Shadow Brokers EternalPulsar malware: All you need to know about the leaked NSA SMB exploits

The scale of global cyberattacks this year was massive, especially after the Shadow Brokers leaked several of the NSA's hacking tools in April. Two of the largest global ransomware attacks, the WannaCry and the NotPetya attacks, saw hackers exploit the leaked NSA cyberweapons to create widespread chaos across the globe. These attacks, however, only leveraged a portion of the leaked SMB exploits. Security experts believe that although the patches for these hacking tools have already been issued, hackers may still find other ways to launch new attacks using the leaked NSA hacking tools.

The WannaCry attacks trained the spotlight on the EternalBlue SMB exploit, which in this case provided hackers with the ability to rapidly spread the malware, given that the exploit possessed wormable features. However, EternalBlue is not the only dangerous exploit leaked by the Shadow Brokers. Other SMB exploits include EternalRomance, EternalChampion and EternalSynergy, all of which were made even more potent by the DoublePulsar backdoor, which was designed to be incorporated within the SMB exploits, to scale up the attacks.

Security experts at Cylance have since analysed all of the Shadow Brokers' leaked NSA SMB exploits, detailing their capabilities and the vulnerabilities that these hacking tools target. The researchers said the hacking tools could be considered as the "Holy Grail" for any hacker, given their ease of use and effectiveness. According to the researchers, the leaked exploits have proved to be "an unmitigated success among malware authors", especially given how "there is nearly no skill required to leverage these tools and gain unauthorized access to vulnerable systems".

When asked which of the exploits could be considered most dangerous, Cylance researchers told IBTimes UK that each of the SMB tools is designed to target a specific vulnerability, making the entire Eternal bundle highly potent as a whole, rather than as stand-alone exploits.

Eternal exploits stronger as one

"Each of the Eternal exploits is a different method of invoking a vulnerability in the SMB protocol. While WannaCry caused widespread panic utilising EternalBlue, the Shadow Brokers' own documentation suggested that it would only target Windows 7 SP 1. Eternal Romance, however, was reported to target XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2. We were able to confirm this in different test scenarios," Cylance researchers told us. "More importantly, Eternal Romance exploited the SMBv1 protocol which, unless specifically disabled, is available on each of those machines. What you find though is that the test for vulnerability is the same for each of these exploits. In order to increase the possibility of success, the Eternal suit is bundled together as opposed to just a single exploit."

Cylance researchers said the DoublePulsar backdoor, which experts previously said had successfully infected around 100,000 computers shortly after the exploit was leaked in April, functions as a backdoor providing hackers with secret access to Windows systems.

DoublePulsar backdoor can be used with other exploits

"The DoublePulsar exploit is an alteration to the machines' kernel. It is not specifically tied to the Eternal exploits. Any exploit that will allow system-level access could in theory make use of Double Pulsar. In the case of Eternal exploits, it overwrote one of the SMB registers allowing communication over SMB to interact with the payload," the Cylance researchers told us. In other words, the backdoor could also be teamed with any exploit, apart from the SMB tools leaked by the Shadow Brokers, to allow hackers unfettered access to targets' systems.

"Nothing is impossible,"the researchers responded, when asked whether it was likely that the leaked exploits could be used in new attacks, despite Microsoft already having issued patches. "The patches that have been deployed handle the specific messages in a way that prevent them from being able to cause the buffer overflow," Cylance told us. "In the case of Windows 10, SMBv1 is now no longer available. Most likely, we will see other exploits being explored as the cost to value ratio for researching a patched exploit may prove to be less beneficial. That isn't to say that others won't keep looking. However, cyber criminals will always tend to go for easy wins with very little investment required on their part."

Shadow Brokers may have more cyberweapons

Meanwhile, it is possible that the Shadow Brokers possess more of the NSA's hacking tools, which they have not yet released publicly. Cylance researchers also suggested that the NSA may not have been the Shadow Brokers' only target and may have tried stealing custom hacking tools from other nations as well.

"The full extent of the NSA breach has, for obvious reasons, never been fully disclosed. You should therefore always assume that there are undisclosed exploits ready to be used," the Cylance researchers added. "Although the quantity of exploits, may not be as numerous as we have seen with Eternal. What we need to assume though is that the NSA are not the only targets of the group, since certain nation states invest heavily in exploit development, it would be best to assume that they are likewise trying to compromise their systems as well in order to obtain more."

You can read more about Cylance's detailed blog on the Shadow Brokers' Eternal exploits here.