Shadow Brokers: what do we know and what can we do?

Recently the Shadow Brokers group leaked a second round of tools and exploits used by the NSA. The first round was released on April 8th in a blog post by the hacking group and mainly targeted old Linux software. This new round of exploits, released on April 14, is more upsetting, as it includes exploits targeting Windows NT up to 2012.

After the leak, Microsoft released a statement mentioning that most of the vulnerabilities released by the Shadow Brokers were fixed in an update on March 14.

However, not all of the vulnerabilities exploitable by what the Shadow Brokers released were previously patched. Oracle patched a flaw in Solaris 10 along with 298 other bugs after the leak, and at the end of April fixed a flaw in its popular cPanel software.

Here are the most critical Windows exploits found in the leak. They all exploit vulnerabilities in the SMB and NBT protocols used for file sharing and network communication:

  • ETERNALROMANCE – SMBv1, Windows XP, 2003, Vista, 7 & 2008
  • ETERNALBLUE – SMBv2, Windows XP, 2003, Vista, 7 & 2008
  • ETERNALCHAMPION – SMBv1, Windows XP, 2003, Vista, 7 & 2008
  • ETERNALSYNERGY – SMBv3, Windows 8 SP0 & Windows 2012 SP0
  • ENGLISHMANDENTIST – Targeting Outlook/Exchange leveraging OLE in TNEF email

Here is a list of exploits and tools that were identified by researchers.

In addition to the exploits, the following malicious tools were found:

  • ‘TOUCH’ scripts, which are used to verify whether a target is vulnerable.
  • DANDERSPRITZ/PEDDLECHEAP, a GUI tool and Trojan (‘implant’) used to interact with Windows systems. After the trojan infects a system, it looks for software such as anti-malware, gathers passwords and other information about the system, and uses the ‘TOUCH’ modules to find other vulnerable hosts on the same network. The GUI helps the user with several tasks such as taking screenshots and monitoring processes and logs…
  • Several Windows driver “implants” (Trojans).
  • Ripper, a tool to retrieve information from Google Chrome, Firefox and Skype.
  • YAK, a driver module that can record keystrokes (a key logger).
  • Tools to dump emails from Exchange servers, detect and kill antivirus software, edit or delete event logs…

The DanderSpritz software receiving a connection from a client.

Unfortunately, 0-days are a fact of life we have to face. We also see that these vulnerabilities are already being actively exploited in the wild to spread ransomware. Researchers have shared several IoCs (indicators of compromise) that, combined with forensic techniques, can be used to determine whether your systems have been compromised.

Antivirus companies have also started updating their malware signature databases, so the NSA trojans should be detected by now. However, it has been shown that these detections are trivial to bypass, and that neither EMET 5.5 (Enhanced Mitigation Experience Toolkit from Microsoft) nor AppLocker would stop the infection.


Exploiting ETERNALBLUE on a Windows 7 target running EMET 5.5.

Therefore, we recommend running an (updated) IDS (Intrusion Detection System) such as Snort, Suricata or another. Cisco recently published new Snort rules that you can use to detect malicious traffic generated by these exploits on your network. This, however, won’t detect a dormant (‘sleeping’) trojan. Researchers have also published tools to detect and decrypt traffic generated by the NSA trojan. Additionally, if you use YARA for malware detection, new rules have been released too.
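Network signatures catch the exploit traffic itself, but the post-infection behaviour described above (the implant using the ‘TOUCH’ modules to find other vulnerable hosts on the same network) also leaves a simple trace in ordinary host firewall logs: one source knocking on TCP 139/445 of many machines. The following script is an added example and not part of the original post or of any of the tools it mentions. It triages a Windows Firewall log (`%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log`, with logging of dropped and allowed connections enabled) for that pattern. It needs PowerShell 3 or later; `$AllowedSmbClients` is an assumed allowlist and `$SampleLog` is constructed sample data in the W3C-style format that log uses.

```powershell
# Added example (not from the original post): report hosts that reach TCP 139/445
# on several machines, the footprint of a scanner such as the 'TOUCH' modules.

$AllowedSmbClients = @('10.0.10.0/24')   # assumption: the only subnet permitted to use SMB/NBT

# Constructed sample in the pfirewall.log format (W3C-style, space separated).
$SampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-04-20 10:15:32 ALLOW TCP 10.0.10.21 10.0.0.5 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2017-04-20 10:15:40 DROP TCP 10.0.20.77 10.0.0.5 51000 445 52 S 2234567 0 8192 - - - RECEIVE
2017-04-20 10:15:41 DROP TCP 10.0.20.77 10.0.0.6 51001 445 52 S 2234568 0 8192 - - - RECEIVE
2017-04-20 10:15:41 DROP TCP 10.0.20.77 10.0.0.7 51002 139 52 S 2234569 0 8192 - - - RECEIVE
2017-04-20 10:15:42 ALLOW TCP 10.0.20.77 10.0.0.8 51003 445 52 S 2234570 0 8192 - - - RECEIVE
2017-04-20 10:16:02 ALLOW TCP 10.0.10.22 10.0.0.5 49200 80 52 S 3234567 0 8192 - - - RECEIVE
'@

function ConvertTo-IPv4Int([string]$Ip) {
    # Dotted quad -> integer, kept in Int64 so the masking below never overflows.
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = [int64]4294967295 - ([int64][Math]::Pow(2, 32 - [int]$bits) - 1)
    return ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

function Find-SmbProbes([string[]]$Lines, [string[]]$Allowed, [int]$MinTargets = 3) {
    $hits = @{}
    foreach ($line in $Lines) {
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }   # header / blank lines
        $f = $line -split '\s+'
        # Field layout from the #Fields header: 2 action, 3 protocol, 4 src-ip, 5 dst-ip, 7 dst-port, 16 path
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[16] -ne 'RECEIVE') { continue }
        if ($f[7] -ne '139' -and $f[7] -ne '445') { continue }
        $src = $f[4]
        # Clients that are allowed to use SMB/NBT are not interesting here.
        if (@($Allowed | Where-Object { Test-InCidr $src $_ }).Count -gt 0) { continue }
        if (-not $hits.ContainsKey($src)) { $hits[$src] = @{ Targets = @{}; Dropped = 0; Allowed = 0 } }
        $hits[$src].Targets[$f[5]] = $true
        if ($f[2] -eq 'DROP') { $hits[$src].Dropped++ } else { $hits[$src].Allowed++ }
    }
    foreach ($src in $hits.Keys) {
        $h = $hits[$src]
        # Many distinct targets from one unexpected source is the scan pattern; a single target
        # is still worth a look because it should not be able to reach these ports at all.
        $verdict = if ($h.Targets.Count -ge $MinTargets) { 'possible SMB scan' } else { 'unexpected SMB client' }
        [pscustomobject]@{ Source = $src; DistinctTargets = $h.Targets.Count
                           Dropped = $h.Dropped; Allowed = $h.Allowed; Verdict = $verdict }
    }
}

Find-SmbProbes -Lines ($SampleLog -split "`r?`n") -Allowed $AllowedSmbClients | Format-Table -AutoSize
```

The ALLOW entries matter as much as the DROP entries: a source that is both dropped by most hosts and accepted by one tells you which machine still exposes SMB to it. To run this against a real log, replace `$SampleLog` with `Get-Content` of the file and, for a whole network, concatenate the logs collected from several hosts before calling `Find-SmbProbes`.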

Hardening is another practice we want to put emphasis on. These exploits are a perfect example of why you should harden your systems. As Windows 7 enables SMB by default, any new installation is vulnerable to ETERNALBLUE. Disabling services that aren’t used is a step often overlooked and can greatly reduce the attack surface.

If you’re still using Windows Server 2003 or XP and for some reason upgrading is not an option, we recommend separating these servers from the corporate network.

Do not reuse passwords on any server, and put strong access control on TCP ports 139 and 445. Only the clients that really need to use SMB/NBT should be able to reach these ports. This can be done with either a firewall on the host itself or a perimeter firewall.
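The hardening steps above (disable what is not needed, restrict ports 139 and 445 to the clients that need them, and make sure MS17-010 is installed) can be applied on a Windows 7 or Server 2008 R2 host with the following script. It is an added example and not part of the original post; run it from an elevated PowerShell. The allowed subnet in `$AllowedSmbClients` and the KB numbers in `$Ms17010KbIds` are placeholders that you must fill in for your own environment and operating system, and the SMBv1 change only takes effect after a reboot.

```powershell
# Added example (not from the original post): harden SMB/NBT exposure on a
# Windows 7 / Server 2008 R2 host. Requires an elevated PowerShell session.

$AllowedSmbClients = '10.0.10.0/24'   # placeholder: the only subnet that genuinely needs SMB/NBT to this host
$Ms17010KbIds      = @('KB_FILL_IN')  # placeholder: KB numbers for this OS taken from the MS17-010 bulletin
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Disable the SMBv1 server, which several of the listed exploits target.
#    (On Windows 8 / Server 2012 use: Set-SmbServerConfiguration -EnableSMB1Protocol $false)
Set-ItemProperty -Path $SmbParams -Name 'SMB1' -Type DWORD -Value 0 -Force

# 2. Disable the SMBv1 client driver as well, so this host will not speak SMBv1 to anyone.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# 3. Host firewall: default-deny inbound, switch off the broad built-in
#    "File and Printer Sharing" rules, then allow 139/445 only from the approved subnet.
#    Block rules outrank allow rules in Windows Firewall, so scoping the allow rule with
#    remoteip is the right way to limit access; a competing "block all 445" rule would
#    also block the approved clients.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No
netsh advfirewall firewall add rule name="SMB/NBT in - approved clients only" `
    dir=in action=allow protocol=TCP localport=139,445 remoteip=$AllowedSmbClients

# 4. Verify that MS17-010 is installed on this host.
$patched = Get-HotFix | Where-Object { $Ms17010KbIds -contains $_.HotFixID }
if ($patched) { "MS17-010 installed: $($patched.HotFixID -join ', ')" }
else          { Write-Warning 'MS17-010 not found on this host; patch it before exposing SMB at all.' }

# 5. Show the resulting state for the change record.
Get-ItemProperty -Path $SmbParams | Select-Object SMB1
netsh advfirewall firewall show rule name="SMB/NBT in - approved clients only"
```

If a host has no legitimate SMB clients at all, leave out step 3’s allow rule: with the built-in sharing rules disabled and inbound default-deny, ports 139 and 445 are then unreachable from the network, which is the "disable services that aren’t used" advice in its strictest form.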

There are several security controls to consider. A resilient security architecture with several layers of defence, combined with detection and reaction capabilities, helps you handle not only these 0-days efficiently but also future vulnerabilities.

  • Decommission obsolete, unsupported operating systems (such as Windows XP and Windows 2003 servers); they are vulnerable and won’t receive patches anymore.
  • Apply critical security patches as soon as possible on Windows systems (don’t forget MS17-010).
  • If you are running any of the vulnerable software, verify that it is patched and/or running the latest version.
  • Immediately apply any update for SWIFT software as it’s been shown that SWIFT got compromised.
  • Design and implement a layered security architecture with a combination of preventive, detective and reactive security controls.
  • If you need help to identify vulnerable systems or want more information about a layered security approach, contact us.
