It’s been a very busy couple of days here at Hacker House and we wanted to post a summary of several high profile data leaks that appeared over the Easter weekend and in the week running up to the break. Whilst we sift through an impressive treasure trove of potentially nation-state developed tool kits we decided to share our thoughts and understanding. We have some advice for our clients and also some clarifications on the data and its purpose. We were amongst the first to analyse the files online and provide real time snippets and information on social media, much of our work was then shared by others.

UNIX Warez
The first data dump occurred on April 8th in a blog post on medium [0]. This post contained a password for an early encrypted data set released by the ShadowBrokers at the announcement of their auction. We had previously reviewed snippets of configuration data which suggested the contents of this earlier leak in a blog post [1]. It was dismissed as speculative by some in the security research community, however much of our predictions and analysis were in fact accurate. The most interesting vulnerabilities in Solaris had been predicted to impact any RPC service, this was proven to be correct alongside remote exploits in cPanel. The Linux/UNIX release by ShadowBrokers contained a treasure trove of legacy UNIX attacks for numerous commercial and opensource platforms, tools, implants and also previously unknown vulnerabilities. This included but is by no means limited to:

  • Sendmail 8.11.x RedHat 7.0 – 7.3 remote root exploit (EARLYSHOVEL)
  • Linux Kernel Exploits (ENVOYTOMATO / EPOXYRESIN) – (known PTRACE and bluetooth?)
  • Netscape Enterprise 4.1 – Solaris 8 remote exploit
  • Samba 3.0.x remote exploit (ECHOWRECKER)
  • An exploit for an old OpenSSH CRC32 attack.
  • Solaris 7-8 dtscpdx heap overflow remote root exploit
  • Solaris 6-9 telnetd exploit CATFLAP (a known /bin/login overflow)
  • Apache 1.3.x SSL remote exploits (openssl-too-open)
  • iPlanet Messaging Server 5.2 remote exploit
  • CVE-2006-0745 Linux privilege escalation attack in XOrg
  • Remote exploit for Exim MTA
  • cPanel cgiecho / cgiemail format string exploit (ELEGANTEAGLE / TOFFEEHAMMER – 0day) – CVE-2017-5613
  • cPanel privilege escalations (ELATEDMONKEY & ENDLESSDONUT) – fixed by cPanel
  • EBBSHAVE / EBBISLAND – Solaris 6-10 remote XDR RPC overflows (previously unknown exploits, 0day) CVE-2017-3623
  • EXTREMEPARR – Solaris 7 – 10 local root vulnerability in CDE dtappgather (a previously unknown exploit, 0day) CVE-2017-3622

Additional exploits for packages such as wu-ftpd and phpBB were also seen in the data dump, as many of the exploits were in very old software packages a complete list has not been put here. cPanel had already identified the vulnerabilities in their products from the earlier Shadow Brokers release in December and fixed them in a January update [9]. In addition to a collection of pre-compiled binary exploits, designed to be executed by operatives in the wild – there were also a number of additional utilities and tools. Several of which we have already dissected and found to be very useful for network infrastructure analysts.

  • ri – RPCINFO tool, probe RPC services for information leaks (very useful)
  • scanner -a really handy network scanning tool binary (probes common services for info leaks)

Many of the exploits were targeted against known vulnerabilities and so we analysed the most interesting first, the two Solaris attacks which were previously not found in the wild. We discovered that these attacks made use of anti-forensic techniques (string obfuscation etc.) as well as more advanced payloads not typically seen in academic proof-of-concepts. It was very apparent that these tools had been written to be used in real world cyber attacks, displaying a large array of targets and extensive documentation on use. We successfully used these attacks to compromise a number of our test bed Solaris systems and notified the vendor to determine the patch status of the flaw. This has resulted in two new CVE being issued CVE-2017-3622 and CVE-2017-3623 alongside a statement that the flaws impacted Solaris 10, the remote attack was patched in 2012 but not publicly known about and the local root binary CDE component was not distributed in 11 (the leaked data supports an 11 target mysteriously) – older unsupported systems will remain vulnerable as no patch has been released. We reverse engineered some of these exploits to determine how they worked and you can download a PoC for the Solaris “dtappgather” exploit at [2]. As a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump, even though the bug was a trivial path traversal for “dtappgather” extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included. The following two screen shots show both the previously unseen local root exploit and remote RPC overflow compromising our test Solaris hosts.

