Kaspersky Lab’s Notice to Customers about the Shadow Brokers’ Publication from April 14

Kaspersky Lab has been reviewing the new archive released by the Shadow Brokers group on April 14. Our analysis indicates that the archive contains malicious programs, many of them detected proactively by Kaspersky Lab’s products. These include the Equation group’s EQUATIONDRUG and GRAYFISH platforms, which were first discovered in 2015 by Kaspersky Lab. In addition, the archive also contains documentation and exploits that appear to target several Microsoft products and platforms.

Based on our analysis, we can assure our customers that Kaspersky Lab’s solutions currently detect all the threats included in the published materials. We would also like to point out that many of them have been detected since 2015 through heuristic and generic methods.

According to a technical blogpost published by Microsoft, officially supported versions of Microsoft products and platforms with the latest security patches installed are safe from the vulnerabilities mentioned in the published package. Microsoft users are recommended to install the latest patches from the vendor, most notably the patches released on March 14, 2017.

Kaspersky Lab’s experts will continue working on advanced detection algorithms to ensure our products provide our customers with the maximum level of protection.

The detection names that Kaspersky Lab has added for the threats associated with this release are listed below.

Exploit name, MS bulletin, detection signatures and notes:

1. “EternalBlue”
MS Bulletin: MS17-010
Detection signatures: Exploit.Win32/64.ShadowBrokers.*; UDS:DangerousObject.Multi.Generic
Notes: SMBv1 exploitation tool, RCE. The vulnerability was fixed by Microsoft on March 14, 2017. We detect the exploitation tools and are investigating this vulnerability further to create generic defense mechanisms against similar attacks in the future.

2. “EmeraldThread”
MS Bulletin: MS10-061
Detection signatures: Trojan.Win32/64.EquationDrug.*; Exploit.Win32.RPC.*; Intrusion.Win.CVE-2010-2729.a.exploit; UDS:DangerousObject.Multi.Generic
Notes: Print Spooler vulnerability (CVE-2010-2729). This vulnerability was used by the well-known Stuxnet worm; the first exploit for it was published in 2010, so this is a well-known issue. It was addressed by MS10-061 on September 14, 2010. We have been detecting exploitation of this vulnerability since 2010.

3. “EternalChampion”
MS Bulletin: CVE-2017-0146, CVE-2017-0147 (both addressed by MS17-010)
Detection signatures: Exploit.Win32/64.ShadowBrokers.*; UDS:DangerousObject.Multi.Generic
Notes: CVE-2017-0146 is an SMBv1 server vulnerability that allows remote attackers to execute arbitrary code via specially crafted packets, aka “Windows SMB Remote Code Execution Vulnerability”. CVE-2017-0147 is an SMBv1 server vulnerability that allows remote attackers to obtain sensitive information from process memory via crafted packets, aka “Windows SMB Information Disclosure Vulnerability”. We detect the exploitation tools and are investigating these vulnerabilities further to create generic defense mechanisms against similar attacks in the future.

4. “ErraticGopher”
MS Bulletin: none; addressed prior to the release of Windows Vista
Detection signatures: Trojan.Win32/64.EquationDrug.*; Trojan.Win32/64.ShadowBrokers.*; UDS:DangerousObject.Multi.Generic
Notes: SMBv1 exploit targeting Windows XP and Server 2003. We detect the exploitation tools and are investigating this vulnerability.

5. “EskimoRoll”
MS Bulletin: MS14-068
Detection signatures: UDS:DangerousObject.Multi.Generic
Notes: Kerberos exploit targeting Windows 2000, 2003, 2008 and 2008 R2 domain controllers. This is a well-known vulnerability; it was addressed by MS14-068 on November 18, 2014. We detect the exploitation tools and are investigating this vulnerability in depth to create generic defense mechanisms against similar attacks in the future.

6. “EternalRomance”
MS Bulletin: MS17-010
Detection signatures: Trojan.Win32/64.ShadowBrokers.*; UDS:DangerousObject.Multi.Generic
Notes: SMBv1 exploit over TCP port 445 which targets Windows XP, 2003, Vista, 7, 8, 2008 and 2008 R2 and gives SYSTEM privileges. The vulnerability was fixed by Microsoft on March 14, 2017. We detect the exploitation tools and are investigating this vulnerability further.

7. “EducatedScholar”
MS Bulletin: MS09-050
Detection signatures: Exploit.Win32.CVE-2009-3103.*; Trojan.Win32/64.EquationDrug.*; Intrusion.Win.SMB.CVE-2009-3103.exploit; UDS:DangerousObject.Multi.Generic
Notes: CVE-2009-3103: Microsoft Windows Vista Gold, SP1 and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC do not properly process the command value in an SMB Multi-Protocol Negotiate Request packet, which allows remote attackers to execute arbitrary code via a crafted SMBv2 packet to the Server service. This is a well-known vulnerability; it was addressed by the MS09-050 bulletin on October 14, 2009. We have been detecting exploitation of this vulnerability since 2009.

8. “EternalSynergy”
MS Bulletin: MS17-010
Detection signatures: Trojan.Win32/64.ShadowBrokers.*; UDS:DangerousObject.Multi.Generic
Notes: SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0. The vulnerability was fixed by Microsoft on March 14, 2017. We detect the exploitation tools and are investigating this vulnerability further.

9. “EclipsedWing”
MS Bulletin: MS08-067
Detection signatures: Exploit.Win32/64.ShadowBrokers.*; Trojan.Win32/64.EquationDrug.*; UDS:DangerousObject.Multi.Generic
Notes: The well-known Server service RCE vulnerability (CVE-2008-4250). It was addressed by the MS08-067 bulletin on October 23, 2008. We detect the exploitation tools and are investigating this vulnerability further.

10. “Englishmansdentist”
MS Bulletin: none listed
Detection signatures: Trojan.Win32/64.ShadowBrokers.*
Notes: Sets Outlook Exchange WebAccess rules to trigger executable code on the client side and send email to other users. We detect the exploitation tools and are investigating this further.

11. “EsteemAudit”
MS Bulletin: none listed
Detection signatures: Trojan.Win32/64.ShadowBrokers.*
Notes: Microsoft RDP exploit and backdoor for Windows Server 2003. We detect the exploitation tools and are investigating this vulnerability further.

12. “ExplodingCan”
MS Bulletin: none listed
Detection signatures: Trojan.Win32/64.ShadowBrokers.*
Notes: Microsoft IIS 6.0 exploit that creates a remote backdoor. We detect the exploit tools and are investigating this vulnerability further.


Other malicious samples from the published materials are detected with the following verdicts:

  • Trojan.Win32/64.EquationDrug.*
  • Trojan.Win32/64.ShadowBrokers.*
  • UDS:DangerousObject.Multi.Generic
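The notice's remediation advice is to apply the Microsoft bulletins named above, most importantly MS17-010. The following PowerShell script is an added example written for this page, not Kaspersky Lab's or Microsoft's own code: it audits the local Windows host for the hotfixes those bulletins shipped with and reports whether the SMBv1 server is still enabled. The KB numbers are the ones published in the respective bulletins; the bulletin-to-KB mapping, the hashtable layout and the output format are this example's own choices. One caveat the script states itself: Get-HotFix lists only the update packages physically present, so a host patched through a later cumulative rollup that supersedes these KBs will show them as missing and must be verified another way.

```powershell
# Added example (not Kaspersky's or Microsoft's code): audit one Windows host for the
# Microsoft bulletins named in the notice, and for SMBv1 exposure.
# KB numbers are the ones each bulletin shipped with. A later cumulative rollup that
# supersedes them does not appear in Get-HotFix, so treat "NOT FOUND" as "verify".
$Bulletins = @{
    'MS08-067 (EclipsedWing)'                         = @('KB958644')
    'MS09-050 (EducatedScholar)'                      = @('KB975517')
    'MS10-061 (EmeraldThread)'                        = @('KB2347290')
    'MS14-068 (EskimoRoll)'                           = @('KB3011780')
    'MS17-010 (EternalBlue/Romance/Synergy/Champion)' = @(
        'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
        'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',              # Server 2012
        'KB4012606', 'KB4013198', 'KB4013429', # Windows 10 1507 / 1511 / 1607
        'KB4012598'                            # Windows Vista / Server 2008
    )
}

# Get-HotFix wraps Win32_QuickFixEngineering; it only knows about Windows-component updates.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($name in $Bulletins.Keys) {
    $hit = $Bulletins[$name] | Where-Object { $installed -contains $_ }
    if ($hit) { "{0,-50} present ({1})" -f $name, ($hit -join ',') }
    else      { "{0,-50} NOT FOUND - verify via superseding rollup or OS build" -f $name }
}

# SMBv1 server exposure. Windows 8 / Server 2012 and later expose it through the SMB
# cmdlets; older hosts only have the LanmanServer registry value, where an absent
# value means SMB1 is enabled (the default on those systems).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb1 = if ($null -eq $p.SMB1) { $true } else { [bool]$p.SMB1 }
}
"SMBv1 server enabled: $smb1"
if ($smb1) {
    # MS17-010 fixes the bugs; removing SMBv1 removes the attack surface used by
    # EternalBlue, EternalRomance and ErraticGopher altogether.
    # Disable-WindowsOptionalFeature needs Windows 8 / Server 2012 or later.
    "Recommendation: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"
}
```

Run it in an elevated PowerShell session on each host in scope. Hosts older than Windows 8 / Server 2012 take the registry branch; for them, and for any host whose MS17-010 KB is reported missing because a later rollup replaced it, confirm the patch level from the OS build or the update history rather than trusting the hotfix list alone.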

 
 
