released a security patch, MS17-010 ( https://technet.microsoft.com/en-us/library/security/ms17-010.aspx ), that addresses previously unknown vulnerabilities exploited by this toolset. Other tools exploit vulnerabilities that have already been patched (e.g. MS08-067, MS10-061).
Unpatched Windows Vulnerabilities
Some of the tools exploit previously unknown vulnerabilities in End of Life (EoL) systems, such as Windows XP, Server 2000, and Server 2003. As these systems are EoL, no official patches are expected to be released.
In addition to normal patch and vulnerability management, clients and users are advised to apply MS10-061 as soon as possible, treating the patch as a Critical Priority.
If possible, clients and users with EoL systems (e.g. Windows XP and Server 2003) are advised to migrate to supported systems. As this is not always feasible in a business sense, clients that are unable to migrate immediately are advised to secure those systems as well as possible by limiting port and service access, applying endpoint protection, and limiting network access to the hosts.
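One way to turn the guidance above into a repeatable check is to run an asset inventory through the post's own rules: EoL releases (XP, Server 2000, Server 2003) get no patch and must be isolated or migrated, while the supported releases the post names must show MS17-010 installed. The script below is an added example, not Critical Start's tooling; the inventory CSV layout (hostname, OS string, semicolon-separated bulletins) and the sample rows are constructed.

```python
"""Triage a host inventory against the advisory's mitigation rules (added example)."""
from __future__ import annotations

import csv
import io
import re

# Operating systems the post lists as targeted by the leaked tools.
EOL_PATTERNS = [r"windows xp", r"server 2000", r"server 2003"]
SUPPORTED_PATTERNS = [r"windows vista", r"windows 7", r"windows 8",
                      r"server 2008"]  # also matches "Server 2008 R2"
REQUIRED_BULLETIN = "MS17-010"


def classify(os_name: str, bulletins: set[str]) -> str:
    """Return the advised action for one host, based on OS and applied bulletins."""
    os_l = os_name.lower()
    if any(re.search(p, os_l) for p in EOL_PATTERNS):
        return "ISOLATE_OR_MIGRATE"   # no vendor patch will be released
    if any(re.search(p, os_l) for p in SUPPORTED_PATTERNS):
        if REQUIRED_BULLETIN in bulletins:
            return "PATCHED"
        return "PATCH_CRITICAL"       # MS17-010 missing: treat as critical priority
    return "OUT_OF_SCOPE"             # not a platform the post names


def triage(inventory_csv: str) -> dict[str, str]:
    """Map hostname -> advised action for every row of an inventory CSV (constructed format)."""
    actions: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        applied = {b.strip().upper() for b in row["bulletins"].split(";") if b.strip()}
        actions[row["hostname"]] = classify(row["os"], applied)
    return actions


# Constructed sample inventory: hostnames and bulletin lists are made up.
SAMPLE_INVENTORY = """hostname,os,bulletins
fileserv01,Windows Server 2008 R2,MS08-067;MS17-010
legacy-hmi,Windows XP Professional,MS08-067
wks-042,Windows 7 Enterprise,MS08-067;MS10-061
web02,Ubuntu 16.04,
"""

if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {action}")
```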
To discuss specific remediation strategies, please reach out to your Critical Start Account Manager.
- News Article: https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/
- Microsoft Statement: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
- MS17-010 Patch: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx