Friday April 21, 2017

The Shadow Brokers Make Patching a Thing

The cold light from the terminal cast an eerie glow over the insipid brew my handlers call "coffee". My eyes were tired and my carpal tunnel was flaring. Suddenly, I sensed something. At first I thought the sensation was one of guilt, as moments before I had absolutely butchered a lemon bar for breakfast. No... This was something much more sinister. I felt as though a million digital voices suddenly cried out in terror, and were suddenly silenced. I stood up from the desk in my cubicle and heard a faint cry from the back office. As I cautiously made my way to the door, I could hear a panda cub sobbing while repeating the phrase, "Shadow Brokers".

In this day and age, Server Message Block (SMB) traffic should probably not be allowed egress from your network. This is a fact that is known even in the darkest and most archaic regions of Information Technology. Unfortunately, there are always outliers.


Enter EternalBlue and its spawn, DoublePulsar. These tools are part of a nasty piece of kit recently released by the Shadow Brokers, giving nation-state power to cyber criminals around the globe. Essentially, this kit enables attackers to exploit ancient vulnerabilities present in operating systems from Windows XP to Server 2008. EternalBlue works by exploiting a remote code-execution bug in the latest version of Windows 2008 R2 (and everything prior) using the Server Message Block and NetBT protocols. Once EternalBlue's handiwork is complete, DoublePulsar steps in and establishes a command and control (C2) channel using previously obscure features built into SMB. Once a C2 channel is established, an attacker is free to wreak as much havoc as they can handle.

Kevin Beaumont, a security researcher based in the UK, states that thousands upon thousands of devices have already been infected. He also predicts that ransomware distribution is coming next.

With the advent of nation-state level cyber warfare tech being freely given to the masses, things will become much worse before they get better. If you wish to defend your network from this attack, you must simply block SMB traffic outbound and update and patch your systems. If you run SMB exposed to the open internet on a device that is vulnerable, may the odds forever be in your favor. They won't be though. Not at this rate.
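As an added example (not code from the original post), the following Python checks firewall log lines for the one thing the post says must not happen: SMB or NetBT leaving the network on TCP 445/139. The key=value log format, the "internal" address ranges and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

# "Inside" address space: RFC 1918 plus loopback/link-local, listed explicitly because
# ipaddress.is_private also covers the documentation ranges used as "outside" below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# TCP ports carrying SMB directly (445) and SMB over NetBT (139).
SMB_PORTS = {445, 139}

# Constructed firewall log lines in a generic key=value format; not real traffic.
SAMPLE_LOG = """\
2017-04-21T09:12:03Z src=10.0.5.23 dst=203.0.113.8 proto=tcp dport=445 action=allow
2017-04-21T09:12:07Z src=10.0.5.23 dst=10.0.0.10 proto=tcp dport=445 action=allow
2017-04-21T09:12:09Z src=10.0.7.41 dst=198.51.100.77 proto=tcp dport=139 action=allow
2017-04-21T09:12:11Z src=10.0.7.41 dst=198.51.100.77 proto=tcp dport=443 action=allow
2017-04-21T09:12:15Z src=10.0.9.2 dst=203.0.113.8 proto=tcp dport=445 action=deny
"""

def is_internal(addr: str) -> bool:
    """True if addr lies in one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line: str) -> dict:
    """Turn 'ts k=v k=v ...' into a dict, keeping the timestamp under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def smb_egress_report(log_text: str) -> dict:
    """SMB/NetBT flows from inside to outside: 'allowed' are findings, 'denied' a count."""
    report = {"allowed": [], "denied": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("proto") != "tcp" or int(rec.get("dport", 0)) not in SMB_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # not egress: inbound, or internal-to-internal file sharing
        if rec["action"] == "allow":
            report["allowed"].append((rec["ts"], rec["src"], rec["dst"], int(rec["dport"])))
        else:
            report["denied"] += 1
    return report

if __name__ == "__main__":
    for finding in smb_egress_report(SAMPLE_LOG)["allowed"]:
        print("SMB left the network:", finding)
```

Any entry under "allowed" is a host talking SMB to the internet, exactly the exposure the post describes; the "denied" count shows the outbound block rule doing its job.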