Shadowbroker releases alleged NSA EquationGroup Exploit Code Dump on Good Friday, 4/14/2017.

April 20, 2017

The SonicWall Threats Research team is actively researching the exploit and malware code released on Good Friday (4/14/2017) by an anonymous group calling itself “Shadowbroker”, which claims to have stolen the cache of code and documents from a hacking team within the United States National Security Agency (NSA). We are publishing this SonicAlert to update our customers on the security measures we are putting in place to protect against these newly disclosed threats.

On the same day as the Shadowbroker release, Microsoft published a blog to reassure Microsoft customers that:
“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.” (Microsoft Security Response Center)

FuzzBunch Exploitation Framework

Included in the released files is a set of executables and scripts that together form a custom-built exploitation framework called “fuzzbunch”. The framework is launched from ‘fb.py’ and is shown in the screenshots that follow.

The exploit shown here is “EternalBlue”, which targets the SMB protocol and delivers the Doublepulsar payload. It requires that the attacker can reach the target on TCP/445. In practice this means that the attacker is already on the same LAN, or that the target’s LAN is reachable through open ports from the attacking machine. As noted in the Microsoft blog (above), this attack is already addressed by MS17-010.
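The reachability requirement just described (TCP/445 open from the attacker to the target) is also what a defender can audit for. The following Python script is an added illustration for this alert, not SonicWall's code and not part of the released framework. It runs over a few constructed firewall log lines and reports two conditions: SMB connections allowed in from addresses outside the assumed RFC 1918 internal ranges (external exposure of TCP/445), and a single internal host opening SMB to many peers in the log (the fan-out that host-to-host spread over SMB would produce). The log line format, the internal address ranges and the fan-out threshold are all assumptions chosen for the example.

```python
"""Flag TCP/445 (SMB) exposure and internal SMB fan-out in firewall logs.

Added example for this advisory; not SonicWall's code. The log format,
internal ranges and threshold below are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original advisory).
# Assumed format:
#   <timestamp> <ALLOW|DENY> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOGS = """\
2017-04-18T10:02:11Z ALLOW TCP 203.0.113.45:51233 -> 10.0.0.12:445
2017-04-18T10:02:14Z DENY  TCP 198.51.100.7:40001 -> 10.0.0.12:445
2017-04-18T10:03:01Z ALLOW TCP 10.0.0.5:49152 -> 10.0.0.12:445
2017-04-18T10:03:02Z ALLOW TCP 10.0.0.5:49153 -> 10.0.0.13:445
2017-04-18T10:03:03Z ALLOW TCP 10.0.0.5:49154 -> 10.0.0.14:445
2017-04-18T10:03:04Z ALLOW TCP 10.0.0.5:49155 -> 10.0.0.15:445
2017-04-18T10:03:05Z ALLOW TCP 10.0.0.5:49156 -> 10.0.0.16:445
2017-04-18T10:03:09Z ALLOW TCP 10.0.0.9:50000 -> 10.0.0.20:443
2017-04-18T10:03:10Z ALLOW TCP 10.0.0.9:50001 -> 10.0.0.12:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMB_PORT = 445
# Hypothetical threshold: distinct internal SMB targets per source host.
FANOUT_THRESHOLD = 5
# Assumed "internal" address space: the RFC 1918 private ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, fanout_threshold=FANOUT_THRESHOLD):
    """Return SMB findings: external exposure and internal fan-out."""
    external_allowed = []          # (src, dst) pairs allowed in from outside
    external_denied = 0            # outside attempts the firewall blocked
    targets_by_source = defaultdict(set)  # internal src -> set of internal dsts

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != SMB_PORT:
            continue
        if not is_internal(rec["src"]):
            if rec["action"] == "ALLOW":
                external_allowed.append((rec["src"], rec["dst"]))
            else:
                external_denied += 1
            continue
        if rec["action"] == "ALLOW" and is_internal(rec["dst"]):
            targets_by_source[rec["src"]].add(rec["dst"])

    fanout = {
        src: sorted(dsts)
        for src, dsts in targets_by_source.items()
        if len(dsts) >= fanout_threshold
    }
    return {
        "external_smb_allowed": external_allowed,
        "external_smb_denied": external_denied,
        "smb_fanout": fanout,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Any entry under `external_smb_allowed` means TCP/445 is reachable from outside and the host should be treated as exposed until MS17-010 is confirmed installed; a host listed under `smb_fanout` warrants a look regardless of patch status, since it is talking SMB to many peers in a short window.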

1. Running and configuring the exploit framework:

2. Loading the EternalBlue module and executing the SMB exploit:

3. Loading the Doublepulsar payload and pinging the installed backdoor:

4. This is the Windows 7 target process (PID 4) that has been compromised:

SonicWALL Intrusion Prevention Service (IPS) provides protection against the following threats:

  • EternalBlue, EternalSynergy, EternalRomance (IPS: 12700, 12792, 12794, 12786, 12787, 12801, 12800, 12795, 12796)
  • EmeraldThread (IPS:5691)
  • EducatedScholar (IPS:4555,2032)
  • EclipsedWing (IPS:5777,1250)
  • EternalChampion (IPS: 12786, 12787)
  • EsteemAudit (GAV: CVE-2017-9073)

SonicWALL Gateway Anti-Virus (GAV) provides the following protections:

  • GAV: Shadowbrokers.D (Trojan)
  • GAV: Shadowbrokers.D_2 (Trojan)
  • GAV: Shadowbrokers.A (Hacktool)
  • GAV: Shadowbrokers.A_2 (Hacktool)
  • GAV: Shadowbrokers.G (Hacktool)
  • GAV: Shadowbrokers.EG
  • GAV: Shadowbrokers.D_6
  • GAV: Shadowbrokers.D_5
  • GAV: Shadowbrokers.E
  • GAV: Shadowbrokers.C1_3
  • GAV: Shadowbrokers.C1
  • GAV: Shadowbrokers.DZ
  • GAV: Shadowbrokers.A_4
  • GAV: Shadowbrokers.D_4