The Shadow Brokers (TSB) vs. Equation Group: Third Time is the Charm

WikiLeaks, The Shadow Brokers, and others are making the most of the tools leaked or stolen from the Equation Group — a name applied alternately to the set of tools and to the operators behind that collection, who are widely considered to be tied to the US National Security Agency.  In August of last year, the Shadow Brokers hacking group — which many consider affiliated with Russian intelligence — announced that it had stolen the collection of tools from the Equation Group, and put them up for auction to the highest bidder.

In March, WikiLeaks made public the “Vault7” information about a similar collection of hacking tools.  This second wave did not contain executable software, but rather a large assemblage of information about vulnerabilities, exploit tool development, and details of operations and maintenance. Even so, it contained sufficient detail about undisclosed vulnerabilities, for example in the details of the “EXTRABACON” tool, that it was considered a 0-day event for certain network devices. 

Not to be outdone this past week in April, the Shadow Brokers released a large set of operable tools thought to be the collection they were unsuccessful at auctioning and a majority of what had been originally taken from Equation Group. It is unclear if this is actually the full collection they had in hand or a subset, but the security implications are sufficient to warrant priority response either way.

What we know

Released under a post titled “Lost in Translation” this past week, this data dump contains almost 300 MB of hacking tools and data. It targets a range of Windows client and server operating systems up to Windows 10 and Server 2016, as well as Linux systems; applications including the SWIFT banking system; and specific client-side tools that target Lotus Domino, Outlook rules, and others. There is even a management framework for exploit delivery and C2, similar to Metasploit, called FuzzBunch.

While initial reports indicated the collection contained a large number of 0-day attacks against Windows systems, Microsoft claimed by the end of the week that they had issued patches or previously fixed all reported Windows exploits in MS17-010. Our own analysis corroborates other researchers’ findings that most of the other vulnerabilities — particularly those that exploit the remote use of services and protocols typically used only on an internal network — would be blocked by typical firewall configurations on a relatively well secured and managed network.

Perspectives and approach

That’s not to say there’s little to worry about. Far from it: A very large number of tools have been put in the hands of the public, which means the pool of adversaries has grown to include many who would not have had the sophistication to build or obtain a well-rounded toolset, and those that already were sophisticated now have ever more resources at their disposal.

The positive news is at least twofold: First, the collection of offensive tools is relatively well organized, which makes defensive analysis easier to structure and proceed through. As the pragmatist philosopher Dewey put it, “a problem well put is half solved.” This eases the process of research, testing, and development of accurate detection mechanisms to best identify and block malicious activities as they evolve and proliferate. Second, some of the most severe and widespread risks are on platforms for which Microsoft has already released patches, or for which upgrades of older systems removed the vulnerabilities years ago. 

The bad news is that this is a large collection that requires triage and analysis against the actual attack surfaces of a wide swath of customers to identify the highest risks and treat them with priority. Unpatched systems or older vulnerable web applications may persist for a variety of good and bad reasons; sometimes governance and compliance requirements dictate that specific application and operating system versions remain in service; while in other cases customers may not have the resources or knowledge to protect themselves or upgrade their way out of certain pits of risk.

Approach and coverage

Our Intelligence and Research groups have identified key components that pose a high risk to our customers.  This also informs our normal process of engagement between customers and the Alert Logic Security Operations Center (SOC), and feeds the process of investigating, developing, testing, and deploying new detection capabilities for our SOC teams as a standard service component for all of our customers.  Where there is a convergence between the tools and their utility and our customers’ aggregate attack surface, the resultant risk is treated with priority. 

Adventures in Windows SMB

Several of the exploit tools examined run against Windows services that use the Server Message Block (SMB) protocol, including ErraticGopher, EternalRomance, EternalBlue, EternalSynergy, and the associated DoublePulsar payload.

  • ErraticGopher appears to be the first tool of this batch to target SMBv1 on Windows XP and Server 2003, accompanied by ErraticGopherTouch to probe for the vulnerability on targeted systems. Use of either of these tools would be blocked by a typical web application firewall (WAF), which is some consolation given the news that this 0-day won’t be patched, as the targets are too far out of support.
  • EternalChampion is accompanied by DoublePulsar (“DoPu”), a C2 payload dropped after a successful EternalChampion SMBv1 exploit.  DoublePulsar establishes a covert channel for C2 control of the exploited system. While we currently exclude EternalChampion here and list it below for further investigation, Alert Logic has developed detection logic for the DoublePulsar C2 channel, and will shortly have it deployed fully to protect customers and inform the SOC of attempts.
  • EternalRomance also uses an SMBv1 vulnerability, but to different ends — providing remote code execution (RCE) to the tool’s operator with a refined user interface. Research indicates this is applied as a one-and-done tool and would be used against different targets where persistence was not required (consequently there is no opportunity to detect a control channel). Alert Logic is continuing to investigate.
  • EternalBlue appears to be a further iteration, which The Shadow Brokers claim provides operators with SMBv2 exploit capability on Windows 7 SP1, in addition to NetBT. However, Microsoft indicates it exploits the SMBv1 vulnerability on that platform as well, and the bulletins and patch advice provided are identical.  Alert Logic telemetry indicates EternalBlue is used to drop a payload for covert C2 in the same fashion as DoublePulsar, and we are currently deploying detection logic to customers.
  • EternalSynergy uses an SMBv3 vulnerability to provide remote code execution (RCE) similar to EternalRomance, hardcoded against Windows 8 and Server 2012 SP0.  Detection logic for this variant of RCE network exploit attempt is under investigation.

Typical WAF configurations already block SMB from the internet, and Alert Logic’s vulnerability scanning provides notice to customers of configurations that would create exposure to SMB exploits such as ErraticGopher, EternalChampion, EternalRomance, EternalBlue, and EternalSynergy.
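A host already carrying the DoublePulsar SMB implant can be recognised by a widely published heuristic: the implant's hooked SMB Trans2 handler answers a SESSION_SETUP probe sent with Multiplex ID 0x41 using MID 0x51, while an unhooked host echoes 0x41 with STATUS_NOT_IMPLEMENTED. The Python below is an added example, not Alert Logic's detection logic and not from the original post; it only parses a captured SMB1 response (for instance from a packet capture of a defender's own probe) and applies that check, with the header layout taken from MS-CIFS and the sample packets constructed inline.

```python
import struct

# Layout of an SMB1 message on TCP/445: a 4-byte NetBIOS session header
# followed by the 32-byte SMB header (offsets and constants from MS-CIFS).
NBT_HDR_LEN = 4
SMB_HDR_LEN = 32
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002
# Published heuristic, assumed here (not Alert Logic's logic): a Trans2
# SESSION_SETUP probe sent with Multiplex ID 0x41 is answered with MID 0x51
# by the implant's hooked handler, while a clean host echoes 0x41.
MID_CLEAN = 0x41
MID_IMPLANT = 0x51


def parse_smb_header(packet: bytes) -> dict:
    """Parse the NetBIOS and SMB1 headers of a raw message into a dict."""
    if len(packet) < NBT_HDR_LEN + SMB_HDR_LEN:
        raise ValueError("packet too short for an SMB1 header")
    smb = packet[NBT_HDR_LEN:NBT_HDR_LEN + SMB_HDR_LEN]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    # magic, command, status, flags, flags2, pid_high, security features,
    # reserved, tid, pid_low, uid, mid
    f = struct.unpack("<4sBIBHH8sHHHHH", smb)
    return {"nbt_length": int.from_bytes(packet[1:4], "big"), "command": f[1],
            "status": f[2], "flags": f[3], "tid": f[8], "uid": f[10], "mid": f[11]}


def classify_trans2_response(packet: bytes) -> str:
    """Label a captured reply to the probe as 'implant', 'clean' or 'unknown'."""
    hdr = parse_smb_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2 or hdr["status"] != STATUS_NOT_IMPLEMENTED:
        return "unknown"  # not a reply to this probe; do not guess
    return {MID_IMPLANT: "implant", MID_CLEAN: "clean"}.get(hdr["mid"], "unknown")


def build_sample_response(mid: int) -> bytes:
    """Constructed Trans2 reply (not a real capture) carrying the given MID."""
    smb = struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, SMB_COM_TRANSACTION2,
                      STATUS_NOT_IMPLEMENTED, 0x98, 0xC807, 0, b"\0" * 8, 0,
                      0x0800, 0xFEFF, 0x0800, mid)
    body = b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0
    return b"\x00" + len(smb + body).to_bytes(3, "big") + smb + body
```

Any response that is not a Trans2 reply with STATUS_NOT_IMPLEMENTED is reported as unknown rather than forced into one of the two buckets, so unrelated SMB traffic in a capture does not produce false "clean" verdicts.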

Directory and authentication exploits

For sophisticated adversaries, the best prizes are often the ability to assume the identity of a privileged account as quickly after initial exploit as possible. From that point on, there are few opportunities to detect security errors or alerts – just deviations from normal behavior within the authorized bounds.  These tools fit into that operational approach and are often the last opportunity to detect an adversary before they blend into the environment.

  • ZippyBeer is an exploit against Kerberos services in a Windows Domain Controller that leverages an authenticated connection via SMB.  Since it is written as a Python script, detection options include an intrusion detection system (IDS) recognizing SMB network activity between unusual platform combinations, and/or Windows log-based detection of .py scripts that open the distinctive pattern of connections.  Alert Logic is continuing to investigate.
  • EsteemAudit is a Remote Desktop Protocol (RDP) exploit that installs an implant on Windows Server 2003 and XP by exploiting SmartCard authentication. Microsoft indicates it won’t patch this 0-day exploit as the platforms are too old.  However, Alert Logic has detection logic available for anomalous RDP connections (as legitimate RDP is most often within a VPN session), and scanning services will alert customers to exposure. That said, due to the age of the target systems and the relatively high noise from false-positive detection, customers should contact Alert Logic to consider options for detection or blocking.
  • EskimoRoll is another Kerberos exploit against Active Directory domain controllers on Windows Server 2000, 2003, 2008 and 2008 R2. Microsoft indicates this was patched several years ago by MS14-068, and Alert Logic is examining telemetry to verify existing detection logic remains effective.
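The anomalous-RDP detection mentioned above rests on one observation: legitimate RDP arrives from the VPN pool, so RDP from any other source deserves a look, and one source walking RDP on several hosts deserves priority over a single stray session. The Python below is an added example, not Alert Logic's detection logic and not from the original post; the VPN pool, the flow-record format ("src_ip dst_ip dst_port") and the records themselves are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed VPN client pool (constructed for this example, not Alert Logic's config).
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")
RDP_PORT = 3389

# Constructed flow records "src_ip dst_ip dst_port", not real telemetry.
SAMPLE_FLOWS = """\
10.8.4.21 10.0.1.15 3389
203.0.113.9 10.0.1.15 3389
203.0.113.9 10.0.1.16 3389
203.0.113.9 10.0.1.17 3389
10.8.4.22 10.0.1.15 443
198.51.100.77 10.0.1.15 3389
bad line
"""


def rdp_outside_vpn(flows: str, vpn_pool=VPN_POOL) -> dict:
    """Map each non-VPN source that reached RDP to the set of hosts it reached."""
    reached = defaultdict(set)
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # tolerate malformed records instead of failing the batch
        src, dst, port = parts
        if int(port) != RDP_PORT:
            continue
        if ipaddress.ip_address(src) not in vpn_pool:
            reached[src].add(dst)
    return dict(reached)


def prioritise(reached: dict, min_hosts: int = 2) -> list:
    """Sources touching RDP on at least min_hosts distinct servers, widest first.

    One stray RDP session from outside the VPN is often noise; the same source
    reaching several hosts is the lateral-movement pattern worth paging on.
    """
    return sorted((src for src, hosts in reached.items() if len(hosts) >= min_hosts),
                  key=lambda s: -len(reached[s]))
```

Lowering min_hosts to 1 turns the function back into the noisier "any RDP from outside the VPN" alert, which is the trade-off the post describes for these older targets.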

Frameworks and C2 management

Beyond specific exploits, the Equation Group toolset included some framework tools for managing and coordinating activity. These are targeting, queueing, and maintenance tools, often used for hard targets or sustained campaigns. Finding these tools on an internal network after seeing lateral movement, or seeing a pattern of inbound activity that indicates they are being used by an adversary, are both very bad signs.

  • FuzzBunch is an exploit framework, similar in concept to Metasploit, written in Python 2.6. Early research shows it has inbuilt fingerprinting functions as well as the ability to load RCE exploits such as the SMB exploit in ZippyBeer. In rare cases, this tool might be brought into a network for lateral movement and extended persistence in a large enterprise. Alert Logic is therefore focused on investigating both the distinctive inbound network signatures of the inbuilt functions, as well as detectable attack behaviors stemming from the patterns the control code makes available to operators.
  • OddJob is an implant builder and C2 server that can deliver exploits for Windows 2000 and later.  As with FuzzBunch, Alert Logic is focused on investigating both the distinctive inbound network signatures of the implant creation functions, as well as detectable overt or covert C2 traffic produced by the tool.

In the queue

The collection of challenges includes some which are best addressed after examining others that appear to be their components, while others require a combination of resources. Alert Logic is evaluating approaches to the following:

  • EternalChampion is another SMB exploit, and we expect it will join the collection noted above. It works against recent platforms not yet patched for CVE-2017-0147.  An early investigation indicated the C2 component DoublePulsar presented a more expedient opportunity for detection, and it is listed above. Alert Logic is investigating the larger tool in the context of the other SMB exploits and expects to expand recent coverage to include this.
  • EnglishmansDentist is a remote exploit against clients running Outlook Web Access (OWA) and SMTP, designed to inject and trigger a redirection rule to send mail to another person.  It appears this could be leveraged successfully against cloud-based services; Alert Logic is working with Intelligence partners to examine broader telemetry and develop a course of action to best use our network visibility.
  • EchoWrecker is a remote exploit against Samba 3.0.x running on Linux platforms.  Samba 3.0.x went out of support in 2009, and the last 3.x version was deprecated two years ago. There are no plans to patch this exploit. However, some Linux server platforms continue to support this older Samba version for application compatibility, and Alert Logic is investigating.

Further back

Many other components of the Equation Group toolset appear to be too old for immediate concern, or don’t pose a risk to our customers’ profile. Some of these include:

  • ExpiredPaycheck and ExplodingCan are IIS6 exploits, long since out of support.  It’s worth noting that external researchers have reviewed the code and found the WebDAV exploit elegantly done, and it is possible this code or framework will resurface in another form.
  • EmeraldThread is a remote SMB exploit for XP and 2003 that delivers a payload similar in form to Stuxnet. Microsoft patched this with MS10-061 in 2010.
  • EducatedScholar is another SMB exploit, patched by Microsoft with MS09-050 in 2009.
  • EclipsedWing is an RCE exploit for SMB in Windows Server 2000, 2003 and XP, but Microsoft patched this with MS08-067 in 2008.

The long game

Regarding a timeline of where this current wave will go, we expect it will settle out within a few weeks. However, much is subject to change: the Shadow Brokers have indicated they have another collection they are preparing to drop, online activity and hard telemetry tell us that the volume of uptake by new actors is just beginning, and the situation will evolve. We keep evaluating the current threat landscape and activity around these exploits so that we can quickly re-assess our priorities as new information emerges. In the interim:

  • Patch systems regularly and follow vendor advice for mitigation
  • Follow client-side hygiene practices, and follow OS vendor advice for baseline security
  • Keep current with Alert Logic and our network, web application, scan, and log alerts

The Alert Logic Threat Intelligence team continues to monitor the situation, comparing how it develops against knowledge and prior analysis of technical, behavioral, and other observable patterns. Updates will be posted at AlertLogic.com; for more information contact ThreatIntel@AlertLogic.com.

About the Author

Jon Espenschied - Threat Intelligence Manager, Experience & Interface


Jon Espenschied manages the Threat Intelligence group at Alert Logic, and splits his time between operational security and response, and threat modeling research and automation to improve security defense capabilities. Prior to Alert Logic, Jon spent five years in Microsoft’s network security and threat intelligence groups, about ten years with @Stake, Symantec, and other consultancies, and led groups at AT&T Wireless and a United Nations agency in the Middle East. Jon holds a B.A. from Occidental College and graduate certificates in technical management from UCLA.
