BROKERS IN THE SHADOWS:
Rarely does the release of an exploit have such a large impact across the world. With the recent leak of the NSA exploit methods, we saw the effects of powerful tools in the wrong hands. On April 14, 2017, a group known as the Shadow Brokers released a large portion of the stolen cyber weapons in a leak titled “Lost in Translation.” This leak contained many exploits, some of which had already been patched a month earlier in the Microsoft SMB critical security update (MS17-010). However, many users were unable to update their systems. Even before WannaCry hit, more than 400,000 computers in approximately 150 countries were infected with one of the tools, called DoublePulsar. It is unknown whether this wave of infections was carried out by a single attacker or by multiple attackers. What is known is that it paved the way for the delivery, in May 2017, of the ransomware attack known as WannaCry.
There has not been such a large-scale exploitation of Server Message Block (SMB) since Conficker in 2008. Often turned on by default, SMB is a widely used protocol for transferring files. In our Brokers in the Shadows report, we will explore the SMB protocol and dive into the mechanisms through which these cyber tools were able to launch their attack. We will also detail many of the tools in the release, such as SMBTouch, EternalBlue, and DoublePulsar, along with EternalRocks, which wraps these tools into a single exploit suite.
Finally, we will demonstrate how IPS protected our customers on day zero.
Windows client systems use the Common Internet File System (CIFS) Protocol to request file and print services from server systems over a network.
The CIFS Protocol extends the Server Message Block (SMB) Protocol with additional security, file, and disk management support. These extensions introduce new flags, extended requests and responses, and new information levels. All of these extensions follow a request/response pattern in which the client initiates all of the requests. The exception to this pattern is the oplock break.
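The request/response pattern and its oplock-break exception can be read directly from a message header, which is useful when reviewing captured SMB traffic. The following Python classifier is an added example, not code from the original report; it goes beyond the text by also handling the SMB2 header, the constants and offsets follow the public SMB1 and SMB2 header layouts, and the helper names and sample frames are constructed for illustration.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_FLAGS_REPLY = 0x80            # set in the SMB1 Flags byte on server responses
SMB1_COM_LOCKING_ANDX = 0x24       # sent by the server as a request to break an oplock
SMB2_FLAGS_SERVER_TO_REDIR = 0x01  # set on every SMB2 message sent by the server
SMB2_OPLOCK_BREAK = 0x12

def classify(data: bytes) -> tuple:
    """Return (header family, kind) for one framed SMB message."""
    # 4-byte session header: a zero byte, then a 3-byte big-endian length.
    if len(data) < 4 or data[0] != 0:
        raise ValueError("not a session message")
    length = int.from_bytes(data[1:4], "big")
    msg = data[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated message")
    if msg[:4] == SMB1_MAGIC and length >= 32:
        command, flags = msg[4], msg[9]
        (mid,) = struct.unpack_from("<H", msg, 30)
        if flags & SMB1_FLAGS_REPLY:
            return "SMB1", "response"
        # Server-initiated break: LOCKING_ANDX request carrying the reserved MID.
        if command == SMB1_COM_LOCKING_ANDX and mid == 0xFFFF:
            return "SMB1", "oplock-break"
        return "SMB1", "request"
    if msg[:4] == SMB2_MAGIC and length >= 64:
        (command,) = struct.unpack_from("<H", msg, 12)
        (flags,) = struct.unpack_from("<I", msg, 16)
        (msg_id,) = struct.unpack_from("<Q", msg, 24)
        if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
            return "SMB2", "request"
        if command == SMB2_OPLOCK_BREAK and msg_id == 0xFFFFFFFFFFFFFFFF:
            return "SMB2", "oplock-break"
        return "SMB2", "response"
    raise ValueError("unrecognised SMB header")

def frame(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb1(command, flags, mid):     # constructed 32-byte SMB1 header, no body
    return frame(struct.pack("<4sBIBH12sHHHH", SMB1_MAGIC, command, 0, flags,
                             0, b"", 0, 0, 0, mid))

def smb2(command, flags, msg_id):  # constructed 64-byte SMB2 header, no body
    return frame(struct.pack("<4sHHIHHIIQ32s", SMB2_MAGIC, 64, 0, 0, command,
                             0, flags, 0, msg_id, b""))

if __name__ == "__main__":
    for sample in (smb1(0x72, 0x18, 1), smb1(0x72, 0x98, 1), smb1(0x24, 0x00, 0xFFFF),
                   smb2(0x00, 0, 0), smb2(0x12, 1, 0xFFFFFFFFFFFFFFFF)):
        print(classify(sample))
```

Run over reassembled TCP payloads from ports 139 and 445, the same function gives a quick inventory of which hosts still speak the SMB1 header family.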
There are three SMB protocol versions, all of which run over TCP ports 139 and 445. On a given connection, the SMB version used is decided in the following manner: