
Update 16.04.2017: Added new tools and 0-days against Solaris, Redhat, Avaya Call Server and Samba.

Update 17.04.2017: Confirmed observations of ransomware distribution leveraging the leaked NSA exploits.

Update 20.04.2017: Added CVE details to exploits (where available), new exploits, updated descriptions, updated summary, added references.

Update 21.04.2017: Added update to summary that as of 20.04.2017, approximately 15 000 systems have been observed to be compromised with "DoublePulsar".

Update 25.04.2017: Added update that the number of compromised hosts with “DoublePulsar” installed is now reported to be more than 200 000 machines. Updated summary to reflect that Argus Continuous Vulnerability Monitoring (part of the Argus Managed Defence suite) customers will now receive notifications if any of their internal or external systems have “DoublePulsar” installed.

Update 15.05.2017: Added update to summary regarding the WannaCry ransomworm that spread across the Internet on Friday May 12th by leveraging the EternalBlue exploit.

Update 27.06.2017: Added update to summary regarding the Petya/ NotPetya/ GoldenEye ransomware spreading. For more information about this, please visit our latest advisory here.

Last year a group calling itself “The Shadow Brokers” attempted to auction a data dump it claimed came from the NSA. The dump consisted of multiple tools and information about vulnerabilities in a wide range of applications and operating systems. At the time, the group was not able to sell the dump at its desired price. The actor behind the tools and exploits has also been called “Equation Group”.

On April 8th, 2017 The Shadow Brokers published the password for one of the encrypted dumps that was made public last year. This dump included several tools and vulnerabilities for attacking Linux and other Unix-based operating systems and applications.

On the 14th of April the group made three more data dumps available. These dumps include vulnerabilities, tools, operational notes (allegedly) from the NSA and a framework for running exploits and building malware. Among them are several vulnerabilities that can be used to target Windows operating systems ranging from Windows XP to Windows 2016.

Most of the vulnerabilities in the published dumps were patched by Microsoft in March 2017. Argus Managed Defence, mnemonic’s Managed Detection and Response (MDR) service, detects most of the disclosed attacks and has had signatures in both its log analysis and network detection services for quite some time. The Argus Continuous Vulnerability Monitoring service (part of the Argus Managed Defence suite) also detects systems compromised by “DoublePulsar”.

The data in the dumps seems to be from 2013 and earlier and therefore does not appear to include any ready-to-use exploits against Windows 10 or Windows 2016.

While the exploits and attack tools are important to build detection capabilities and mitigation strategies for reducing the attack surface, of even more concern may be the additional data and tools in the dump.

The data includes a playbook on how an advanced attacker can compromise networks, maintain persistence and remain undetected. The tools include advanced capabilities for hiding backdoors, control channels and installed utilities, along with deleting single records within log files and changing timestamps. Although some of the techniques are not new, they are now gathered together and include documentation that enables any threat actor to attack with advanced capabilities.

Update 21.04.2017: Multiple reports confirm that the leaked tools are being used to exploit and compromise machines and networks. Initial scanning with Shodan on Thursday April 20th showed around 15 000 systems compromised with "DoublePulsar".

Update 25.04.2017: The number of compromised hosts with “DoublePulsar” installed is now reported to be more than 200 000 machines. Note that customers of mnemonic's Argus Continuous Vulnerability Monitoring service (part of the Argus Managed Defence suite) will receive notifications if any of their internal or external systems have “DoublePulsar” installed.

Update 15.05.2017: On Friday May 12th, the WannaCry ransomware was distributed using a worm leveraging the EternalBlue SMB exploit. The worm exploits the SMB vulnerability patched by Microsoft in March 2017 (MS17-010) and spreads itself both on the local network and over the Internet on port 445. After successful exploitation, it installs the DoublePulsar backdoor and then proceeds to load the ransomware component. Numerous technical articles about this attack have been published, and the attack has been covered extensively by the mass media. The WannaCry attack also has a dedicated Wikipedia page. The only confirmed distribution vector is through the EternalBlue SMB exploit.
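The worm behaviour described above (one host opening SMB connections to many peers on the local network and on the Internet over port 445) is visible in flow or firewall logs before any payload is identified. The following is an added detection example written for this advisory, not code from mnemonic or from the leaked tools; the flow records, the 10.0.0.0/8 internal range, the 60-second window and the threshold of 10 peers are all constructed assumptions that would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption (constructed value): the organisation's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internet(addr):
    """True when the destination lies outside the configured internal networks."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, dport, proto) for illustration."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    flows = []
    # Worm-like host: 12 internal peers plus 2 Internet addresses on TCP/445 in 26 seconds.
    targets = [f"10.0.0.{n}" for n in range(20, 32)] + ["203.0.113.5", "198.51.100.7"]
    for i, dst in enumerate(targets):
        flows.append((t0 + timedelta(seconds=2 * i), "10.0.0.15", dst, 445, "tcp"))
    # Normal host: many SMB sessions, but all to the same file server.
    for i in range(20):
        flows.append((t0 + timedelta(seconds=i), "10.0.0.50", "10.0.0.2", 445, "tcp"))
    # Slow host: 12 distinct SMB peers spread over two hours (one every 10 minutes).
    for i in range(12):
        flows.append((t0 + timedelta(minutes=10 * i), "10.0.0.80", f"10.0.1.{i}", 445, "tcp"))
    # Unrelated web traffic that must be ignored.
    flows.append((t0, "10.0.0.60", "10.0.0.70", 80, "tcp"))
    return flows


def smb_fanout_alerts(flows, window_seconds=60, threshold=10):
    """Return {src: {"distinct": n, "internet": m}} for every source that reached at
    least `threshold` distinct hosts on TCP/445 within any window of `window_seconds`.
    `distinct` is the largest such count seen for that source and `internet` how many
    of those destinations were outside INTERNAL_NETS."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window over the time-ordered SMB events of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            alerts[src] = {"distinct": len(best),
                           "internet": sum(1 for d in best if is_internet(d))}
    return alerts


if __name__ == "__main__":
    for src, info in smb_fanout_alerts(build_sample_flows()).items():
        print(f"{src}: {info['distinct']} SMB peers in 60s, {info['internet']} on the Internet")
```

Only the fast fan-out host is flagged with the default window; the host that reaches the same number of peers over two hours only shows up when the window is widened, which is the trade-off between catching slow scans and alerting on ordinary file-server use.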

What is it?

“The Shadow Brokers” have released three data dumps:

  • Windows: A dump with tools and exploits for exploiting Windows operating systems and third-party applications running on Windows.
  • Oddjob: A framework for building and controlling malware running on compromised Windows machines.
  • SWIFT: Operative notes and data dumps from attacks against providers and financial institutions connected to the economic transactions in the Middle East.

How does this affect me/us?

The vulnerabilities and tools grant anyone the capabilities of an advanced attacker. While such capabilities already exist through Metasploit, the difference is that there are now multiple vulnerabilities in widely deployed applications and operating systems paired with the tools. Several of the published exploits can also be used in worms and other widespread attacks.

It is expected that ransomware and other malware from cybercriminals leveraging these vulnerabilities and tools will appear within days. Most of the vulnerabilities can be mitigated by updating the software with the latest patches. The actual malicious code currently has low to no detection. Some of the malicious code also runs in the kernel of the operating system and, once installed, is difficult to detect both on the network and on the system itself.

Update: On April 16th we observed exploits from the Shadow Brokers dump being repurposed for the distribution of ransomware. 

Technical details

Unfortunately for defenders, this was published on the Friday of the Easter holidays, and the data dumps are large. There is currently limited information about the extent of the dump, but our initial investigations indicate that it will cause substantial damage to multiple organizations.

We have added CVE details for the exploits where we have matched them to existing vulnerabilities (or newly assigned CVEs). The CVE descriptions can help you identify whether your organization has any of the vulnerable applications (and versions) installed and how to mitigate the vulnerabilities. Most of the exploits in the dumps target old applications and versions. Most of these are no longer supported by the vendors, or the vendors have patched the vulnerabilities. Some of the exploits are in the 0-day category.

Some of the details we currently have available:

Exploits

List of codenames for the various exploits and the current knowledge about them.

  • Catflap

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: Most likely CVE-2001-0797 / CVE-2002-1689

Description: An exploit for the telnetd daemon on Solaris 6-9, exploiting a known vulnerability in /bin/login.

  • Earlyshovel

CVE: Unknown/currently not assigned

Description: Contains an exploit against Sendmail 8.11.x on Red Hat Linux, delivered over SMTP.

  • Easybee

MD5: 2dee8e8fccd2407677fbcde415fdf27e

SHA256: 59c17d6cb564edd32c770cd56b5026e4797cf9169ff549735021053268b31611

CVE: CVE-2007-1675

Description: Contains exploit code for attacking installations of the MDaemon private mail server. It exploits the WebAdmin GUI for MDaemon through HTTP/HTTPS and is valid for versions 9.5.2-10.2.1. The vulnerability was a 0-day at the time of release.

  • Easypi

MD5: 7e1a081a93d07705bd5ed2d2919c4eea

SHA256: dc1ddad7e8801b5e37748ec40531a105ba359654ffe8bdb069bd29fb0b5afd94

CVE: Unknown/Currently not assigned

Description: Contains exploit code for attacking Lotus CC:mail servers.

  • Ebbisland/Ebbshave

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: CVE-2001-0236

Description: This exploits a vulnerability in Solaris RPCXDR. The vulnerability exists in Solaris 6-10. 

  • Echowrecker

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: CVE-2003-0201

Description: This exploits a vulnerability in Samba running on Linux systems. The vulnerability exists in version 3.0.x.

  • Eclipsedwing

MD5: 195efb4a896e41fe49395c3c165a5d2e

SHA256: 48251fb89c510fb3efa14c4b5b546fbde918ed8bb25f041a801e3874bd4f60f8

CVE: CVE-2008-4250

Description: SMB/NBT exploit attacking Windows 2003 and earlier platforms. The vulnerability is in the Server service and can be exploited both through SMB (TCP/445) and NBT (TCP/139). Microsoft patched this vulnerability in 2008 in the MS08-067 update.

  • Educatedscholar

MD5: 0bc136522423099f72dbf8f67f99e7d8

SHA256: 4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d

CVE: CVE-2009-3103

Description: SMB exploit targeting older Windows platforms. Microsoft patched the vulnerability used in this code in the MS09-050 update.

  • Elatedmonkey

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: Unknown/Currently not assigned

Description: Exploits a vulnerability in cPanel Management for privilege escalation.

  • Eleganteagle/ToffeeHammer

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: Unknown/Currently not assigned 

Description: Remote exploit against webmail administration software, such as Mailman.

  • ELV

MD5: c716ad40c0aaef9b936595ba1e9365cd

SHA256: f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f

CVE: CVE-2006-3439

Description: Exploits a vulnerability in the Server service in Windows operating systems. Microsoft patched this vulnerability in 2006 in the MS06-040 update.

  • Emeraldthread

MD5: 52933e70e022054153aa37dfd44bcafa

SHA256: 7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5

CVE: Unknown/Currently not assigned 

Description: This exploits a vulnerability in SMB and drops an implant. This can be exploited both through SMB (TCP/445) and NBT (TCP/139). Microsoft patched the vulnerability in 2010 in the update MS10-061.

  • Emphasismine

MD5: 76237984993d5bae7779a1c3fbe2aac2

SHA256: dcaf91bd4af7cc7d1fb24b5292be4e99c7adf4147892f6b3b909d1d84dd4e45b

CVE: Unknown/Currently not assigned 

Description: This exploits vulnerabilities in IBM Lotus Domino through the IMAP service. The vulnerability is currently described as a 0-day without any known fix. The recommended action is to disable IMAP towards this service until further information is available.

  • Englishmansdentist

MD5: 305a1577298d2ca68918c3840fccc958

SHA256: 2a6ab28885ad7d5d64ac4c4fb8c619eca3b7fb3be883fc67c90f3ea9251f34c6

CVE: Unknown/Currently not assigned

Description: This may exploit an unknown vulnerability in Microsoft Exchange or Outlook. Currently it is still described as a 0-day attack, but Microsoft has stated that it will not work against any of the products currently supported.

  • EnvoyTomato

MD5: 8e7194010550332d9a14b6a3d25f8aa2

SHA256: 9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5

CVE: Unknown/Currently not assigned

Description: Linux kernel exploit targeting the Bluetooth interface.

  • Epichero

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: Unknown/Currently not assigned

Description: This exploits a vulnerability in Avaya Call Server.

  • EpoxyResin

MD5: 9317f8d751f6ac667940a0e65518f92a

SHA256: eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73

CVE: Unknown/Currently not assigned

Description: Linux kernel exploit targeting ptrace.

  • Erraticgopher

MD5: b4cb23d33c82bb66a7edcfe85e9d5361

SHA256: 3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052

CVE: Unknown/Currently not assigned

Description: SMB exploit targeting Windows XP and Windows 2003. This vulnerability was fixed by Microsoft before the release of Windows Vista.

  • ESKE

MD5: 22b6f3ae1a645e7bdf2b20682a1cb55e

SHA256: 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556

CVE: CVE-2003-0352

Description: Exploits a vulnerability in Windows DCOM. Patched by Microsoft in 2003 in the MS03-026 update.

  • Eskimoroll

MD5: 91ab4b74e86e7db850d7c127eeb5d473

SHA256: 0989bfe351342a7a1150b676b5fd5cbdbc201b66abcb23137b1c4de77a8f61a6

CVE: CVE-2014-6324

Description: This exploits a vulnerability in Microsoft's Kerberos implementation. The exploit targets Windows 2000 to Windows 2008. The vulnerability was fixed by Microsoft in 2014 in the MS14-068 update.

  • EsteemAudit

MD5: 1d2db6d8d77c2e072db34ca7377722be

SHA256: 61f98b12c52739647326e219a1cf99b5440ca56db3b6177ea9db4e3b853c6ea6

CVE: Unknown/Currently not assigned 

Description: This exploit targets a vulnerability in the RDP service, specifically in the smart card authentication method. The exploit works against Windows XP and Windows 2003. The vulnerability is currently described as a 0-day, but Microsoft has stated that it does not affect any supported platforms.

  • EternalBlue

MD5: 8c80dd97c37525927c1e549cb59bcbf3

SHA256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

CVE: Unknown/Currently not assigned

Description: This exploit targets the SMB implementation in Windows and works on Windows XP to Windows 2008. Microsoft released patches for this vulnerability in March this year in the MS17-010 update.

  • EternalChampion

MD5: d2fb01629fa2a994fbd1b18e475c9f23

SHA256: ce734596c2b760aa4b3f340227dd9ec48204a96cf0464ad1a97ae648b0a40789

CVE: CVE-2017-0146

Description: Exploits vulnerabilities in Microsoft's SMB implementation. The vulnerabilities are described in CVE-2017-0146 and CVE-2017-0147. Both were patched in the MS17-010 update from March this year.

  • EternalRomance

Version 1.3.0:

MD5: 8d3ffa58cb0dc684c9c1d059a154cf43

SHA256: f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d

Version 1.4.0:

MD5: 4420f8917dc320a78d2ef14136032f69

SHA256: b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b

CVE: Unknown/Currently not assigned 

Description: This exploits a vulnerability in the Windows SMB implementation. The vulnerability was fixed by Microsoft in March this year in the MS17-010 update.

  • EternalSynergy

MD5: 2a8d437f0b9ffac482750fe052223c3d

SHA256: 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34

CVE: CVE-2017-0714

Description: This exploits a vulnerability in Microsoft's SMB implementation. The vulnerability was fixed by Microsoft in March this year in the MS17-010 update.

  • Etre

MD5: ea147f8bf6e4fc490b8a92478ea247e4

SHA256: e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2

CVE: Unknown/Currently not assigned

Description: This exploits a vulnerability in IMAIL versions 8.10-8.22. The vulnerability was described as a 0-day at the time of release.

  • EVFR

MD5: f09f7c0818c61d11e80dfa4c519f75d3

SHA256: c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674

CVE: CVE-2003-0109

Description: This exploits a vulnerability in ntdll.dll. Microsoft patched this vulnerability in 2003 in the update MS03-007.

  • Ewokfrenzy

MD5: 84986365e9dfbde4fdd80c0e7481354f

SHA256: 348eb0a6592fcf9da816f4f7fc134bcae1b61c880d7574f4e19398c4ea467f26

CVE: CVE-2007-1675

Description: This exploits a vulnerability in Lotus Domino 6 and Lotus Domino 7. 

  • Excelberwick

CVE: Unknown/Currently not assigned

Description: This exploits a vulnerability in xmlrpc.php on Unix platforms. XML-RPC is used by multiple web packages on Unix platforms, such as Drupal, b2evolution and TikiWiki.

  • Explodingcan

MD5: dc53bd258f6debef8604d441c85cb539

SHA256: 97af543cf1fb59d21ba5ec6cb2f88c8c79c835f19c8f659057d2f58c321a0ad4

CVE: CVE-2017-7269

Description: This exploits a vulnerability in Microsoft Internet Information Services (IIS) version 6. It is currently considered a 0-day, but Microsoft has stated that it does not work on any supported platforms.

  • Extremeparr

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: Unknown/Currently not assigned 

Description: This exploits a 0-day vulnerability in Solaris “dtappgather”. The vulnerability is present in Solaris 7-11.

  • PassFreely

MD5 (two files): 13031e736ee4698b8c4813a8f2ae1848 and 3a63d2a31f60db565c61ee5307076980

SHA256 (two files): c68f420b5a5e085a508a2529ac001284a255090920a0236df1b5656d010966e8 and fe42139748c8e9ba27a812466d9395b3a0818b0cd7b41d6769cb7239e57219fb

CVE: Unknown/Currently not assigned

Description: PassFreely is an exploit for patching Oracle in memory. The exploit supports 386 versions of Oracle (7.2 to 11.2). It patches the Oracle binary in memory to allow unauthenticated access to the data stored in Oracle databases. SWIFT uses Oracle to store financial transactions.

  • Zippybeer

SHA256/MD5: Not applicable; the dump only contains a description of how to exploit, so there is no binary to hash.

CVE: Unknown/Currently not assigned

Description: Python framework for exploiting an authenticated Windows Domain Controller.

Although none of the exploits work against Windows 10 and Windows 2016, the Microsoft update MS17-010 also includes patches for these platforms, where the vulnerabilities have remote code execution impact. This means that you should make sure that all systems are running with the latest patches.

The dumps also include old exploits against SSH, Netscape Enterprise, dtscpdx (Solaris), Linux Xorg, Exim MTA, iPlanet and more. 

Tools/Utilities

The dump from “the Shadow Brokers” contains multiple tools and utilities for exploitation, command and control, data exfiltration and post-exploitation tasks. This part of the release perhaps represents the element that will have the most severe impact in the long run.

It contains detailed documentation on how an advanced attacker avoids detection, removes deployed tools and protects their control over the compromised environment. The tools show the advanced encryption tooling used, how to create hidden channels in and out of compromised networks and how to operate in environments running various operating systems.

List of codenames for tools and malware installed on compromised machines.

  • DanderSpritz

GUI-based framework for conducting post-exploitation tasks. The frontend interacts with an exploited machine and can perform multiple tasks related to post-exploitation and control of the host. Supports retrieving data, cleaning logs, changing timestamps and more.

  • Doublepulsar

Kernel-based backdoor, which can be reached by “port knocking” over RDP/SMB. Since the backdoor is installed at kernel level, it is difficult to detect. Some tools have been released that can scan machines over the network to detect an installed DoublePulsar.

  • FuzzBunch

Python based framework for running exploits and tools against target machines and applications. The framework is built for running on Windows machines. The version within the data dump from “the Shadow Brokers” contains 13 exploits and various additional tools for running on compromised machines. The framework is similar to the open source project Metasploit. 

  • GROK

Framework for keylogging first described in the Snowden release. Now released as part of the Windows-dump by Shadow Brokers.

  • Oddjob

Tool for building and controlling backdoors/Trojans/malware on the Windows platform. The command and control channel for compromised machines uses HTTP for communication.

  • Ripper

Tool for extracting data from Google Chrome, Skype and Firefox.

  • Scanner

A handy network scanner tool for reconnaissance. 

Other tools in the dump:

  • Darkpulsar
  • Jobadd
  • Jobdelete
  • Joblist
  • Mofconfig
  • Pcdlllauncher
  • Processlist
  • Regdelete
  • Regenum
  • Regwrite
  • Rpcproxy
  • Smbdelete
  • Smblist
  • Smbread
  • Smbwrite
  • GangsterThief

References

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

http://uk.reuters.com/article/usa-cyber-swift-idUKL1N1HN0G3

https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

https://medium.com/@networksecurity/latest-shadow-brokers-dump-owning-swift-alliance-access-cisco-and-windows-7b7782270e70

https://motherboard.vice.com/en_us/article/we-can-calm-down-microsoft-already-patched-most-of-the-shadow-brokers-exploits

https://technet.microsoft.com/library/security/MS17-010

https://github.com/x0rz/EQGRP_Lost_in_Translation

https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/

https://www.myhackerhouse.com/easter-egg-hunt_greetz/

https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_ms17_010

https://blog.comae.io/passfreely-oracle-swift-at-risk-eb6886908227

https://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/?mt=1492771770386

https://blog.binaryedge.io/2017/04/21/doublepulsar/

https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

http://blog.talosintelligence.com/2017/05/wannacry.html

https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack