SonicWall Security Center


Shadowbroker releases alleged NSA EquationGroup Exploit Code Dump (Easter Egg) on Good Friday, 4/14/2017. (posted: April 20, 2017)



Description


The SonicWall Threats Research team is actively researching the exploit and malware code released on Good Friday (4/14/2017) by an anonymous group calling itself "Shadowbroker", which claims to have stolen the cache of code and documents from a hacking team within the United States National Security Agency (NSA). We are creating this SonicAlert to update our customers about the security measures we are putting into place to protect against these newly disclosed threats.

On the same day as the Shadowbroker release, Microsoft published a blog to reassure Microsoft customers that:
"Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date." (Microsoft Security Response Center)

FuzzBunch Exploitation Framework

Included in the released files is a set of executables and scripts that together form a custom-built exploitation framework called "fuzzbunch". The framework is launched from 'fb.py' and looks like the following.

The exploit shown here is "EternalBlue", which exploits the SMB protocol and uses the Doublepulsar payload. It requires that the attacker can reach the target on TCP/445. In practice this means that the attacker is already on the same LAN, or the target's LAN is reachable through open ports from the attacking machine. As mentioned in the Microsoft blog (above), this attack is already patched by MS17-010.

1. Running and configuring the exploit framework:

2. Loading the EternalBlue module and executing the SMB exploit:

3. Loading the Doublepulsar payload and pinging the installed backdoor:

4. This is the Windows 7 target process (PID 4) that has been compromised:
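
For defenders, the reachability condition described above (the attacker must reach the target on TCP/445, from the same LAN or through open ports) can be checked against firewall flow logs. The following Python code is an added example, not part of the original SonicWall post; the log format, the address plan in `LAN_SEGMENTS` and the sample records are constructed assumptions.

```python
import ipaddress

# Constructed sample flow records (not from the SonicWall post), in an
# assumed "src_ip dst_ip dst_port action" format.
SAMPLE_FLOWS = """\
203.0.113.7 192.168.10.20 445 allow
192.168.10.55 192.168.10.20 445 allow
192.168.20.9 192.168.10.21 445 allow
198.51.100.4 192.168.10.22 445 deny
192.168.10.55 192.168.10.20 443 allow
10.1.1.1 192.168.10.23 445
"""

# Assumed internal address plan: each entry is one LAN segment.
LAN_SEGMENTS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.20.0/24")]
SMB_PORT = 445

def segment_of(ip):
    """Return the LAN segment containing ip, or None if ip is external."""
    return next((net for net in LAN_SEGMENTS if ip in net), None)

def classify_smb_exposure(text):
    """Map each internal target to the widest path on which TCP/445 was allowed."""
    rank = {"same-lan": 0, "cross-segment": 1, "external": 2}
    exposure = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of guessing
        src, dst, port, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if action != "allow" or not port.isdigit() or int(port) != SMB_PORT:
            continue
        dst_seg = segment_of(dst_ip)
        if dst_seg is None:
            continue  # only internal targets are in scope
        src_seg = segment_of(src_ip)
        if src_seg is None:
            path = "external"
        elif src_seg == dst_seg:
            path = "same-lan"
        else:
            path = "cross-segment"
        if rank[path] > rank.get(exposure.get(dst), -1):
            exposure[dst] = path
    return exposure
```

Hosts reported as `external` or `cross-segment` are the ones where SMB is reachable beyond their own LAN and should be prioritized for the MS17-010 update and for tighter TCP/445 filtering.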

SonicWALL Intrusion Prevention Service (IPS) provides protection against the following threats:

  • EternalBlue, EternalSynergy, EternalRomance (IPS: 12700, 12700, 12792, 12794, 12786, 12787, 12801, 12800, 12795, 12796)
  • EmeraldThread (IPS: 5691)
  • EducatedScholar (IPS: 4555, 2032)
  • EclipsedWing (IPS: 5777, 1250)
  • EternalChampion (IPS: 12786, 12787)
  • EsteemAudit (GAV: CVE-2017-9073)

SonicWALL Gateway Anti-Virus (GAV) provides the following protections:

  • GAV: Shadowbrokers.D (Trojan)
  • GAV: Shadowbrokers.D_2 (Trojan)
  • GAV: Shadowbrokers.A (Hacktool)
  • GAV: Shadowbrokers.A_2 (Hacktool)
  • GAV: Shadowbrokers.G (Hacktool)
  • GAV: Shadowbrokers.EG
  • GAV: Shadowbrokers.D_6
  • GAV: Shadowbrokers.D_5
  • GAV: Shadowbrokers.E
  • GAV: Shadowbrokers.C1_3
  • GAV: Shadowbrokers.C1
  • GAV: Shadowbrokers.DZ
  • GAV: Shadowbrokers.A_4
  • GAV: Shadowbrokers.D_4


