On August 13, 2016, a group of hackers called The Shadow Brokers leaked exploits that they had apparently stolen from another hacker group, The Equation Group. This was first mentioned by Kapersky; it was assumed that there was a connection to the US intelligence agency NSA. News of the leak was posted in various places, including on Twitter, GitHub, Tumblr and Imgur.

These announcements mainly served as an incentive for the auction of further exploits that began at the same time. The group which sent the largest amount of Bitcoin (BTC) to the address 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK would receive the password to decrypt the collection of exploits; the other bidders would not be refunded. If the sum of BTC 1 million were exceeded, the exploits would be released and freely accessible to everyone. The auction was not time-limited; the end was determined arbitrarily by the Shadow Brokers themselves.

The auction itself was not a success. The overview of all transactions shows that the biggest contribution was BTC 1.5, and as of August 2016, only BTC 2.006074 had been credited to the account. On January 12, 2017, the Shadow Brokers ended the auction, declaring it unsuccessful, and disappeared with one final message. The chronological course of the auction is detailed in an article entitled The Shadow Brokers: Lifting the Shadows of the NSA’s Equation Group?, published by the company Risk Based Security.

Published exploits

Two files were published: the file eqgrp-free-file.tar.xz.gpg, meant as a teaser for the auction, and the file eqgrp-auction-file.tar.xz.gpg, for which the password was auctioned. Both files were encrypted; the password for the teaser file was theequationgroup. This file included the following exploits, among others:

• EGREGIOUSBLUNDER: Fortinet FortiOS (details)
• ELIGIBLEBACHELOR: WatchGuard Firewalls
• ELIGIBLEBOMBSHELL: TOPSEC Firewalls
• ELIGIBLECANDIDATE: TOPSEC Firewalls
• ELIGIBLECONTESTANT: TOPSEC Firewalls
• EPICBANANA: Cisco PIX Firewalls and Cisco ASA (details)
• ESCALATEPLOWMAN: TOPSEC Firewalls
• EXTRABACON: Cisco ASA (details)

Unexpected comeback and new exploits

The Shadow Brokers returned on April 8, 2017. In a message to the US President Donald Trump entitled Don’t Forget Your Base, they provided a password, CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN, for the auction file eqgrp-auction-file.tar.xz.gpg. This file again contained tools and exploits, this time for the operating systems Windows, Linux and Solaris. Some of the following exploits can be used to allow an unauthenticated user to obtain the highest local privileges on the system under attack:

• EARLYSHOVEL: Sendmail 8.11.x on RedHat 7.0 – 7.1
• EBBISLAND: RPC of Solaris 6, 7, 8, 9 & 10
• EXPLODINGCAN: Microsoft IIS 6
• ETERNALROMANCE: SMB vulnerability in Microsoft Windows XP, Server 2003, Vista, 7, 8, Server 2008, and Server 2008 R2 (MS17-010)
• EDUCATEDSCHOLAR: SMB vulnerability in Microsoft Windows (MS09-050, details)
• EMERALDTHREAD: SMB vulnerability in Microsoft Windows XP and Server 2003 (MS10-061, details)
• ERRATICGOPHER: SMB vulnerability in Microsoft Windows XP and Server 2003
• ETERNALSYNERGY: SMB vulnerability in Microsoft Windows 8 and Server 2012 (MS17-010)
• ETERNALBLUE: SMB vulnerability in Microsoft Windows XP, Server 2003, Vista, 7, 8, 10, Server 2008, and Server 2008 R2, Server 2012, and Server 2016 (MS17-010)
• ETERNALCHAMPION: SMB vulnerability in Microsoft Windows (details)
• ESKIMOROLL: Vulnerability in Kerberos in Microsoft Windows Server 2000, 2003, 2008, and 2008 R2 (details)
• ESTEEMAUDIT: RDP vulnerability in Windows Server 2003
• ECLIPSEDWING: Vulnerability in server service in Windows XP and Server 2003 (MS08-067, details)
• EXPIREDPAYCHECK: Vulnerability in Microsoft IIS 6
• EAGERLEVER: SMB vulnerability in Windows XP and Server 2003

On April 14, 2017, Microsoft published the statement Protecting customers and evaluating risk, which discussed the published exploits. On Patch Tuesday in March, Microsoft released the update Microsoft Security Bulletin MS17-010, which fixed most of the vulnerabilities, without any special announcement. Microsoft did not comment on when and by whom they were informed about the existence of these vulnerabilities.

Consequences

The MS17-010 update was distributed in March via Windows Update. Companies and private users who regularly install updates are therefore now protected against these exploits. However, many systems are still vulnerable to such attacks. Systems are attacked using the exploit ETERNALBLUE. After its successful completion, the backdoor DOUBLEPULSAR is installed. The tool FUZZBUNCH can also be used to simplify the configuration and launch of the exploit. The execution of ETERNALBLUE occurs as follows:

Module: Eternalblue

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (52 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
0x00000030  6b 20 31 00                                      k 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending SMBv2 buffers
        ..............DONE.
    [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x64 (64-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

A system infected with DOUBLEPULSAR can be identified by the response to a specific ping on port 445/tcp. In the blog post Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique, the company Countercept gave a detailed analysis of the backdoor and also published a tool called doublepulsar-detection-script in order to detect infected systems. However, an analysis by the company BinaryEdge shows that on April 21, 2017, there were already 106,410 internet-accessible systems infected. A few days later, on April 27, 2017, that number had risen to 428,827. It can be assumed that the number of infected systems will increase even further in the near future.

Conclusion

This example clearly demonstrates the importance of continually keeping systems up to date. A system’s attack surface should also be reduced as much as possible. For example, the SMB should not be accessible in systems that are directly connected to the internet. Anyone who has delayed installing security updates should see the release of these exploits as a wake-up call.

About the Author

Michael Schneider has been in IT since 2000. Since 2010 he is focused on information security. He is an expert at penetration testing, hardening and the detection of vulnerabilities in operating systems. He is well-known for a variety of tools written in PowerShell to find, exploit, and mitigate weaknesses. (ORCID 0000-0003-0772-9761)

Links

• https://bit.surf:43110/theshadowbrokers.bit/post/messagefinale/
• https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK
• https://blog.binaryedge.io/2017/04/21/doublepulsar/
• https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
• https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/EGBL
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/ELBA
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/ELBO
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/ELCA
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/ELCO
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/EPBA
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/ESPL
• https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/EXPLOITS/EXBA
• https://github.com/countercept/doublepulsar-detection-script
• https://github.com/misterch0c/shadowbroker
• https://github.com/theshadowbrokers/EQGRP-AUCTION
• https://imgur.com/a/sYpyn
• https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
• https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
• https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
• https://theshadowbrokers.tumblr.com/
• https://twitter.com/shadowbrokerss
• https://twitter.com/shadowbrokerss/status/764370347231764480
• https://vuldb.com/?id.3860
• https://vuldb.com/?id.50449
• https://vuldb.com/?id.54718
• https://vuldb.com/?id.68239
• https://vuldb.com/?id.90832
• https://vuldb.com/?id.90833
• https://vuldb.com/?id.90929
• https://vuldb.com/?id.98021