This is a fantastic read for anyone who has followed the saga of the NSA and The Shadow Brokers. Mr. Krebs is doing a tremendous job running these leads to ground.
This is a nice recap of where the NSA vs. ShadowBrokers stands at the moment. I do find it mildly intriguing how damaged the NSA finds itself amidst this constant trickle feed of compromised data and formerly secret exploits. One telling line in the article references the NSA (and I am paraphrasing) as one of the premier worldwide agencies for breaking into computer systems, and yet they could not protect their own house.
I do have to agree with Bruce Schneier and others who point to a whistleblower or other insider theory on the breach. ShadowBrokers wants the NSA to suffer, both functionally and in terms of reputation.
Given the recent Equifax breach and this leak by ShadowBrokers, the cyber bad guys now have a huge list of new targets and a new tool to use against them.
Over the Easter holiday weekend, the Shadow Brokers, a hacking group that came to light over the summer of 2016, released a list of exploits and zero-day attacks targeting Microsoft Windows operating systems and applications, among other technologies. These exploits and zero-day vulnerabilities are purported to be part of a leaked set of NSA tools used for covert surveillance. This is the fifth release of information by the Shadow Brokers since August 2016. Speculation as to the motives behind this group ranges from an internal NSA whistleblower to Russian hacking and propaganda. Regardless of the motivation, these exploits and vulnerabilities pose a significant threat to many organizations and should be addressed immediately.
On Friday, April 14, 2017, Microsoft’s Security Response Center (MSRC) published a response to the list of exploits detailed in the Shadow Brokers release (the MSRC response can be found here). Fortunately, most of the exploits listed had already been addressed and patched by Microsoft prior to April 2017. The three remaining exploits are not actionable on currently supported Microsoft platforms (Windows 7 / Exchange 2010 and forward), but they are threats to unsupported, legacy Microsoft operating systems and applications. Microsoft is actively encouraging all users to upgrade to a supported platform or offering as soon as possible.
As a Microsoft user or admin, what should you do to address these threats in your environment? The following are several important steps to consider:
- Make sure that all your systems are properly patched with the most current Microsoft critical and security-related updates. Use Microsoft’s WSUS (Windows Server Update Services) or other third-party tools in your patching process to ensure you have a reporting mechanism in place, so that no systems are missed.
- Have a process in place to monitor the existence of legacy, unsupported operating systems and applications and have a plan to upgrade these systems to supported platforms before they become a risk. If you have Windows XP, Windows Vista, Windows 2003 Server, or Exchange 2003 in your environment, you are at risk.
- Strengthen your perimeter defenses by using mature firewalls and content filtering solutions to limit the amount of malicious traffic entering your network. Consider DNS-based content filtering and advanced malware protection as layers to protect against intrusions, viruses and malware that can leverage these released exploits and harm your network/computer environments.
- Do not ignore third-party applications in your patching process. Patching Windows updates alone is not enough. There are many other exploits and zero-day vulnerabilities in the wild for third-party applications that can threaten your network. There are strong third-party tools that can patch applications such as Adobe Flash, Adobe Acrobat Reader, Java and web browsers alongside your Microsoft operating systems and applications, to ensure all your systems are fully patched and monitored.
- Train your users and share threat information as it becomes available. Do not shy away from making users aware of the threats they face. Decent, focused training and timely awareness emails can make a difference. An aware user will hesitate before clicking on a suspicious link or opening an email from an unknown source, and that hesitation can and will keep malicious content off your network.
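The first two steps above (a patch-reporting mechanism so that no system is missed, and an ongoing check for the legacy platforms the post names) can be combined into a single reconciliation pass over two exports: an asset inventory and a patch-status report. The script below is an added example, not code from the original post or from Microsoft; the column layouts, the hostnames and the dates are constructed sample data, and the 14-day "stale report" threshold is an assumed policy value. It flags hosts on unsupported platforms, hosts present in the inventory but absent from the patch report (and vice versa), hosts that have not reported to the patch server recently, and hosts with outstanding updates.

```python
import csv
import io
from datetime import date

# Constructed sample asset inventory (e.g. an export from Active Directory).
# The column layout is hypothetical, not a real tool's format.
INVENTORY_CSV = """hostname,os_name
fs01,Windows Server 2012 R2 Standard
fs02,Windows Server 2003 Standard
ws-101,Windows 7 Professional
ws-102,Windows XP Professional
mail01,Windows Server 2008 R2 Standard
"""

# Constructed sample patch-status report (e.g. a WSUS computer status export).
# Note that fs02 and ws-102 never reported in, and lab-99 is unknown to the inventory.
PATCH_REPORT_CSV = """hostname,last_report_date,needed_updates
fs01,2017-04-15,0
ws-101,2017-03-01,4
mail01,2017-04-16,0
lab-99,2017-04-10,2
"""

# Platforms the post lists as out of support in April 2017.
UNSUPPORTED_PREFIXES = ("Windows XP", "Windows Vista", "Windows Server 2003")


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_unsupported(os_name):
    """True when the OS name starts with one of the legacy platform names."""
    return os_name.startswith(UNSUPPORTED_PREFIXES)


def audit(inventory_csv, patch_report_csv, as_of, max_report_age_days=14):
    """Reconcile the inventory against the patch report and return findings.

    as_of is the date the audit is run; max_report_age_days is the assumed
    policy for how long a host may go without checking in before it is stale.
    """
    inventory = parse_csv(inventory_csv)
    patch_rows = {row["hostname"]: row for row in parse_csv(patch_report_csv)}
    findings = {
        "unsupported": [],                # legacy OS, needs an upgrade plan
        "missing_from_patch_report": [],  # never checked in: patch state unknown
        "stale_report": [],               # checked in, but too long ago
        "needs_updates": [],              # reported with outstanding updates
        "unknown_to_inventory": [],       # in patch report but not in inventory
    }
    for host in inventory:
        name = host["hostname"]
        if is_unsupported(host["os_name"]):
            findings["unsupported"].append(name)
        row = patch_rows.get(name)
        if row is None:
            findings["missing_from_patch_report"].append(name)
            continue
        last_seen = date.fromisoformat(row["last_report_date"])
        if (as_of - last_seen).days > max_report_age_days:
            findings["stale_report"].append(name)
        if int(row["needed_updates"]) > 0:
            findings["needs_updates"].append(name)
    inventory_names = {host["hostname"] for host in inventory}
    findings["unknown_to_inventory"] = sorted(set(patch_rows) - inventory_names)
    return findings


if __name__ == "__main__":
    # Audit date is constructed to sit just after the April 2017 release.
    for category, hosts in audit(INVENTORY_CSV, PATCH_REPORT_CSV, date(2017, 4, 17)).items():
        print(f"{category}: {', '.join(hosts) if hosts else '(none)'}")
```

Hosts that appear in the "unsupported" and "missing_from_patch_report" lists at the same time are the ones to act on first: they run a platform the remaining exploits still apply to, and nothing is reporting their state.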
The Shadow Brokers have released a new set of NSA-related tools in the last 24 hours that have the potential to impact a large footprint of devices and users. These tools target multiple Windows operating systems and server functions. Many of these exploits are considered zero-day exploits in that there are no known patches to address the vulnerabilities. Take the time to review your perimeter defenses and educate your users to take caution when interacting online or with external resources.