Technical Information

Microsoft has released a technical blog outlining the known information around the exploits that were made publicly available by Shadow Brokers:

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

According to the article, most of the exploits that were made publicly available have already been patched in Microsoft's currently supported platforms for customers that have applied the most recent security patches. 

In addition, Microsoft reports that their security team has not been able to successfully reproduce the three (3) remaining exploits on their currently supported platforms - specifically called out as Windows 7 and above, as well as Exchange 2010 and above.

 
Please note that in light of the recent WannaCry (WCRY) ransomware attack, Microsoft has released limited MS17-010 patches for some older operating systems (e.g. XP) that have already officially reached End-of-support (EOS) status. Please visit this page for more information on obtaining the necessary patches.

Trend Micro has also released a blog with more background information: Shadow Brokers Leaks Hacking Tools: What it Means for Enterprises.

Trend Micro Products and Protection

Since these are specific exploits to Microsoft products and platforms, customers are always strongly advised to have current and officially supported versions of Microsoft products and platforms deployed with the latest security patches installed. 

However, we recognize that many enterprise and business customers still have legacy platforms in production for various reasons. Fortunately, Trend Micro already has solutions available that provide some level of protection.

The table below lists available solutions for the following products:

  • Trend Micro Deep Security and Trend Micro Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest rules have an updated layer of protection. 
  • Trend Micro TippingPoint customers with the following filters have updated protection.
Columns: Exploit | MS Bulletin | TippingPoint Filter(s) | Deep Security & Vulnerability Protection IPS Rule(s)

"EternalBlue" | MS Bulletin: MS17-010 | TippingPoint Filter(s): 27433, 27711, 27928
  • 1008225 - Windows SMB RCE Vulnerability (CVE-2017-0145)
  • 1008306 - Windows SMB RCE Vulnerability (MS17-010)
  • 1008327 - Identified Server Suspicious SMB Session
  • 1008328 - Identified Client Suspicious SMB Session

"EmeraldThread" | MS Bulletin: MS10-061 | TippingPoint Filter(s): 10458, 27939
  • 1004401 - Print Spooler Service Impersonation Vulnerability

"EternalChampion" | MS Bulletin: MS17-010 | TippingPoint Filter(s): 27433, 27711, 27929
  • 1008224 - Windows SMB RCE Vulnerabilities (CVE-2017-0144 & CVE-2017-0146)
  • 1008227 - Windows SMB RCE Vulnerability (CVE-2017-0147)

"ErraticGopher" | MS Bulletin: Prior to Vista | TippingPoint Filter(s): 27932
  • 1008305 - Windows SMBv1 RCE Vulnerability

"EskimoRoll" | MS Bulletin: MS14-068 | TippingPoint Filter(s): 27940
  • 1006397 - Windows Kerberos Checksum Vulnerability

"EternalRomance" | MS Bulletin: MS17-010 | TippingPoint Filter(s): (none listed)
  • 1008227 - Windows SMB RCE Vulnerability (CVE-2017-0147)
  • 1008306 - Windows SMB RCE Vulnerability (MS17-010)

"EducatedScholar" | MS Bulletin: MS09-050 | TippingPoint Filter(s): 8465
  • 1003671 - SMBv2 Infinite Loop Vulnerability
  • 1003712 - Windows Vista SMB 2.0 Negotiate Protocol Request RCE

"EternalSynergy" | MS Bulletin: MS17-010 | TippingPoint Filter(s): 27937
  • 1008227 - Windows SMB RCE Vulnerability (CVE-2017-0147)

"EclipsedWing" | MS Bulletin: MS08-067 | TippingPoint Filter(s): 6515
  • 1003292 - Block Conficker.B++ Worm Incoming Named Pipe Connection
  • 1003293 - Block Conficker.B++ Worm Outgoing Named Pipe Connection
  • 1003080 - Server Service Vulnerability (srvsvc)
  • 1002975 - Server Service Vulnerability (wkssvc)

"EnglishmanDentist" | MS Bulletin: *Under Investigation | TippingPoint Filter(s): Under Investigation

Emphasismine-3.4.0.exe | MS Bulletin: (none listed) | TippingPoint Filter(s): (none listed)
  • 1008307 - Windows RDP RCE Vulnerability

Esteemaudit-2.1.0.exe | MS Bulletin: (none listed) | TippingPoint Filter(s): 27933
  • 1008307 - Windows RDP RCE Vulnerability

