In mid-April 2017, a group of threat actors known as the “Shadow Brokers” released a large collection of offensive security tools and data to the world. Within a month, other threat actors combined two of those tools, the EternalBlue exploit and the DoublePulsar backdoor, to infect thousands of computers with WannaCry ransomware in close to 100 countries, hitting the UK’s National Health Service (NHS), Spain’s Telefonica and FedEx among others. Learn more here: http://blog.talosintelligence.com/2017/05/wannacry.html.

These tools, allegedly originating from the NSA, include multiple exploits and post-exploitation tools targeting a variety of software and hardware. The most notable are EternalBlue, DoublePulsar, and Fuzzbunch. Fuzzbunch is a framework for launching many of the released exploits: with it, a threat actor can fire exploits such as EternalBlue at unpatched Windows targets that expose SMB, deploy backdoors such as DoublePulsar, and gain full remote access to the victim machines.

The good news in all of this is that these vulnerabilities are not 0-days. Microsoft patched them in March 2017 (bulletin MS17-010), before the “Shadow Brokers” released the tools, and the updates are available to apply to any potentially affected system.

At the time the “Shadow Brokers” collection was released, Armor had already taken multiple steps to ensure the best security posture possible.

To protect your systems, we suggest you take the following steps:

  1. Block TCP ports 139 and 445 from public access as soon as possible. EternalBlue has to reach an SMB listener, so an Internet-exposed SMB port is the attack surface.
  2. Patch all Windows-based systems. Microsoft bulletin MS17-010 covers the SMBv1 vulnerabilities and the updates for each supported version: https://technet.microsoft.com/library/security/MS17-010
  3. If SMBv1 is not required, disable it. This article shows how for each Windows version: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  4. Isolate legacy systems that no longer receive regular updates, e.g., Windows Server 2003, Windows XP, Vista. (Microsoft later issued out-of-band MS17-010 fixes for Windows XP and Server 2003; apply them where isolation is not possible.)
  5. If possible, search your systems for the file names and hashes listed below and block the listed command-and-control IPs at the perimeter. A hit on either means the host should be treated as compromised, not merely patched.
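Steps 1 and 3 above, as one script. This is an added example, not code from the original advisory: it creates an inbound firewall rule for TCP 139/445 and turns SMBv1 off in the way appropriate to the Windows version. The rule name, the use of the built-in "Internet" remote-address keyword (anything outside the local subnets) and the registry fallback for Windows 7 / Server 2008 R2 are choices made here; the registry value itself is the one Microsoft's article above documents. Run it in an elevated PowerShell session on Windows 8 / Server 2012 or later for the cmdlet path.

```powershell
# Added example (not from the original advisory): harden a Windows host per
# steps 1 and 3 above. Elevated PowerShell required. The NetSecurity and
# SmbShare modules exist on Windows 8 / Server 2012 and later; on Windows 7 /
# Server 2008 R2 only the registry branch below applies.
$ErrorActionPreference = 'Stop'

# Step 1: block inbound SMB (TCP 139/445) from non-local networks.
# "Internet" is the firewall's built-in address-set keyword for anything that
# is not a local subnet; use -RemoteAddress Any if the host should not serve
# SMB at all. The rule name is an arbitrary choice made for this example.
$ruleName = 'Block inbound SMB from Internet (MS17-010)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Step 3: disable the SMBv1 server. On Windows 8 / Server 2012 and later the
# Smb cmdlets do it; on Windows 7 / Server 2008 R2 the same switch is the
# SMB1 DWORD under LanmanServer\Parameters (0 = disabled), which takes effect
# after a restart.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
} else {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
}

# Where the optional feature exists (Windows 8.1/10, Server 2012 R2+), remove
# it too, which drops the SMB1 client and server components from the box.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Verify: SMBv1 state and the port filter attached to the new rule.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
}
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
```

The firewall rule is a stopgap for hosts that cannot be patched immediately; it does nothing for lateral movement from an already-infected peer on the same subnet, which is why step 2 (MS17-010) is the actual fix and step 3 removes the vulnerable protocol entirely.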

Indicators of Compromise

File names (SHA-256 hash, file name)

  • d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa b.wnry
  • 055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622 c.wnry
  • 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c r.wnry
  • e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b s.wnry
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 taskdl.exe
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d taskse.exe
  • 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 t.wnry
  • b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 u.wnry

CnC IPs (defanged with [.]; port given where one was observed)

  • 188[.]166[.]23[.]127:443
  • 193[.]23[.]244[.]244:443
  • 2[.]3[.]69[.]209:9001
  • 146[.]0[.]32[.]144:9001
  • 50[.]7[.]161[.]218:9001
  • 217[.]79[.]179[.]77
  • 128[.]31[.]0[.]39
  • 213[.]61[.]66[.]116
  • 212[.]47[.]232[.]237
  • 81[.]30[.]158[.]223
  • 79[.]172[.]193[.]32
  • 89[.]45[.]235[.]21
  • 38[.]229[.]72[.]16
  • 188[.]138[.]33[.]220

Observed hash values (SHA-256)

  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
  • 428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
  • 5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
  • 62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
  • 72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
  • 85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
  • a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
  • a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
  • 7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
  • a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
  • fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
  • 9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
  • 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982

Snort rules: 42329-42332, 42340, 41978
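A sweep that applies the indicators above (step 5 of the recommendations), as an added example that is not part of the original advisory. It hashes files under a set of roots and matches them against the listed names and SHA-256 values, then searches a firewall log for the listed CnC addresses after refanging them. The default roots, the log path and treating the log as plain text with one record per line are illustrative assumptions; the hash table carries the file-name hashes plus two of the observed hashes, and the rest of the list is added the same way. Needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the original advisory): sweep for the WannaCry
# indicators listed above. Assumptions: $Roots and $LogPath are illustrative
# defaults; the log is read as plain text, one record per line.
param(
    [string[]] $Roots   = @('C:\Windows', 'C:\Users', 'C:\ProgramData'),
    [string]   $LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
)

# SHA-256 -> label, from the file-name and observed-hash lists above (subset;
# extend with the remaining observed hashes in the same form).
$KnownHashes = @{
    'd5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa' = 'b.wnry'
    '055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622' = 'c.wnry'
    '402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c' = 'r.wnry'
    'e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b' = 's.wnry'
    '4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79' = 'taskdl.exe'
    '2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d' = 'taskse.exe'
    '97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6' = 't.wnry'
    'b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25' = 'u.wnry'
    'ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa' = 'observed hash'
    '24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c' = 'observed hash'
}
$KnownNames = @('b.wnry', 'c.wnry', 'r.wnry', 's.wnry', 't.wnry', 'u.wnry', 'taskdl.exe', 'taskse.exe')

# CnC entries exactly as printed above; drop any :port and refang for matching.
$DefangedCnc = @(
    '188[.]166[.]23[.]127:443', '193[.]23[.]244[.]244:443', '2[.]3[.]69[.]209:9001',
    '146[.]0[.]32[.]144:9001', '50[.]7[.]161[.]218:9001', '217[.]79[.]179[.]77',
    '128[.]31[.]0[.]39', '213[.]61[.]66[.]116', '212[.]47[.]232[.]237', '81[.]30[.]158[.]223',
    '79[.]172[.]193[.]32', '89[.]45[.]235[.]21', '38[.]229[.]72[.]16', '188[.]138[.]33[.]220'
)
$CncIps = $DefangedCnc | ForEach-Object { ($_ -split ':')[0] -replace '\[\.\]', '.' }

function Test-FileIoc {
    param([System.IO.FileInfo] $File)
    $match = @()
    $hash  = $null
    $known = $null
    if ($KnownNames -contains $File.Name) { $match += 'name' }
    # The dropped components are small; skipping large files keeps the sweep fast.
    if ($File.Length -lt 20MB) {
        $hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $KnownHashes.ContainsKey($hash)) { $match += 'hash'; $known = $KnownHashes[$hash] }
    }
    if ($match.Count -gt 0) {
        [pscustomobject]@{ Path = $File.FullName; Match = ($match -join '+'); Sha256 = $hash; Known = $known }
    }
}

$fileHits = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-FileIoc -File $_ }
}

# Log sweep: dots are regex-escaped and the match is bounded by non-digit,
# non-dot characters so 2.3.69.209 does not fire on 12.3.69.2090.
$pattern = '(?<![\d.])(' + (($CncIps | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(?![\d.])'
$netHits = if (Test-Path -LiteralPath $LogPath) { Select-String -LiteralPath $LogPath -Pattern $pattern }

"File hits: $(@($fileHits).Count)"
$fileHits | Format-Table -AutoSize
"Log lines mentioning CnC IPs: $(@($netHits).Count)"
$netHits | Select-Object LineNumber, Line
```

A name-only match (for example a stray taskse.exe with an unknown hash) is worth a look but is weaker than a hash match; a hash match on any of the listed values is WannaCry on disk and the host should be pulled off the network before anything else is done.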

References/Sources