Shadow Brokers SMB exploits use complex code, suggest significant resources and backing

Cylance researchers reviewed all of the SMB exploits leaked by “The Shadow Brokers” earlier this year, including the Eternal exploits, and found the exploits are very well crafted and will likely remain usable for some time as systems remain unpatched.

The threat actors claim the exploits were written by the NSA, and while attribution is difficult, researchers said the code shows a level of exploit complexity not usually found without significant resources and backing.

Researchers said the modular composition of the exploits, their ease of use, their reliable, robust nature and their near-guaranteed success meant malware authors were quick to incorporate them into their own code, resulting in several widespread global outbreaks such as WannaCry, Adylkuzz and Petya-like malware campaigns, according to an Aug. 15 blog post.

The most dangerous of the exploits is EternalBlue, which targets a buffer overflow in non-paged kernel pool memory that exists because of the way the SMBv1 server converts File Extended Attributes (FEA) lists; the leaked exploit ultimately allows an attacker to execute code remotely on Windows 7 machines.

Even after the widespread WannaCry attacks, which leveraged EternalBlue, researchers found 60,000 hosts that were still vulnerable nearly two weeks later. It is unclear how many of those have since been patched, but researchers expect EternalBlue to remain a popular exploit.

The Shadow Brokers also leaked EternalRomance, which is similar to EternalBlue but targets Windows 7 SP1 machines using SMBv2 and exploits a vulnerability in the handling of SMBv1 transactions; EternalSynergy, which uses a packet type-confusion vulnerability; and EternalChampion, which takes advantage of a race condition in transaction handling.


The Eternal exploits all deliver kernel-mode shellcode whose job is to install the DoublePulsar backdoor; each exploit then relies on DoublePulsar to remotely load and execute an arbitrary payload DLL.
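Because every Eternal exploit leaves DoublePulsar behind, the backdoor itself is the most useful thing to hunt for on hosts that may have been hit. The check below is an added example, not code from Cylance or from the leaked tools: it parses SMB1 replies and applies the published DoublePulsar "ping" signature used by public scanners (nmap's smb-double-pulsar-backdoor script, among others). That signature is an assumption the example rests on: the probe is a Trans2 SESSION_SETUP request sent with Multiplex ID 0x41; an unmodified server echoes 0x41 in its reply, while an implanted host answers with Multiplex ID 0x51. The sample frames, host names, and the `build_smb1` helper are constructed here for illustration; in practice you would feed `classify_trans2_reply` the TCP payload of the reply to your own probe, or replies extracted from a capture.

```python
"""Classify SMB1 Trans2 replies for the DoublePulsar "ping" signature (added example)."""
import struct
from dataclasses import dataclass

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80            # bit 7 of the Flags byte marks a server reply
STATUS_NOT_IMPLEMENTED = 0xC0000002

# Assumed from public DoublePulsar scanners: probe MID vs. implant reply MID.
PROBE_MID = 0x41
DOUBLEPULSAR_MID = 0x51

# 32-byte SMB1 header (little-endian, no NetBIOS framing):
# magic, command, NT status, flags, flags2, PID high, signature, reserved,
# TID, PID low, UID, MID
HDR_FMT = "<4sBIBHH8sHHHHH"
assert struct.calcsize(HDR_FMT) == 32


@dataclass
class SmbHeader:
    command: int
    status: int
    flags: int
    flags2: int
    tid: int
    pid: int
    uid: int
    mid: int


def parse_smb1(packet: bytes) -> SmbHeader:
    """Parse a NetBIOS Session Service message that carries an SMB1 header."""
    if len(packet) < 36:
        raise ValueError("too short for NetBIOS + SMB1 header")
    if packet[0] != 0x00:                      # 0x00 = session message
        raise ValueError(f"unexpected NetBIOS message type {packet[0]:#x}")
    nb_len = int.from_bytes(packet[1:4], "big")
    if nb_len != len(packet) - 4:
        raise ValueError("NetBIOS length field does not match payload length")
    (magic, command, status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid_low, uid, mid) = struct.unpack(HDR_FMT, packet[4:36])
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    return SmbHeader(command, status, flags, flags2, tid,
                     (pid_high << 16) | pid_low, uid, mid)


def classify_trans2_reply(packet: bytes) -> str:
    """Verdict for the reply to a Trans2 SESSION_SETUP probe sent with MID 0x41."""
    hdr = parse_smb1(packet)
    if not hdr.flags & SMB_FLAGS_REPLY:
        return "request"                # not a server reply at all
    if hdr.command != SMB_COM_TRANSACTION2:
        return "not-trans2"             # reply to something other than our probe
    if hdr.mid == DOUBLEPULSAR_MID:
        return "doublepulsar"           # implant acknowledged the ping
    if hdr.mid == PROBE_MID:
        return "clean"                  # server simply echoed our MID
    return "unknown-mid"


def build_smb1(command, status, flags, mid, tid=0, uid=0, pid=0,
               body=b"\x00\x00\x00") -> bytes:
    """Constructed frames for testing only: NetBIOS header + SMB1 header + body."""
    hdr = struct.pack(HDR_FMT, SMB_MAGIC, command, status, flags, 0xC807,
                      pid >> 16, b"\x00" * 8, 0, tid, pid & 0xFFFF, uid, mid)
    payload = hdr + body                # body here: WordCount=0, ByteCount=0
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed sample replies, one per (hypothetical) host.
SAMPLE_REPLIES = {
    "host-a": build_smb1(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED,
                         SMB_FLAGS_REPLY | 0x18, PROBE_MID, tid=2049, uid=2048),
    "host-b": build_smb1(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED,
                         SMB_FLAGS_REPLY | 0x18, DOUBLEPULSAR_MID, tid=2049, uid=2048),
    "host-c": build_smb1(SMB_COM_NEGOTIATE, 0, SMB_FLAGS_REPLY | 0x18, PROBE_MID),
}


def scan(replies: dict) -> dict:
    """Map each host name to the verdict for its reply."""
    return {host: classify_trans2_reply(pkt) for host, pkt in replies.items()}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_REPLIES).items():
        print(f"{host}: {verdict}")
```

The NetBIOS length check and the magic check matter more than they look: a scanner that trusts the Multiplex ID alone will happily mis-classify truncated or non-SMB traffic, and a host answering with a status other than NOT_IMPLEMENTED but still MID 0x51 is exactly the case the `doublepulsar` branch is there to catch, so the verdict is keyed on the MID, not the status.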

“The security community, over the last few months, has been witness to the impact of the Eternal exploits and the efforts being made to prevent them,” a spokesperson from the Cylance Threat Guidance Team told SC Media. “Moving forward, we will probably still see attempts being made to use the Eternal exploits, most likely Eternal Romance and Eternal Blue, in an effort to target any unpatched machines.”

The spokesperson added that, overall, the susceptibility of machines to these exploits has been staggering, and that cyber criminals will always want to spread to as many systems as they can. Researchers said that even with increased awareness and the availability of patches, the vulnerabilities are unlikely to disappear soon and will be employed successfully by future malware.