Ewokfrenzy | MS Bulletin: (none listed) | TippingPoint Filter(s): 4033
  • 1000977 - IBM Lotus Domino IMAP Server CRAM-MD5 Authentication Buffer Overflow

Explodingcan-2.0.2.exe | MS Bulletin: (none listed) | TippingPoint Filter(s): 27643
  • 1008266 - IIS WebDAV ScStoragePathFromUrl Buffer Overflow Vulnerability

ECWI.exe | MS Bulletin: (none listed) | TippingPoint Filter(s): (none listed)
  • 1003080 - Server Service Vulnerability (srvsvc)

ELV.EXE | MS Bulletin: MS06-040 | TippingPoint Filter(s): 9317
  • 1000735 - Windows Server Service RCE

EarlyShovel | MS Bulletin: (none listed) | TippingPoint Filter(s): 27938
  • 100368 - Sendmail SMTP Header and Command Buffer Overflow

EbbisLand | MS Bulletin: (none listed) | TippingPoint Filter(s): 621, 622, 3512, 3791
  • 1008314 - Oracle Solaris RCE Vulnerability (CVE-2017-3623)

EchoWrecker | MS Bulletin: (none listed) | TippingPoint Filter(s): 1676
  • 1004160 - Samba Multiple DOS Vulnerability

EVFR | MS Bulletin: (none listed) | TippingPoint Filter(s): 1612
  • 1008312 - IIS WebDAV RCE Vulnerability

DoublePulsar (Payload) | MS Bulletin: (none listed) | TippingPoint Filter(s): 27935
  • 1008327 - Identified Server Suspicious SMB Session
  • 1008328 - Identified Client Suspicious SMB Session

 * Microsoft has stated that these vulnerabilities cannot be reproduced on currently supported platforms, so the status of a Microsoft patch for older operating systems is uncertain at this time.


The next table addresses the following product:

  • Trend Micro Deep Discovery Inspector customers with the latest rules have protection against specific exploits listed below. 
Columns: Exploit | Deep Discovery Inspector Rule

Eclipsedwing-1.5.2.exe | DDI Rule ID 0: OPS_MS08-067_Server_Service_Path_Canonicalization_Exploit
Educatedscholar-1.0.0.exe | DDI Rule ID 0: MS09-050_SMB2_DENIAL_OF_SERVICE and OCS_CVE-2009
Explodingcan-2.0.2.exe | DDI Rule ID 2357: CVE-2017-7269 - WebDAV Buffer Overflow - HTTP (Request)
Eskimoroll-1.1.1.exe | DDI Rule ID 1791: Possible MS14-068_KERBEROS Checksum Vulnerability
Emphasismine-3.4.0.exe | DDI Rule ID 2378: EXAMINE Buffer Overflow - IMAP4 (Response)
Ewokfrenzy-2.0.0.exe | DDI Rule ID 2379: CRAM-MD5 Authentication Buffer Overflow - IMAP4 (Response)
Esteemaudit-2.1.0.exe | DDI Rule ID 2377: RDP RCE Vulnerability
Emeraldthread-3.0.0.exe | DDI Rule ID 0: MS10-061 - Print Spooler Service Impersonation Exploit
Eternalromance-1.3.0.exe | DDI Rule ID 2380: CVE-2017-0147 - Information Disclosure Exploit - SMB (Request)
Eternalromance-1.4.0.exe | DDI Rule ID 2382: CVE-2017-0145 - RCE - SMB (Request)
Eternalsynergy-1.0.1.exe | DDI Rule ID 2380: CVE-2017-0147 - Information Disclosure Exploit - SMB (Request)
Eternalchampion-2.0.0.exe | DDI Rule ID 2380: CVE-2017-0147 - Information Disclosure Exploit - SMB (Request)
Eternalblue-2.2.0.exe | DDI Rule ID 2383: CVE-2017-0144 - RCE - SMB (Request)
Erraticgopher-1.0.1.exe | DDI Rule ID 2384: Possible EQUATED - RCE - SMB (Request)
Easybee-1.0.1.exe | DDI Rule ID 2389: EASYBEE - Email Server Exploit - HTTP (Request)


Please note that Trend Micro is still investigating the recently released information for other exploits and will provide updates if and as necessary.

Trend Micro always highly recommends that vendor critical patches are applied as soon as possible upon release. Customers and partners who may need some additional information or have questions are encouraged to contact their authorized Trend Micro technical support representative for further assistance.