Shadow Brokers Release: Microsoft Exploits and Your Business
By Jason Graf
It seems like something out of a spy novel: a covert band of cybercriminals releases details of extraordinary weaknesses in Windows, including versions Microsoft no longer supports, that could be used to wreak havoc on businesses and individuals worldwide. The Shadow Brokers release is real, and it has the potential to cause serious damage.
On April 14, 2017, the Shadow Brokers, a hacker group that first surfaced in 2016, published a trove of exploitation tools attributed to the National Security Agency (NSA) that revealed dangerous vulnerabilities in the Windows operating system running on millions of computers.
The information on the exploits is packaged with a technical framework that lets an average cybercriminal start hacking quickly using this knowledge. Although Microsoft has already released updates that remove the vulnerabilities in currently supported operating systems, many businesses remain exposed as they race to patch their networks or continue to run antiquated software that cannot be updated.
For the purpose of this article, we will focus on what IT staff, managers, and business leaders can do to keep systems online and businesses running. We will discuss why you should care about the data released and what impact it could have on your business. We will also discuss what you need to be doing to discover potentially vulnerable systems in your business and how to protect them.
The released exploits mainly target Server Message Block (SMB), NetBIOS over TCP/IP (NetBT), and the Remote Desktop Protocol (RDP). You may not know these services by their technical names, but you almost certainly use them every day. SMB (445/TCP) is used for file and printer sharing; NetBT (137/UDP, 138/UDP, 139/TCP) is the older transport that carries NetBIOS name resolution and legacy SMB sessions over TCP/IP; RDP (3389/TCP) provides remote access to a Windows desktop.
The questions you should be asking to ensure you are protected from these exploits:
Is my business vulnerable to the Shadow Brokers release?
1. Does your business have Windows systems exposed to the Internet that provide access to SMB, NetBT, or RDP services?
2. Are those Internet-exposed Windows systems fully patched with the latest updates from Microsoft?
3. Does your business still utilize unsupported Windows operating systems such as Windows Server 2003 and Windows XP?
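The three questions can be answered largely from the domain itself. The following is an added example, not part of the original article: it pulls the computer inventory from Active Directory, flags operating systems Microsoft no longer patches, and then asks each supported host whether SMB1 is still enabled, which of the targeted ports are listening, and how many applicable updates have not been installed. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell remoting (WinRM) enabled on the targets, and an account with local administrator rights on them; the `$unsupportedPattern` string and the output layout are the author's own choices.

```powershell
# Added example, not part of the original article. Answers the three questions above
# for a domain. Assumes: the RSAT ActiveDirectory module on the admin workstation,
# PowerShell remoting (WinRM) enabled on the targets, and an account that is a local
# administrator on them. Get-SmbServerConfiguration and Get-NetTCPConnection exist only
# on Windows 8 / Server 2012 and later, which is fine: anything older is exactly what
# question 3 is looking for and will simply be missing from the second table.
Import-Module ActiveDirectory

# Operating systems Microsoft no longer patches (pattern is this example's assumption).
$unsupportedPattern = 'Windows XP|Windows Server 2003|Windows 2000'

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

# Question 3: unsupported operating systems still joined to the domain.
$unsupported = $computers | Where-Object { $_.OperatingSystem -match $unsupportedPattern }
"Unsupported operating systems ($($unsupported.Count)):"
$unsupported | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Format-Table -AutoSize

# Questions 1 and 2 on the supported hosts: is SMB1 still enabled, which of the
# targeted ports are listening, and how many applicable updates are not installed?
$supported = $computers | Where-Object { $_.OperatingSystem -notmatch $unsupportedPattern }
$report = Invoke-Command -ComputerName $supported.Name -ErrorAction SilentlyContinue -ScriptBlock {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $ports = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in @(139, 445, 3389) } |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    # Windows Update Agent COM API: updates that apply to this host but are not installed.
    # The agent refuses download and install calls from a remote session, so this is a
    # read-only check; it does not change the host.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates.Count
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        SMB1Enabled    = $smb1
        ListeningPorts = ($ports -join ',')
        PendingUpdates = $pending
    }
}
"Supported hosts, worst first:"
$report | Sort-Object PendingUpdates, SMB1Enabled -Descending |
    Select-Object Host, SMB1Enabled, ListeningPorts, PendingUpdates |
    Format-Table -AutoSize
```

A listening port on a host is not the same thing as Internet exposure, which is decided at the perimeter. Pair this inside-out view with an outside-in one: scan your public address ranges from outside the firewall for 137/UDP, 139/TCP, 445/TCP and 3389/TCP (nmap does this), and treat any hit as question 1 answered "yes".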
Exposing SMB, NetBT, and RDP to the Internet
Exposing SMB, NetBT, and RDP to the Internet has long been a risky scenario for businesses. Our assessment team regularly advises customers to filter or disable these services so they are not Internet accessible. Simply disabling or filtering them greatly reduces the risk, because an attacker must first get inside the network before the exploit can be used. The recently released exploits are just the latest; there will surely be more. Any reason for these services to be reachable from the Internet should be closely scrutinized and, where possible, eliminated. A Virtual Private Network (VPN) can often remove the exposure while still providing the needed functionality.
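The primary fix belongs on the perimeter firewall (no inbound rules or port forwards for these services), but the same scoping can be enforced on each Windows host as defense in depth. The following is an added example, not from the original article: it shows the weak state (built-in rules whose remote scope is "Any") and the corrected state, where inbound traffic is dropped by default and the file-sharing and RDP rules accept only internal sources. The address ranges in `$internal` are assumptions standing in for your LAN and VPN client pool; run it elevated on Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original article. Makes SMB, NetBT and RDP reachable
# only from internal address space on a Windows host with the built-in firewall.
# ASSUMPTIONS: the ranges below are your LAN and VPN client pool; run elevated;
# Windows 8 / Server 2012 or later for the NetSecurity and SmbShare cmdlets.
$internal = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# Weak state: built-in rules for these services whose remote scope is still "Any".
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing', 'Remote Desktop' -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile

# Corrected state, step 1: "not explicitly allowed" must mean "dropped" on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Step 2: keep the service rules (SMB 445, NetBT 137-139, RDP 3389), but only for
# internal sources. VPN clients land inside $internal and keep working.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -RemoteAddress $internal
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $internal

# Step 3: the released SMB exploits target the SMB1 dialect; turn it off unless a
# legacy client genuinely needs it (and if one does, that client is the real problem).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verify: every remaining rule scope should list only the internal ranges, SMB1 off.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing', 'Remote Desktop' -Enabled True |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Windows evaluates block rules before allow rules and applies the profile's default action to anything unmatched, so scoping the allow rules is enough; no explicit block rule is needed, and adding one with a remote address of "Any" would cut off internal users too. Apply the same rules through Group Policy rather than host by host once they are proven on one machine.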
Patch Status of Systems
Understanding your assets and their current update status is extremely important. Microsoft has already released updates that address the vulnerabilities exposed by the Shadow Brokers; the SMB fixes shipped in security bulletin MS17-010 in March 2017, a month before the release. While Microsoft's quick action to provide a fix is encouraging, it does not mean the work is over. Businesses must now ensure the associated patches are actually applied. Once everything supported is patched, turn your attention to the unsupported operating systems.
Unsupported Operating Systems
Many unsupported operating systems and applications still in use in the business world will never be patched against the dangerous vulnerabilities revealed by the Shadow Brokers. If your business still relies on Windows Server 2003 or Windows XP, you are playing with fire. Business leaders and management should push hard to understand why these operating systems still exist in their environment. The risk of keeping these outdated and unsupported operating systems has become critical.
The worst thing you can do is assume it will not happen to you, or believe that it is being taken care of by somebody else. Your IT staff might be smart, good at what they do, and have years of great experience, but they also carry the burden of keeping everything running and fixing what is broken. That means updating systems and removing unsupported operating systems is often not a priority.
What should I do with this information?
First, make sure your IT staff and leadership are aware of the recently released vulnerabilities and exploits. Priority should be placed on ensuring all systems are patched with the latest Microsoft Windows updates. Next, pay careful attention to discovering any unsupported operating systems in your environment. Once they are discovered, management should understand why the systems are still in place and decide how to mitigate the risk. Finally, evaluate all services accessible from the Internet, especially SMB and RDP, and ensure none of them expose your business to compromise.
What if I need help understanding the security posture of my business?
Performing a Network Vulnerability Assessment (NVA) will give IT staff and management the information they need to understand their current security posture. The assessment analyzes your systems to identify areas that are not secure, with steps to resolve each finding. The delivered report not only gives your IT staff the information needed to resolve the problems but also gives management the resource they need to be confident in the status of their environment. A Penetration Test (PT), typically combined with an NVA, uses the information gathered in the NVA to exploit the assessed systems. Exploiting the systems documents the level of access an attacker could obtain in a compromise, and that documentation gives management what they need to assign the appropriate level of risk. The NVA tells you something is wrong. The PT shows you what happens when something wrong is not fixed, and provides the proof that a high level of risk has been identified.
In short, the key to protecting yourself against the Shadow Brokers release is to know your systems and update them regularly. Evaluate what is exposed to the Internet, especially SMB and RDP. Don't keep old, unsupported operating systems alive on your network. The days of using outdated systems until "the wheels fall off" are gone. The threat of exploitation is here.