A massive ransomware attack has hit companies and organizations in over 99 countries causing tremendous business and civil disruption. The attack appears to stem from the use of stolen hacking tools that have been published by a group called the Shadow Brokers. The ransomware attacks appear to be the latest fallout relating to the EquationGroup release, specifically the proliferation of Windows backdoors such as the Doublepulsar attack. The Doublepulsar backdoor targeted Windows SMB protocol, which runs on port 445.
How pervasive is the attack?
Approximately 2.5%+ of all internet connections exposing SMB/Port 445 are actively compromised, and the number appears to be holding steady. Although Microsoft released a fix for the vulnerability in March, users of legacy versions of Windows and those who have ignored updates are at still at risk for infection.
The massive uptick in global attacks are the direct result of script kiddies around the world gaining access to advanced, weaponized exploit frameworks that were previously leveraged only by top-tier intelligence agencies and/or state-sponsored attackers. The bar has been significantly lowered regarding the difficulty of exploitation, and the number of individuals now able to engage in advanced attack campaigns is limitless.
Who are the Shadow Brokers?
The Shadow Brokers refers to a hacking group that first publicly emerged around August 2016. The first public communication from the ShadowBrokers was when it was announced that they were auctioning off a suite of stolen hacking tools in exchange for 100 Bitcoins. An encrypted archive was made public, and the encryption password was promised in exchange for the auction.
The hacking tool suite is known as the EquationGroup, and subsequent public announcements from the group included screenshots of what they claimed to be directory structures and file names from the archive.
What is the EquationGroup?
The EquationGroup was first profiled by Kaspersky labs and classified as an Advanced Persistent Threat group, which is another term for a state sponsored hacking group. Additionally, Multiple researchers have published theories that claim the EquationGroup is linked with various branches of the NSA.
When did these tools get released?
On April 7, 2016, the ShadowBrokers released the encryption password to the public on social media, despite having not met the auction goal. The post on their social media account claimed the password was released with the motivation of hacktivism.
On April 14, the ShadowBrokers released an additional archive of hacking tools, posting a link to download the archive, as well as the archive password.
Where are these newly available tools?
The archives of hacking tools that were released by the ShadowBrokers contains a collection of over 13 years of attack campaigns (ranging from the years 2000 – 2013). Various advanced forms of malware were made public, such as persistent firmware malware and other advanced methods of maintaining stealth persistent access.
Perhaps some of the most intriguing tools were an assortment of weaponized exploits which appear to have been custom made for use in the EquationGroup. Researchers on Twitter discovered a comprehensive custom exploitation framework, similar in concept to Metasploit, which was being leveraged by the attackers.
The exploits being used in the attacks were reverse engineered by information security researchers, and many of their findings were published on Twitter.
It was discovered that there were multiple weaponized attacks that took advantage of vulnerabilities within Samba shares (on Linux and Windows), as well as exploits that took advantage of vulnerable routers, mail servers, and various sample of post-exploitation malware.
How did the releases from the EquationGroup impact scores within the SecurityScorecard platform?
The biggest impact of the EquationGroup release seems to have been the proliferation of the DoublePulsar backdoor which impacts SMB and RDP protocols on Windows machines. It seems that hackers are now leveraging this attack vector in this attack.
Customers who have been making use of the SecurityScorecard platform have the ability to see which companies they are associated with are at risk of a Doublepulsar infection, and remediation action could be taken in the appropriate amount of time.