Christmas has come early for hackers around the world as they pour through the treasure trove of previously unseen exploits released by The Shadow Brokers (TSB). The tools were reportedly developed and utilized by the National Security Agency and are currently permeating underground criminal online forums. While the hackers are working to reverse engineer and better understand the tools, security firms and technology vendors are scrambling to develop ways to mitigate the corresponding threats they present.
The affected platforms are prolific and span the IT infrastructure spectrum, including:
- Private email servers and web-based email clients
- Business collaboration software
- Windows Operating Systems:
- 2000, XP, 2003, Vista 7, 8, 2008, 2008 R2
- Unix-based operating systems:
- Firewall Software:
- Juniper- and Cisco-based
While notably, some vendors such as Microsoft and Oracle have released updates that have already closed critical product vulnerabilities that some of these tools could exploit, administrators and users are warned that software no longer supported by Microsoft (end-of-life) is at risk.
It is imperative that all organizations refocus efforts towards maintaining fully-patched software. Patch management is a critical component of security and compliance, yet it remains a challenge year-after-year. Poor patch management is one of the primary reasons why nation-state hackers can successfully utilize tools developed more than two-decades-old, as in the case of the recent Moonlight Maze malware resurfacing.
Although it is not uncommon for zero-days and exploits to be released into the “wild,” this usually occurs sporadically throughout the course of the year. Unfortunately, TSB opened the floodgates with this huge dump of new tools and exploits never before seen. We can expect a large surge in activity as attackers attempt to take advantage of these newfound resources before potential targets can be patched. Time is of the essence, so it is important to spread the word about updating all affected systems before criminal cyber operations swing into full gear.
The following steps should be taken immediately to minimize the possibility of systems being compromised:
- Scan and review environments ASAP to identify all potentially vulnerable systems
- If unpatched software affected by these tools is being utilized, change passwords for all admin/root accounts and conduct software updates
- Consider isolating or retiring end-of-life systems from all environments
- Disable unnecessary or outdated protocols and components, i.e. SMB1, unless otherwise needed
- Enable two-factor authentication
- Audit recent administrative activity
And, most importantly, it is critical to validate patch management processes. Consider the following best practices:
- Detection – Using an up-to-date inventory of systems, identify missing patches and updates
- Assessment – Make sure that patches address issues that could potentially affect your environment
- Acquisition – Download all applicable patches
- Testing – Prior to deploying patches to production environments, test for potential issues
- Deployment – Once testing is complete, deploy to production environment
- Maintenance – Make adjustments to the process as needed to ensure patches are being deployed correctly and in a timely manner. Ensure that there is a holistic view of the state of your security.
Inaction in an unprecedented situation such as TSB dump can be catastrophic and cause significant ripple effects adversely impacting organizations for years to come. This development warrants immediate prioritization for any IT infrastructure regardless of size. By acting now and continuing to follow strict processes that institute regular patching, system monitoring, etc. negative fallout can be avoided, and an improved security posture can ultimately result.
Realizing the severity of this situation and responding accordingly, dramatically improves the odds that systems can be protected.