Windows Warez

The Easter Egg hunt didn’t stop there and there was speculation online that the Windows exploits might still see the light of day. There had previously been posts in January which implied those leaks contain remote server side exploits, the likes of which the security community has not seen for several years. Many did not take this threat by ShadowBrokers seriously. The ShadowBrokers then released the Windows exploits and tagged our Co-Founder in a post “Lost in Translation” on the morning of April 14th. We do not know why they tagged Matthew in the release and will not speculate on the motive. This new dump contained something we had feared since January, a huge data dump of several Windows exploits and tools of a similar calibre and quality to the UNIX and Firewall leaks. The ShadowBrokers came good on their promise and released powerful attack tools of an alleged nation state group to the world. These attacks could now be co-opted for any purpose by anyone who wanted to misuse them. We set about analysing them. Here is a brief summary of the main tools within the leak.

  • FUZZBUNCH – An exploit framework containing 15 exploits and advanced kernel-mode backdoors.
  • ODDJOB – A HTTP C2 implant for installation on compromised hosts
  • DANDERSPRITZ – A GUI driven implant for interacting with a compromised host and controlling Windows systems.

The tools claimed target support from Windows NT upto 2012 with exploits for every variant in-between. We successfully tested several of the attacks and four exploits stood out immediately. These attacks all worked remotely against relatively up-to-date Windows hosts (including a 2008 R2 SP1 domain controller). Wrongly or rightly we raised the alarm on these exploits as potential 0day attacks as we had with the Solaris vulnerabilities and alerted people through our social media channels that there was now weaponized attacks for a previously unseen Windows vulnerability affecting all versions of Microsoft’s desktop and server OS. These attacks appear to function perfectly (reliable, multi-shot, not a single blue-screen of death in testing) and are so-called “god mode” exploits as they result in remote SYSTEM privileges allowing an attacker full control over the impacted host. These exploits work over NBT and SMB services and exploit several different flaws.

  • ETERNALROMANCE – Windows XP, 2003, Vista, 7 & 2008
  • ETERNALBLUE – Windows XP, 2003, Vista, 7 & 2008
  • ETERNALCHAMPION – Windows XP, 2003, Vista, 7 & 2008
  • ETERNALSYNERGY – Windows 8 SP0 & Windows 2012 SP0

It transpired that these vulnerabilities were addressed in an update released on March 14th 2017 (MS17-010) – although further research suggests this patch maybe insufficient [4]. Our lab environment was not running the latest March patches which is not uncommon when researching on vulnerabilities/attacks. Several other respected researchers [5] missed that same MS17-010 patch. We also stated during our initial analysis that Microsoft would need to provide a response on the issues identified. The Microsoft blog [6] also identified that Windows 10 and 2016 were impacted by the same attacks, we had confirmed that the exploits did not function on those OS’s and so would require modification for use. We could not be expected in the first few hours to identify all possible configurations of a multi-generational attack toolkit and triage it for fixes and were absolutely correct to sound the alarm on a powerful nation-state attack toolkit being released into the wild. Several of the vulnerabilities in this toolkit impact on older versions of Windows such as XP and 2003, Microsoft will not be releasing fixes for those issues leaving the platforms vulnerable to attack for the foreseeable future. This will be of especially grave concern for anyone working with ICS equipment and for environments such as the healthcare sector who do not apply updates in a timely fashion.

