A Halloween leak from Shadow Brokers has surfaced today. Previous leaks from Shadow Brokers have contained 0day exploits and security vulnerabilities in major Internet software. A review of this recent leak has been performed by Hacker House to determine its impact on our clients. We have identified that the leak contains configuration data for an as-yet-undisclosed toolkit for a variety of UNIX platforms and also a number of IP addresses and hosts which may have been targeted by the tools.
We found the leak to contain references to undisclosed tools DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK and STOICSURGEON. The directory structure used includes references to “intonation” and “pitchimpair”. The original post references “pitchimpair” as being a “redirector” tool, likely a backdoor/implant used for tunneling additional attacks. These as-yet-undisclosed software projects could be implants, tools or exploits used by the notorious Equation APT group. We have provided a break down of the tools and the impacted software versions they abuse here by reviewing the configuration data in the leak.
In addition to the leak of software details used by this threat actor it appears that a number of previously compromised hosts are included. In total 352 IP addresses are provided alongside 306 domain names which these tools may have been run on. These addresses include timestamps which begin on 22nd August 2000 at 13:50:45 and finish 18th August 2010 at 11:43:46. If this data is believed then it may contain a list of computers which were targeted during this time period. A brief shodan scan of these hosts indicate that some of the affected hosts are still active and running the identified software. These hosts may still contain forensic artifacts of the Equation Group APT group and should be subject to incident response handling procedures.
The hosts include 32 .edu domains and 9 .gov associated domains. The geographic distribution of attacked hosts appears to be global impacting 49 countries. However the top 10 impacted countries are China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy & Russia. The top three, China, Japan and Korea make up a substantial number of attacked hosts.
We graphed the distribution of impacted countries and it shows clearly that hosts targeted predominantly are within the ASIAPAC region. This is likely to hinder attribution and may have been used as a staging ground for further attacks.
As the toolkits are as-yet-undisclosed and it is likely that these attackers may still be using these attacks in the wild. It is strongly advised that if you or your organization are amongst the impacted parties, you perform incident response on identified hosts, and contact security professionals to help determine impact on your network. You may have inadvertently been hosting Equation Group APT cyber attacks from your environment. The Shadow Brokers previously leaked a data dump which contained exploits for various appliances and this leak is intended to show that still more UNIX related toolkits could surface. You can view a list of all the affected hostnames contained in the leak on pastebin here or by downloading the original encrypted leak.