NSA Tools vs. enSilo

See enSilo take down a nation-state quality attack tool, and stop it from stealing information on a compromised victim machine.


The Hacking Tools vs enSilo: Walk-Through

The demo provides two scenarios:

  1. Attack without enSilo installed on the victim’s device. In this case, the attack setup is as follows:
    • Victim machine: Windows XP, default firewall configuration, with an open network share.
    • Attacker machine, running Fuzzbunch (the hacking framework) and DanderSpritz (the attacker’s C&C).

    The attacker compromises the victim’s device, installs a trojan and sends information back to the attacker’s C&C. This information includes initial survey data which, beyond describing the target device, also feeds attacker configuration choices such as establishing persistence on the targeted device, running additional plugins, performing network reconnaissance and retrieving all OS passwords.

    Once the device is under the attacker’s control, the attacker can perform various activities such as taking screenshots of the victim’s device.

  2. Attack with enSilo installed on the victim’s device (as before, the victim’s machine runs Windows XP). In this example, the unpatched endpoint allows an attacker to gain a foothold on the target machine. However, enSilo’s post-infection protection capabilities isolate the malware, shut down its communications, and prevent it from moving laterally.

    After instantly eliminating the malware threat, the enSilo management server delivers a single, high-fidelity alert that reports the details of the attack. Keep in mind that enSilo protects this device, an endpoint running an unpatched version of one of the most widely deployed legacy operating systems in the world, completely out of the box. There were no signatures to update and no software patches to apply, and enSilo blocked the threat without adding any performance latency on the host machine.

Incident response doesn’t get any better than this: instantaneous protection, and the security team receives just one alert per blocked attack, not thousands of indicators that send the team on a wild goose chase.

Background

Less than two weeks ago, The Shadow Brokers published their trove of stolen data from The Equation Group – the group considered to be the hacking arm of the NSA. The stolen data included a host of powerful Windows exploits, tools and trojans that The Equation Group had been using.

The exploitable vulnerabilities affected systems across various versions of Windows – from Windows XP to Windows 8, and possibly Windows 10 as well. Most of these vulnerabilities are still dangerous for organizations because patching takes time. In fact, it’s not rare to find organizations running 6-9 months behind on their patching cycle.

In particular, unsupported end-of-life Windows versions such as Windows XP and Windows Server 2003 will never be patched. However, it’s not rare to find these legacy systems in organizations across various verticals such as financials (running ATMs, for instance), healthcare and manufacturing, where the cost and downtime of upgrading these systems are too high to allow it.

The Hacking Tools

The recipe for a compromised endpoint: mix these nation-state quality attack tools and target the device of your choice. Once you’ve compromised the system, take complete control of the device and steal information:

  • EternalBlue. An SMB exploit that compromises the endpoint and installs a backdoor in the kernel. SMB is the Windows file-sharing protocol. Because it is common throughout virtually every enterprise, EternalBlue, which latches onto this protocol, can be used to move throughout an organization.
  • DoublePulsar. This program communicates with the backdoor created by EternalBlue to install a trojan on the victim device. If EternalBlue can be viewed as a socket, DoublePulsar acts as the actual plug. Once installed, it acts as the vehicle to install malicious code on the victim’s device. The payload is a user-mode DLL, the trojan, PeddleCheap.
  • Fuzzbunch. A custom-built hacking framework which manages the attack process: exploiting vulnerabilities and injecting payloads into vulnerable systems.
  • PeddleCheap. The actual trojan. It has full control of the victim’s device and carries out commands on behalf of the attacker. PeddleCheap’s capabilities include retrieving passwords, logging the victim’s activities, taking screenshots of the victim’s machine and recording all of the victim’s keystrokes. PeddleCheap then sends all this sensitive data back to the attacker.
  • DanderSpritz. The attacker’s Command and Control (C&C) server. From the DanderSpritz dashboard, the attacker sends commands to PeddleCheap and retrieves all stolen information. Using DanderSpritz, the attacker can operate from a remote location and, with just a few keystrokes, gain full visibility into and control of the victim’s computer.

Figure 1: The DanderSpritz dashboard is configured to start listening or connecting to a remote target.

Figure 2: Using the FuzzBunch hacking framework, the attacker runs the EternalBlue exploit which installs the backdoor on the victim’s machine.

Figure 3: After the attacker uses the backdoor to execute the payload and run the trojan, the attacker gains full visibility into the processes running on the victim’s device. The attacker can use this information, for instance, to learn which security products are installed on the victim’s machine or which services can be hijacked to conduct further malicious activity under the cloak of a legitimate service.

Nation-State Tools in the Hands of Attackers

The leak of these attack tools could be catastrophic. Putting nation-state quality tools in the hands of cyber-criminals lowers the bar they face when going after hardened targets. They can use these exploits for targeted attacks that disrupt business operations, or for widespread ransomware attacks.

We’re already seeing signs of this behavior in underground forums, where ransomware authors are bragging that they’re including EternalBlue, the SMB exploit, in their ransomware. This has the potential to be a serious escalation in the weaponization of traditional ransomware. Most ransomware is capable of affecting only a handful of devices within an organization, but with EternalBlue we might now witness attacks that propagate throughout an organization, “walking” from share to share, compromising mission-critical servers and bringing an entire enterprise to its knees.

(Update Apr. 28: Fixed readability issues.)

Learn more about enSilo’s complete endpoint security solution.
