影子经纪人大规模披露Windows漏洞,ShadowBrokers工具包

Category: Industry Focus

Yesterday they disclosed a new batch of material, claiming that the US National Security Agency (NSA) had compromised the Society for Worldwide Interbank Financial Telecommunication (SWIFT). This is the most aggressive content the Shadow Brokers have ever dumped, and it contains more than just tools. The report from foreign media is as follows.

The last time one nation used multiple 0days to attack another nation's critical infrastructure was Stuxnet, launched against Iran's nuclear enrichment program. This time the NSA likewise used multiple 0days in order to gain wide-ranging access to the targeted infrastructure. In this case, if the Shadow Brokers' claims are indeed verified, it appears that the NSA tried to take full hold of the backbone of the international financial system, planting an all-seeing eye inside a SWIFT Service Bureau and the networks of its member institutions. This is standard procedure for covert operations, whether or not it is legal in a technical sense. If the United States had a specific target within the region's financial system, the NSA would use other means rather than relying solely on good-faith compliance procedures, standard diplomatic requests, or cooperation with the SWIFT Service Bureau.

A few hours ago (April 14) the ShadowBrokers disclosed another batch of documents, in the following three categories:

This disclosure includes logs, Excel files and even top-secret PowerPoint files. This is the first time that has happened, which means the ShadowBrokers certainly hold more than just tools.

SWIFT

IMHO, this is the most interesting content. It mentions two programs:

  • JEEPFLEA_MARKET

  • JEEPFLEA_POWDER

This is the second major SWIFT hacking incident discovered in less than two years; the previous one was allegedly carried out by the North Korean government. The documents contain evidence, credentials and internal architecture information for EastNets, the largest SWIFT Service Bureau in the Middle East, which provides many services related to SWIFT transactions, such as regulatory compliance, KYC and anti-money laundering.

According to TreasuryAndRisk, 70% of SWIFT customers choose a service bureau in order to avoid the high upfront investment and the operating cost of maintaining their own connection to the SWIFT infrastructure. On the official partner website we can see that there are 74 SWIFT Service Bureaus worldwide, including EastNets and its partner BCG in Panama/Venezuela.


A SWIFT Service Bureau is like a cloud service for banks: when it comes to their SWIFT transactions and messages, the service bureau hosts and manages the banks' transactions using Oracle databases and SWIFT software. This is why we see these service bureaus also offering KYC, compliance and anti-money-laundering services, since they have access to all of those transactions for the customers they serve.

As shown below, each host represents a bank or financial institution:


Besides this evidence about the hosted machines, the disclosed files also contain reusable tools for extracting information from the Oracle databases, such as lists of database users and queries over SWIFT messages.


JEEPFLEA is part of the Snowden disclosures

JEEPFLEA_MARKET

This is the 2013 codename of the EastNets operation. As I said above, this is also the first time the ShadowBrokers have released a PowerPoint deck, and it clearly presents information about the NSA's targets. Until now, information about NSA operational planning could only be seen in the Snowden files.


Judging from the Excel files in the archive, EastNets has offices in Belgium, Jordan, Egypt and the UAE. These Excel files were generated with the dsquery command and contain credential information for thousands of compromised employee accounts of the company, as well as for the computers in these different offices (including administrator accounts).

Remember? SWIFT is headquartered in Belgium, so


JEEPFLEA_POWDER

According to BCG's official website, BCG (Business Computer Group) is EastNets' strategic partner in Latin America, serving Panama and Venezuela. As of the time the documents were written, the BCG branches had not yet been affected.


This would make a lot of sense: the reason for the NSA to compromise the anti-money-laundering (AML) service of this particular SWIFT Service Bureau would be to find links to terrorist groups. However, given the small number of SWIFT Service Bureau members (120), compromising them is easy (for example, one IP per bank), so how many of these service bureaus have already been compromised?

Also, does this actually represent a direct threat to SWIFT itself? It does, because this is the first time to date that so much information has been published on how a SWIFT Service Bureau actually works and on its internal infrastructure. All of that (infrastructure maps, scripts, tools, etc.) is very valuable information for an attacker.

It is very valuable for an attacker to know the relationships between the front-end, middleware and back-end interfaces. Remember, Cisco had to release emergency patches for ASA firewalls last year after the initial ShadowBrokers exploit releases of EPICBANANA and EXTRABACON.


Targets

Below we can see an example of a target, Al Quds Bank for Development and Investment, a bank based in Ramallah, Palestine: its host was running Windows 2008 R2, which is vulnerable to the exploits in the catalog of the FUZZBUNCH exploit framework.

Al Quds Bank for Development and Investment, vulnerable to the NSA exploit framework FUZZBUNCH

Windows

Those exploits have been used on the above targets at EastNets.

Keep in mind that Windows Vista/2008 has been out of support since Monday, and Windows XP/2003 has been unsupported for more than 3 years. This means that security vulnerabilities found in those systems will never be corrected. The exploits for Windows 8 and Server 2012 are 0days.

As confirmed by @hackerfantastic on Twitter, the following exploits are working:

  • ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008, over TCP port 445).

  • ETERNALCHAMPION, ETERNALSYSTEM — Remote exploits up to Windows 8 and 2012.

  • ETERNALBLUE — Remote exploit via SMB and NBT (Windows XP to Windows 2012); a working remote exploit on Windows 2008 SP1 x64.

  • EXPLODINGCAN — Remote IIS 6.0 exploit for Windows 2003.

  • EWORKFRENZY — Lotus Domino 6.5.4 and 7.0.2 exploit.

  • ETERNALSYNERGY — Windows 8 and Windows Server 2012.

  • FUZZBUNCH — Exploit framework (similar to Metasploit) for the above exploits.

ODDJOB

TBA

ODDJOB HTML Application

ODDJOB build used in the back-end application

Alternatives to SWIFT?

China and Russia have focused on SWIFT alternatives over the past few years: the China International Payments System (CIPS) has been ready since 2015, and last month Russia announced that its own system for the transfer of financial messages (SPFS) is ready.

However, since, as we just saw, exploitation of the SWIFT Service Bureau relied on firewall and Windows remote exploits, having a SWIFT alternative would not be enough to stop attackers.

Unfortunately, as long as companies do not really understand the technical origins of cyber-security issues, or worse, deny them, those issues will persist and potentially put critical national infrastructure at risk.

What to do?

If you are using a version of Windows at or below Windows Vista, you are doomed, because those versions of Windows aren't supported anymore. If you are using Windows 7 or above, you can disable SMB as described on MSDN until Microsoft issues official patches:

PS C:\WINDOWS\system32> Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
EnableSMB1Protocol EnableSMB2Protocol
------------------ ------------------
              True               True
PS C:\WINDOWS\system32> Set-SmbServerConfiguration -EnableSMB1Protocol $false
PS C:\WINDOWS\system32> Set-SmbServerConfiguration -EnableSMB2Protocol $false
PS C:\WINDOWS\system32> Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
EnableSMB1Protocol EnableSMB2Protocol
------------------ ------------------
             False              False
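The transcript above disables both SMBv1 and SMBv2 on a Windows 8/2012-class host, which also turns off all file and printer sharing. The script below is an added example written for this post; it is not the author's code and not part of the leak. It audits the SMB server configuration, disables only SMBv1 (the protocol the listed SMB exploits need), picks the method by OS version (the SmbShare cmdlets exist only on Windows 8/Server 2012 and later, so Windows 7/2008 R2 use the Microsoft-documented LanmanServer registry value and the mrxsmb10 client driver), and can optionally block inbound TCP/445 on non-domain firewall profiles. It assumes an elevated Windows PowerShell 3.0 or later session; the rule name and the -BlockInboundSmb switch are my own choices.

```powershell
# Added example (not from the original article): audit and disable SMBv1 on the
# local host, choosing the method by OS version, and optionally block inbound 445.
# Assumptions: elevated Windows PowerShell 3.0+; Windows 7 / 2008 R2 or newer.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch: also block inbound TCP/445 on the Private and Public profiles.
    [switch]$BlockInboundSmb
)

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$version = [Version]$os.Version
Write-Host ("Host: {0}  OS: {1} ({2})" -f $env:COMPUTERNAME, $os.Caption, $os.Version)

# Windows Vista / Server 2008 (6.0) and older receive no fixes; only isolation helps.
if ($version -lt [Version]'6.1') {
    Write-Warning 'Unsupported OS (Vista/2008 or older): isolate this host, it cannot be patched.'
    return
}

if ($version -ge [Version]'6.2') {
    # Windows 8 / Server 2012 and newer: SmbShare module is available.
    $cfg = Get-SmbServerConfiguration
    Write-Host ("SMB1 server: {0}  SMB2/3 server: {1}" -f $cfg.EnableSMB1Protocol, $cfg.EnableSMB2Protocol)
    if ($cfg.EnableSMB1Protocol -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        # -Force suppresses the confirmation prompt the cmdlet shows by default.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # SMB2/3 is deliberately left enabled: turning it off, as the transcript above does,
    # breaks every file and printer share rather than just removing the SMBv1 surface.
} else {
    # Windows 7 / Server 2008 R2: no Get-SmbServerConfiguration. Use the documented
    # LanmanServer registry value for the server side and disable the SMB1 client driver.
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $current = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $state   = if ($null -eq $current) { 'enabled (default, value absent)' } else { $current }
    Write-Host ("SMB1 server (registry): {0}" -f $state)
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Set SMB1=0')) {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    }
    if ($PSCmdlet.ShouldProcess('mrxsmb10', 'Disable SMB1 client driver')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    Write-Warning 'A reboot is required for the Windows 7 / 2008 R2 change to take effect.'
}

if ($BlockInboundSmb) {
    # The SMB exploits listed in this post arrive on TCP/445; block it on non-domain
    # profiles so domain file sharing keeps working while laptops on foreign networks are covered.
    $name = 'Block inbound SMB (TCP 445) - Private/Public'   # constructed rule name
    if ($PSCmdlet.ShouldProcess($name, 'Create firewall rule')) {
        if ($version -ge [Version]'6.2') {
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                    -LocalPort 445 -Profile Private,Public -Action Block | Out-Null
            }
        } else {
            # NetSecurity cmdlets are absent on Windows 7; netsh covers the same rule.
            netsh advfirewall firewall add rule name="$name" dir=in action=block `
                protocol=TCP localport=445 profile=private,public | Out-Null
        }
    }
}
```

Run it with -WhatIf first to see which changes it would make on a given host; the registry and service changes on Windows 7 only take effect after a reboot, and any application that still depends on SMBv1 (old NAS appliances, some printers) will lose connectivity once the protocol is off, so check the audit output before applying the change fleet-wide.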

The above exploits failed on Windows 10. Although the security bugs may still be present, it is considerably harder to exploit bugs on Windows 10 than on Windows 7. Microsoft did a really good job with its security mitigations; if you haven't yet, you should upgrade your OS to Windows 10 ASAP.

This article was published by 安全加 (Anquanjia); copyright belongs to the original author.

Download links:

https://github.com/hkylin/EQGRP_Lost_in_Translation


https://yadi.sk/d/NJqzpqo_3GxZA4
Password = Reeeeeeeeeeeeeee
