Tuesday, April 18, 2017

Windows exploits dump by "TheShadowBrokers" - What you need to know/do

Background


This past weekend, a hacker group calling themselves “TheShadowBrokers” dumped a large amount of content which allegedly relates to the US Government’s cyber espionage activities.

Included in the dump were a number of previously unreleased vulnerability exploits, mostly targeting Windows systems. Some of these exploits allow an attacker to execute code remotely on a target system with no user interaction at all, via the SMB service listening on TCP port 445. This type of “wormable” vulnerability in Windows (i.e. a vulnerability that lets an attacker take control of a system remotely and then use the compromised system to attack further systems) is very rare. The last notable example where a working exploit was publicly released was the “MS08-067” vulnerability, which was used by the Conficker worm in 2008.

Whilst there was initially a great deal of speculation and panic that these Windows exploits were “0 days”, i.e. exploits for unpatched vulnerabilities, Microsoft published a comprehensive blog-post indicating that the vulnerabilities targeted by all of the relevant exploits in the dump had already been patched in supported Operating Systems.

Key Issues


It is important to note the following:
  1. These vulnerabilities still exist in unsupported Operating Systems such as Windows Server 2003, which will not receive patches.
  2. Some of the most critical vulnerabilities were only fixed in the March 2017 “Patch Tuesday” release (MS17-010), so machines that are a month behind on patching are still exposed.
As such, organisations running older Windows Operating Systems, or which have not applied the latest patches to their newer Windows Operating Systems, may still be at risk from these vulnerabilities.

Our Recommendations


We would therefore recommend that organisations take the following immediate actions:
  • Scan your externally facing address ranges for Windows machines where TCP port 445 is reachable from the Internet, and block this port at the perimeter firewall.
  • Where servers were found with this port exposed, review the server logs for evidence of malicious activity, and treat the server as potentially compromised until that review is complete.
  • Prepare a plan to patch all Windows machines with the key patch (MS17-010) and any of the other patches listed in the Microsoft blog-post above which have not yet been applied.
  • Prepare a mitigation plan for any Windows machines which are unsupported or cannot be patched in a timely fashion, for example restricting access to port 445 to the hosts that genuinely need it and disabling SMBv1 where nothing depends on it.
  • Review the list of exploits to look for non-Windows exploits which may directly affect you.
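As an added example (not part of the original post), the following PowerShell script carries out the per-host side of the immediate actions above on a Windows 8 / Server 2012 or later host: it checks whether one of the MS17-010 updates is installed, reports whether the SMBv1 server is still enabled and which firewall rules allow inbound TCP/445, and provides functions to block inbound 445 and to disable SMBv1 as a mitigation for hosts that cannot be patched. The KB numbers are our own list taken from the MS17-010 bulletin rather than from the post; verify them against the bulletin for your OS versions, and note that later cumulative updates supersede these KBs, so an absent KB is not by itself proof that a host is unpatched. Checking for Internet exposure has to be done from outside the network (for example with a port scanner on an Internet-facing host); this script only shows what the host itself would allow in.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on each Windows host (Windows 8 / Server 2012 or later for the Smb* and
# NetFirewall* cmdlets).

# Assumption: KB numbers as listed in the MS17-010 bulletin. Verify against the
# bulletin for your OS versions; later cumulative updates supersede these.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012598',                            # Windows Vista / Server 2008
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 (1507 / 1511 / 1607)
)

function Test-Ms17010Patch {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Get-HotFix writes a non-terminating error and returns nothing when none
    # of the requested KBs is installed, hence -ErrorAction SilentlyContinue.
    $installed = Get-HotFix -Id $Ms17010Kbs -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($installed) {
        foreach ($hf in $installed) {
            "$ComputerName : $($hf.HotFixID) installed on $($hf.InstalledOn)"
        }
    } else {
        "$ComputerName : no MS17-010 KB found - check for a later cumulative update before treating the host as unpatched"
    }
}

function Get-SmbExposure {
    # Is the SMBv1 server still on, and which enabled inbound rules allow TCP/445?
    $cfg = Get-SmbServerConfiguration
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SMB1Enabled     = $cfg.EnableSMB1Protocol
        Inbound445Allow = $allowRules
    }
}

function Block-InboundSmb {
    # Block inbound TCP/445 on the Public profile so that domain and private
    # file sharing keep working; use -Profile Any for hosts that should never
    # serve SMB at all. A Block rule wins over any Allow rule for the same port.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - MS17-010 mitigation' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
}

function Disable-Smb1 {
    # Mitigation for hosts that cannot be patched: turn off the SMBv1 server.
    # Confirm first that nothing still depends on it (old NAS devices, printers,
    # Server 2003 clients), since they will lose access to shares on this host.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Report only; call Block-InboundSmb / Disable-Smb1 deliberately after review.
Test-Ms17010Patch
Get-SmbExposure
```

Running the two report functions across a fleet (for example by passing the output of Get-ADComputer to Test-Ms17010Patch) gives a quick picture of which hosts still need MS17-010 and which still have SMBv1 listening; the two mitigation functions are kept separate so that they are applied as a decision rather than as a side effect of the check.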

We would also recommend the following, mid to long term actions:
  • Ensure that you have a robust Patch Management process in place to allow timely application of updates.
  • Ensure all non-vital ports are inaccessible externally across the technology environment.
  • Prepare a plan to upgrade unsupported OSes as soon as possible.


Closing thoughts


This incident also shows the importance of being prepared for the case where an attacker gains internal network access (be it through a “0 day” vulnerability or through social engineering).

Organisations should ensure that strong detection controls are in place to discover unexpected or malicious activity in the internal network, and should segment the network to make it harder for an attacker to move laterally from one part of the network to another without being detected.

Josh Grossman
Senior Information Security Consultant and Team Leader
@JoshCGrossman