ShadowBrokers, Doublepulsar and everything you need to know about the latest NSA leak
The main goal for nation-state actors working for intelligence purposes is to establish a consistent and reliable digital presence. Whether or not they have an active operation, they need to be ready to launch a campaign at any time. To do so, they need to be deployed all the time.
During the USENIX Enigma 2016 Conference, NSA TAO Chief Rob Joyce said, in regards to disrupting nation-state hackers, that the NSA doesn’t need to use zero-days extensively for their hacking activities. The link for his talk:
https://www.youtube.com/watch?v=bDJb8WOJYdA
Let’s try to simplify the connected parties in this alleged case:
According to Kaspersky report in 2015:
Source - https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
How did the Shadow Brokers get their hands on this hacked data? It could be as simple as having a mole inside the NSA:
A reality check—regardless of nation state actors, every application facing the Internet is exploitable. So if you publish your SMB/RDP service to the world, you are at risk.
Even Amazon AWS with their great best practice configuration is allowing, by default, a security group with default RDP, open from everywhere for a virtual Windows machine. And obviously people don’t change it immediately, which makes their environment exposed:
So the minimum you should do is whitelist source IPs, and if your Webapp must be public, make sure you don’t connect your backend to your entire environment – ASSUME IT WILL GET BREACHED!!!
Some of the latest, massive Internet IPv4 scans indicate that there are thousands of computers connected to the Internet with the latest vulnerabilities that can be exploited using the released binaries from Shadow Brokers:
So why after the notoriousms08-67 Conficker are people still surprised that someone can make remote code execution again to SMB?
Both SMB and RDP services are, by default, active in most Windows environments; therefore, the ROI is very high, and there is easy access to any Windows OS without knowing the credentials.
When it comes to internal threats and lateral movement, these exploits make the attacker’s job easier because once he has local presence on an end-point, he can access all the resources internally.
IMHO, it’s still a very noisy attack vector for two reasons:
1. The application or the OS can crash, which would make the security team suspicious.
2. If you are using it for more than a few end-points, it’s highly noticeable. It will be considered suspicious traffic, like a NMAP scan.
So for sophisticated attackers, once they use this RCE and get access to any end-point with powerful credentials, they can stop using it and move laterally, red-team style.
We also know that the Equation Group hacking is intended for Active Directory since they are using AD LDAP reconnaissance in their code:
And from the Kaspersky report, we see that this specific group is very Windows OS oriented:
Who should be worried?
In general, anyone who has data a nation state might want for espionage purposes should be worried. Review the most recent case by the FBI against the Chinese military. Alcoa, US Steel, USW Union, and many more were targets of espionage.
Now that these exploits are public, every company needs to be worried and must act accordingly. Protect these services and patch your systems ASAP. And most of all, instrument yourself to detect credential theft, lateral movement, and reconnaissance activity.