04/21/17: EMERGING THREAT - Shadow Brokers Release of Equation Group Toolset | Security Bulletin


The hacker group Shadow Brokers has released exploits and hacking tools originally stolen from cyber attack group Equation Group, who is believed to be tied to the United States National Security Agency. These exploits and tools apply to a range of products, most notably including Windows. The released information can help attackers, from script kiddies to advanced hackers, use the tools to exploit security flaws in various environments, such as Windows, Linux machines, Directory and Identity services, firewalls, and routers. Alert Logic® is assessing the threat of these tools to our customer base and will provide detection updates as necessary.

Alert Logic Coverage

Alert Logic ActiveWatch™ researchers started investigating the released exploits immediately and Alert Logic assessment and detection services were quickly updated. Updates include vulnerability scanning and network-based intrusion detection that provide detection coverage for all of the MS advisories pertinent to the exploits released by Shadow Brokers.

Alert Logic Intelligence and Research teams have identified key components of the Shadow Brokers release that pose a high risk to Alert Logic customers. These areas of high risk and high importance include Windows Server Message Block (SMB), Directory and authentication, and frameworks and C2 management.

Windows Server Message Block

The exploit tools that run against Windows SMB protocols, and that Alert Logic has in the pipeline for coverage, include:

  • ErraticGopher

    ErraticGopher targets Windows SMBv1 on Windows XP and Server 2003. ErraticGopher, with the help of ErraticGopherTouch, probes for vulnerabilities on the targeted system. Typical firewall security should block these tools.

  • DoublePulsar & EternalChampion

    DoublePulsar, with the help of EternalChampion, targets SMBv1 by dropping a C2 payload after successful exploit. DoublePulsar establishes a covert channel for C2 control of the exploited system. Alert Logic has detection logic for the DoublePulsar C2 channel in testing and will have it fully deployed soon to protect customers and inform our Security Operations Center of attempts.

  • EternalRomance

    EternalRomance targets Windows SMBv1 by providing remote code execution (RCE) to the tool's operator with a refined user interface. This is applied as a one-and-done tool and would be used against different targets where persistence was not required. Alert Logic is continuing to investigate.

  • EternalBlue

    EternalBlue provides operators of Windows SMBv2 exploit capabilities on Windows 7 SP1. Microsoft has indicated that SMBv1 patches work to cover this vulnerability. EternalBlue is also used to drop payloads for covert C2, and Alert Logic is deploying detection logic to customers for this.

  • EternalSynergy

    EternalSynergy uses a SMBv3 vulnerability to provide RCE that is hard coded against Windows 8 and Server 2012 SP0. Alert Logic is investigating logic for detecting this variant of RCE network exploit attempt.

Typical firewall configurations already block SMB from the Internet. Further, Alert Logic scanning provides notice to customers of exposures to ErraticGopher, EternalRomance, EternalBlue, and EternalSynergy.

Directory & Authentication

The exploit tools that target directories and authentication, and that Alert Logic has in the pipeline for coverage, include:

  • ZippyBeer

    ZippyBeer is an exploit against Kerberos services in a Windows Domain Controller. It leverages an authenticated connection via SMB. Because it is written as a Python script, options for detection include intrusion detection systems recognizing network activity in SMB between unusual platform combinations and Windows log-based detection of .py scripts that open the distinctive pattern of connections. Alert Logic is continuing to investigate.

  • EsteemAudit

    EsteemAudit is a Remote Desktop Protocol (RDP) exploit. EsteemAudit installs an implant for Windows Server 2003 and XP, which exploits SmartCard authentication. Microsoft has indicated that it will not patch this exploit, as it is too old. Alert Logic has detection logic available for anomalous RDP connections, as well as scanning services that alert customers to exposure.

    NOTE: Due to the age of the target systems and the relatively high noise from false detection, customers should contact Alert Logic to consider options for detection or blocking.

  • EskimoRoll

    EskimoRoll is a Kerberos exploit against Active Directory domain controllers on Windows Server 2000, 2003, 2008, and 2008 R2. Microsoft has indicated that this was patched several years ago. Alert Logic is examining telemetry to verify that existing detection logic remains effective.

Frameworks & C2 Management

The exploit tools that target frameworks and C2 management, and that Alert Logic has in the pipeline for coverage, include:

  • FuzzBunch

    FuzzBunch is an exploit framework written in Python 2.6. Early research shows that it has inbuilt fingerprinting functions, as well as the ability to load RCE exploits. Alert Logic is focused on investigating both the distinctive inbound network signatures of the inbound functions and the detectable attack behaviors stemming from the patterns the control code make available to operators.

  • OddJob

    OddJob is an implant builder and C&C server that can deliver exploits for Windows 2000 and later. Alert Logic is focused on investigating both the distinctive inbound network signatures of the implant creation functions and the detectable overt or covert C2 traffic provided by the tool.

Other exploit tools are in the queue for Alert Logic investigation, as they may be best addressed after examining others that appear to be their components or that require a combination of resources. These include:

  • EternalChampion, an SMB exploit which works against recent platforms not yet patched.

  • EnglishmansDentist, a remote exploit against clients running Outlook Web Access and Simple Mail Transfer Protocol designed to inject and trigger a redirection rule to send mail to another person.

  • EchoWrecker, a remote exploit against Samba 3.0.x running on Linux platforms.

Lastly, Microsoft has confirmed that security patches are available for the known Microsoft exploits and tools released by Shadow Brokers. You can find these patches here.

Recommendations for Mitigation

While Alert Logic investigates the threats associated with the released exploits and tools, it is recommended that you take action to stay secure. These include:

  • Patching systems regularly and following vendor advice for mitigation
  • Following client-side hygiene practices and following OS vendor advice for baseline security
  • Keeping current with Alert Logic and our network, web application, scan, and log alerts

Contacting Alert Logic

With questions, contact Alert Logic Support using the following contact information:

US: 877.484.8383 (Option 2)

UK: +44 (0) 203 011 5533 (Option 1)


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.