ShadowGroup Reveals All? Initial Analysis of the Equation Group Dump
On Good Friday, April 14, The Shadow Brokers released to the public a bunch of powerful Windows’ exploits, tools and exploit kits used by The Equation Group – the group supposedly behind the NSA.
We’re currently analyzing the data, and would like to share some initial analyses and recommendations. Understanding the impact will allow security professionals to prioritize and fortify their systems in their race to defend them.
The stolen data is dated around 2013. Taking into consideration that year, it became clear that the vulnerabilities were very sophisticated. We saw there vulnerabilities that affected systems across various versions of Windows – from Windows XP to Windows 8. And at least one that affected Windows 10.
Fast forward four years - to now – most of these vulnerabilities are still very dangerous for organizations because patching takes time. In fact, it’s not rare to find organizations running 6-9 months late on their patching cycle. In particular, unsupported Windows version such as Windows XP and Windows Server 2003 will never be patched.
- A SMB flaw easily enables a threat actor to perform lateral movement. SMB is the Windows file-sharing protocol. It is used internally within the organizations as users place files in shared folders or even use the office printer. A threat actor exploiting the flaw can leach on to the protocol and hop around the organization. To recall, the old Conficker worm - which had similar lateral movement capabilities - existed years after initial patch release. Windows fixed the SMB vulnerability, but given Windows XP end of life and slow patching cycles, the vulnerable protocol still remains for this. Worse yet, a single vulnerable system can bring down the whole organization. The reason is that even if most of the organization is patched (or unaffected), it is typically enough to steal credentials from one vulnerable legacy system to be able to laterally move across the organization.
- A RDP flaw enables an attacker to remotely take control of the underlying system. Remote Desktop Protocol (RDP) allows users to connect to another computer, usually used to access one computer via another through a graphical interface. Windows Server 2003 is still affected by this, and unfortunately, many organizations have their RDP ports open to the Web and thus are publically exposed to this flaw.
Within the stolen data, there also appears a self-built hacking tool, named FuzzBunch. Similar to the publically-available Metasploit tool, this Equation Group tool also automates the process of exploiting vulnerabilities and injecting payloads onto vulnerable systems.
Does the Equation Group belong to the NSA? That we cannot know. Does the NSA tool have the capabilities and knowledge to conduct such attacks? It’s safe to assume that they can. After all, a few years ago, the former NSA Director Keith Alexandar admitted that the NSA hoards zero days. The thing is that if The Equation Group does in fact belong to the NSA, this means that nation-state tools and their security knowledge is now found also in the hands of cyber-criminals. Let it be criminals who can use these vulnerabilities for targeted attacks, disrupt business operations or perform widespread ransomware attacks.
For those running legacy systems, here are a few steps that you should do now:
- Ensure that the security controls for these systems are turned ON (they are not necessarily enabled by default or because of an IT decision)
- Discover your network! If you find there’s no need for a legacy system, remove it. As a start, run the nmap tool.
- If you have required legacy systems, understand that they are your weakest link. As such: remove their Internet access, isolate them and remove them from your Active Directory.
- Provide security for these systems through 3rd party solutions. Evaluation criteria for 3rd party solutions much include: embedded support, low footprint and provide a preventative solution. Disclaimer: enSilo’s endpoint security platform also supports legacy systems. That said, this also means that we’ve investigated, learned, tested and are deployed on these live systems to know what we’re talking about.
In the next upcoming weeks, we’ll continue to keep an eye out on any further advancements, as well as perform additional analyses of our own. We’ll make sure to continue updating as needed.