Mitigating Against the Shadow Broker Exploit Dump | Critical Start

Mitigating Against the Shadow Broker Exploit Dump

On Friday, April 14, a group called “Shadow Brokers” released multiple exploits and tools, purported to be from the NSA, in a post entitled “Fifth Leak: Lost in Translation”. Over the holiday weekend, the CRITICALSTART research team and the wider InfoSec community went through and analyzed many of the tools.


Affected Systems
The tools consist primarily of Windows binaries (executables) and Python scripts. They target a wide range of software, including Windows desktop operating systems (XP, Vista, 7, and 8), Windows server operating systems (2000, 2003, 2008, and 2008 R2), and application suites (including Lotus and the SWIFT banking and messaging systems). The tools allow malicious actors to run commands on, and gain access to, hosts running those operating systems and applications.


Windows Patches
Microsoft released a security patch, MS17-010, that addresses the previously unknown vulnerabilities exploited by this toolset. Other tools exploit vulnerabilities that have already been patched (e.g. MS08-067, MS10-061, etc.).


Unpatched Windows Vulnerabilities
Some of the tools exploit previously unknown vulnerabilities in End of Life (EOL) systems, such as Windows XP, Server 2000, and Server 2003. As these systems are EOL, no official patches are expected to be released.


In addition to normal patch and vulnerability management, clients and users are advised to apply MS10-061 as soon as possible, treating the patch as a Critical Priority.

If possible, clients and users with EOL systems (e.g. Windows XP and Server 2003) are advised to migrate to supported systems. As this is not always feasible in a business sense, clients that are unable to migrate immediately are advised to secure those systems as best they can by limiting port and service access, applying endpoint protection, and limiting network access to the hosts.
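The following script is an added example, not part of the original advisory, that audits a supported Windows host against the steps above: whether an MS17-010 update is installed, whether the SMBv1 server protocol that MS17-010 patches is still enabled, and whether inbound TCP/445 is scoped to a management network. It assumes an elevated session on Windows 8 / Server 2012 or later (the Smb* and NetFirewall cmdlets do not exist on older hosts), that $Ms17010Kbs is filled in with the KB numbers from the bulletin for the host's OS (left as a placeholder here, since they differ per OS), and that 10.0.0.0/8 stands in for your management network.

```powershell
# Added example (not Critical Start's code). Run elevated on Windows 8 / Server 2012+.
param(
    [string[]] $Ms17010Kbs = @('KB<fill-in-from-MS17-010-for-this-OS>'),  # placeholder
    [string[]] $AllowedSmbSources = @('10.0.0.0/8'),                      # assumed mgmt network
    [switch]   $Remediate                                                  # audit-only by default
)

# 1. Patch status: MS17-010 ships as OS-specific KBs, so compare the installed list against it.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present   = $Ms17010Kbs | Where-Object { $installed -contains $_ }
if ($present) { Write-Output "MS17-010 present: $($present -join ', ')" }
else          { Write-Warning "No MS17-010 KB from the supplied list is installed" }

# 2. Service exposure: SMBv1 is the protocol MS17-010 patches; disable it where unused.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is enabled"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
} else {
    Write-Output "SMBv1 server protocol is disabled"
}

# 3. Port exposure: scope the built-in inbound SMB allow rule to the management sources only.
$rules = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($rule.Enabled -eq 'True' -and $addr -eq 'Any') {
        Write-Warning "Rule '$($rule.Name)' allows TCP/445 from Any"
        if ($Remediate) { $rule | Set-NetFirewallRule -RemoteAddress $AllowedSmbSources }
    } else {
        Write-Output "Rule '$($rule.Name)' is disabled or already scoped ($addr)"
    }
}
```

Run without -Remediate first to review the findings; with -Remediate it disables SMBv1 and scopes the SMB allow rule, so confirm that nothing on the host still depends on SMBv1 or on unrestricted 445 access.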

To discuss specific remediation strategies, please reach out to your CRITICALSTART Account Manager.

