Mitigating the Shadow Brokers Exploit Dump

April 17th, 2017 by Cory Mathews

On Friday, April 14, a group calling itself “The Shadow Brokers” released a set of exploits and tools, purported to be from the NSA, in a post entitled “Fifth Leak: Lost in Translation”. Over the holiday weekend, the Critical Start research team and the wider InfoSec community worked through and analyzed many of the tools.

Affected Systems
The tools consist primarily of Windows binaries (executables) and Python scripts. They target a wide range of software, including Windows desktop operating systems (XP, Vista, 7 and 8), Windows server operating systems (2000, 2003, 2008 and 2008 R2), and application suites (including Lotus and SWIFT banking and messaging systems). The tools allow malicious actors to run commands on, and gain access to, hosts running those operating systems and applications.

Windows Patches
Microsoft released security bulletin MS17-010 ( https://technet.microsoft.com/en-us/library/security/ms17-010.aspx ) on March 14, 2017, a month before the dump. It addresses the SMBv1 vulnerabilities that several of the tools exploit and that had not been publicly disclosed before the update shipped. Other tools exploit vulnerabilities patched years earlier (e.g. MS08-067 and MS10-061), so a host that is current on updates is not exposed to those.

Unpatched Windows Vulnerabilities
Some of the tools exploit previously unknown vulnerabilities in End-of-Life (EoL) systems such as Windows XP, Server 2000 and Server 2003. Because these systems are EoL, no official patches are expected.

Remediation
In addition to normal patch and vulnerability management, clients and users are advised to apply MS17-010 as soon as possible, treating it as a Critical priority, and to confirm that the older bulletins the toolset relies on (e.g. MS08-067 and MS10-061) are already installed.

Where possible, clients and users with EoL systems (e.g. Windows XP and Server 2003) are advised to migrate to supported systems. As this is not always feasible from a business standpoint, clients that cannot migrate immediately are advised to secure those systems as far as possible by limiting port and service access (SMB on TCP 139/445 is the principal target of the Windows tools), applying endpoint protection, and limiting network access to the hosts.
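The following script is an added example, not code from the original post or from Critical Start. It turns the two recommendations above (verify MS17-010 is installed; on hosts that cannot be patched, restrict SMB) into a single audit-and-harden pass. It runs under Windows PowerShell from an elevated prompt, and it assumes the `$Ms17010Kbs` list, the function names and the firewall rule names, none of which appear on the page; the KB list was taken from the MS17-010 bulletin and should be verified against it before use.

```powershell
<#
Added example, not code from the Critical Start post. Audits a Windows host for
the MS17-010 update and, with -Harden, reduces SMB exposure on a host that cannot
be patched (the EoL case above). Run from an elevated Windows PowerShell prompt.

Assumptions, to be verified against the MS17-010 bulletin before use:
  - $Ms17010Kbs lists the update packages published with MS17-010 per OS family.
  - A host updated later through a cumulative rollup will not show these IDs;
    compare the reported srv.sys version with the bulletin's file table instead.
#>
param(
    [switch]$Harden,          # apply the mitigations instead of only reporting
    [string]$AllowSmbFrom     # optional subnet (e.g. 10.0.5.0/24) that may still reach SMB
)

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # Vista / Server 2008
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 / Server 2016, by build
)

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server configuration cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: SMBv1 is on unless LanmanServer\Parameters\SMB1 is explicitly 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($val -ne 0)
}

function Get-Ms17010Status {
    $os = Get-WmiObject Win32_OperatingSystem
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $matched = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    $kbText = 'not found'
    if ($matched.Count -gt 0) { $kbText = $matched -join ',' }

    # srv.sys is the SMBv1 server driver that MS17-010 replaces; its version is the
    # reliable indicator once later rollups have hidden the original KB ID.
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = 'missing'
    if (Test-Path $srv) { $srvVersion = (Get-Item $srv).VersionInfo.FileVersion }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption
        Ms17010KB     = $kbText
        SrvSysVersion = $srvVersion
        Smb1Enabled   = Test-Smb1Enabled
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method Microsoft documents for Windows 7 / Server 2008 R2; takes
        # effect after a restart. XP / 2003 have no SMBv2, so turning SMBv1 off there
        # removes file sharing entirely; rely on the firewall for those hosts.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-SmbInbound {
    param([string]$AllowFrom)
    # netsh advfirewall exists on Vista / Server 2008 and later. XP / 2003 use the
    # older 'netsh firewall' syntax, which can only close the sharing exception.
    if ($AllowFrom) {
        # Windows Firewall evaluates block rules before allow rules, so a global block
        # cannot be punched through for one subnet. Instead disable the built-in sharing
        # exception (group name is localized), make the default inbound action Block,
        # and allow SMB from the one subnet only.
        netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound" | Out-Null
        netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null
        netsh advfirewall firewall add rule name="SMB from management subnet only" dir=in action=allow protocol=TCP "localport=139,445" "remoteip=$AllowFrom" | Out-Null
    } else {
        netsh advfirewall firewall add rule name="Block inbound SMB (MS17-010 mitigation)" dir=in action=block protocol=TCP "localport=139,445" | Out-Null
    }
}

$status = Get-Ms17010Status
$status | Format-List Computer, OS, Ms17010KB, SrvSysVersion, Smb1Enabled

if ($Harden) {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $admin) { throw 'Run from an elevated prompt to apply hardening.' }

    if ($status.Smb1Enabled) { Disable-Smb1 }
    Block-SmbInbound -AllowFrom $AllowSmbFrom
    Write-Host 'Hardening applied. Restart older hosts for the SMB1 registry change to take effect.'
}
```

Run it without switches first (`.\Check-Ms17010.ps1`) to see whether the host reports one of the MS17-010 packages and whether SMBv1 is still enabled; a host that shows neither the KB nor an updated `srv.sys` is the case the Remediation section is about. `-Harden` on its own blocks all inbound SMB, which is the right default for a workstation or an EoL server that serves no shares; `-Harden -AllowSmbFrom 10.0.5.0/24` keeps SMB reachable from one management subnet. The design choice worth noting is the second branch: Windows Firewall gives block rules precedence over allow rules, so "block everything, then allow the subnet" silently fails, and the scoped allow has to sit on top of a default-deny profile instead.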

To discuss specific remediation strategies, please reach out to your Critical Start Account Manager.

Critical Start is the fastest-growing cybersecurity integrator in North America. Our mission is simple: protect our customers’ brands and reduce their business risk. We do this for organizations of all sizes through our award-winning portfolio of end-to-end security services – from security-readiness assessments using our proven framework (the Defendable Network) to the delivery of managed detection and response, incident response, professional services, and product fulfillment. Critical Start has been named to the CRN 2018 Tech Elite 250 and top 100 Security MSPs lists.