The attack toolkit FUZZBUNCH is an impressive metasploit-esque framework for exploiting hosts and uploading a payload known as DOUBLEPULSAR. This kernel mode payload can then be used as a stager to upload additional payloads, one of which can be generated with DanderSpritz. What we found was that these tools were stealth in nature, made use of anti-forensic techniques and bare all the hallmarks of a sophisticated and well developed attack toolkit for Microsoft platforms. The exploits have been compared to MS08-067, a widely exploited Windows vulnerability that has resulted in many compromises and was also exploited by the damaging Conficker worm. The comparison is well founded and that is just four of the known exploits, FUZZBUNCH contains a total of 15 exploits for the likes of Terminal Services, IIS 6.0, Lotus Domino, Exchange 2007 and MDaemon software. The Exchange vulnerability has been identified as another previously unknown exploit alongside Remote Desktop and further SMB attacks. Analysts will be releasing new information about how these tools work and were designed over the coming few weeks and months. We have only begun to scratch the surface on these tools and now that they are out there its important we can analyse them to determine servers that are impacted as well as what steps can be taken to protect against them. The tools are released in binary format and as reverse engineering efforts are underway we will likely discover more interesting features about the attacks. We are providing a video here showing how the exploit framework and implants can work together to provide an attacker with a very powerful tool for performing attacks against Microsoft Windows environments. As patches are not applied immediately in environments it is important to stress that this toolkit allows for point & click type operation, allowing anyone to use them with ease.

There are undoubtedly more discoveries to be made from the ShadowBrokers disclosures as we review a (possible) nation-states cyber capabilities. Aside from the 15 exploits contained in FUZZBUNCH there are also several other “legacy” exploits and a mix of still un-reviewed scripts and binaries in the UNIX data dump. There are also some Oracle database specific attack tools which may also result in further discoveries as more analysis takes place. We are under no illusion that such a huge data trove will not be completely analysed in its first few days of discovery and neither should you. As people begin to downplay the risk despite evidence supporting that several advanced nation state attack toolkit’s are now available for all and sundry here is our recommendations on what you should be doing.

  • Apply MS17-010 immediately to any mission critical servers and scan for vulnerable hosts in your domain [7] & [8]
  • Consumers should check that the personal firewall is enabled and auto-updates ran on Windows desktops last month
  • Businesses need to check legacy Oracle installations to ensure they were not compromised by Solaris exploits. Oracle DB’s should also be reviewed.
  • Evidence supports that these tools were used to target SWIFT environments – ensure you check and patch these flaws immediately.
  • Eensure that any legacy servers or desktops running NT4, 2000, XP & 2003 are removed from production environments.
  • Do not expose Terminal Services, Server Message Block and Common Internet File System (445/tcp, 139/tcp and 3389/tcp) to the Internet where possible.
  • Upgrade your legacy Microsoft Exchange servers to a supported system.
  • Ensure cPanel installations are updated with the latest patches.
  • If you need support or assistance in identification of systems at risk from these attacks, contact the team at Hacker House.

We referred to this as a Microsoft apocalypse and it certainly is shaping upto be a very bad forthcoming few months for DFIR and incident response teams as attackers begin co-opting these tools into their own attacks. As experience has shown here many of these attacks will not be patched and legacy systems will continue to be vulnerable for some time. These attacks can assist attackers trying to gain a foothold in organisations for many years to come. Ensure you are doing everything you can to prevent these impacting on your ICT assets. On the matter of disclosure we ask a simple question, what is better? a tool that everyone including your adversary knows about or one that only your adversaries and possibly others have? We believe that in the long run it is beneficial that these tools are out there and can be protected against however it also comes with a negative side – there is now a blue print on how to roll your own nation state level attacks for anyone to study. We hope to include some of our analysis on these attacks in our future training courses. Happy Egg Hunting!

[0] Don’t Forget Your Base
[1] Merry Haxmas! Shadow Brokers strike again!
[2] Proof-of-concept for “dtappgather” exploit
[3] Lost in translation – ShadowBrokers tweet
[4] ETERNALBLUE analysis
[5] TrustedSec RCE Win7
[6] Microsoft blog post on risk to customers
[7] Countercept – scan for doublepulsar infection
[8] Metasploit MS17-010 patch scanner
[9] cPanel security team blog post

Comments are closed.