Shadowbroker releases alleged NSA EquationGroup Exploit Code Dump (Easter Egg) on Good Friday, 4/14/2017.

The SonicWall Threats Research team is actively researching the exploit and malware code released on Good Friday (4/14/2017) by an anonymous group calling itself “Shadowbroker”, which claims to have stolen the cache of code and documents from a hacking team within the United States National Security Agency (NSA). We are issuing this SonicAlert to update our customers on the security measures we are putting in place to protect against these newly disclosed threats.

On the same day as the Shadowbroker release, Microsoft published a blog post to reassure its customers that:
“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.” (Microsoft Security Response Center)

FuzzBunch Exploitation Framework

Included in the released files is a set of executables and scripts that together form a custom-built exploitation framework called “fuzzbunch”. The framework is launched from ‘fb.py’ and is shown in the screenshots below.

The exploit shown here is “EternalBlue”, which targets the SMB protocol and delivers the DoublePulsar payload. It requires that the attacker can reach the target on TCP/445; in practice this means the attacker is already on the same LAN, or the target’s LAN is reachable from the attacking machine through open ports. As noted in the Microsoft blog post above, this attack is already addressed by MS17-010.
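Because the attack depends on TCP/445 being reachable, one useful defender check is to look for allowed SMB connections that arrive from outside the local network. The following is an added example (not SonicWall code); it assumes a simple constructed firewall log format and RFC 1918 ranges as the trusted internal networks.

```python
"""Flag allowed SMB (TCP/445) connections whose source lies outside the LAN.
The MS17-010 exploits need TCP/445 reachability, so an allowed connection
from a non-internal address is exactly the exposure worth investigating.
The log layout below is constructed for this example (hypothetical, not a
real SonicWall log format)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines: "<timestamp> <action> <src> -> <dst> tcp/<port>"
SAMPLE_LOG = """\
2017-04-14T10:02:11Z allow 192.168.1.20 -> 192.168.1.10 tcp/445
2017-04-14T10:02:15Z allow 203.0.113.7 -> 192.168.1.10 tcp/445
2017-04-14T10:02:19Z allow 203.0.113.9 -> 192.168.1.10 tcp/443
2017-04-14T10:02:22Z deny 198.51.100.4 -> 192.168.1.11 tcp/445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+)\s+tcp/(?P<port>\d+)$"
)

# Assumption: RFC 1918 space is the trusted LAN; adjust to the real topology.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the trusted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Return allowed TCP/445 connections from sources outside INTERNAL_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        if m["port"] != "445" or m["action"] != "allow":
            continue  # only allowed SMB connections are of interest
        if not is_internal(m["src"]):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for h in find_external_smb(SAMPLE_LOG):
        print(f"{h['ts']} external SMB from {h['src']} to {h['dst']}")
```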

1. Running and configuring the exploit framework:

2. Loading the EternalBlue module and executing the SMB exploit:

3. Loading the DoublePulsar payload and pinging the installed backdoor:

4. The Windows 7 target process (PID 4) that has been compromised:

SonicWALL Intrusion Prevention Service (IPS) provides protection against the following threats:

  • EternalBlue, EternalSynergy, EternalRomance (IPS: 12700, 12700, 12792, 12794, 12786, 12787, 12801, 12800, 12795, 12796)
  • EmeraldThread (IPS: 5691)
  • EducatedScholar (IPS: 4555, 2032)
  • EclipsedWing (IPS: 5777, 1250)
  • EternalChampion (IPS: 12786, 12787)
  • EsteemAudit (GAV: CVE-2017-9073)

SonicWALL Gateway Anti-Virus (GAV) provides the following protections:

  • GAV: Shadowbrokers.D (Trojan)
  • GAV: Shadowbrokers.D_2 (Trojan)
  • GAV: Shadowbrokers.A (Hacktool)
  • GAV: Shadowbrokers.A_2 (Hacktool)
  • GAV: Shadowbrokers.G (Hacktool)
  • GAV: Shadowbrokers.EG
  • GAV: Shadowbrokers.D_6
  • GAV: Shadowbrokers.D_5
  • GAV: Shadowbrokers.E
  • GAV: Shadowbrokers.C1_3
  • GAV: Shadowbrokers.C1
  • GAV: Shadowbrokers.DZ
  • GAV: Shadowbrokers.A_4
  • GAV: Shadowbrokers.D_4