Ken Mizota

Vulnerability Management Tips for the Shadow Brokers Leaked Exploits

Blog Post created by Ken Mizota Employee on May 9, 2017

Rebekah Brown and the Rapid7 team have delivered a spot-on breakdown of the recent Shadow Brokers exploit and tool release. Before you read any further, if you haven’t done so already, please read her post. It’s probably not the only post you’ve read on this topic, but it is cogent, well-constructed and worth the 5 minutes.

 

Back with me? With all of the media attention and discussion in the infosec community, it would not surprise me to hear that a security team still wondered aloud: “Nation-state intrigue makes for scintillating reading, but what do I do with this news?”

 

So long as there are attackers and defenders in infosec, the Rapid7 community continues to be on the front lines of the struggle. But, in such a position, which action is prudent? Purchasing an underground bunker outright may not be a sound decision for you.  However, there are practical actions you can take.

 

Don't waste a learning moment

You invest in building and maintaining your vulnerability management program. This includes making sure you have visibility to the latest threats and perhaps automating your response. The exploits thrust onto the world stage by the Shadow Brokers, while newsworthy, distill down to a seemingly normal set of patches and updates. As Rebekah's post states:

If you are unsure if you are up to date on these patches, we have checks for all of them in Rapid7 Nexpose and Rapid7 InsightVM. These checks are all included in the Microsoft Hotfix scan template.

It turns out, if you’re maintaining your vulnerability scans, and getting the visibility to your Windows assets, you already have the visibility you need. But that doesn’t mean you have to treat this event as business as usual.  Perhaps you’d like to see how your security program fares when up against vaunted Shadow Brokers trove?

 

Here are a few ideas you can try based on a mix of newer and long-standing capabilities.

 

Look for what you need

If you want to efficiently identify the presence of Shadow Brokers’ leaked vulnerabilities, and you don’t want to change your existing Scan regime, create a new Scan template.

 

You’ll find creating a new Scan Template in the Administration tab. Start off by naming your template:

Next, configure your Scan Template for specific vulnerability checks. Tailor your template by looking only for the checks associated with the CVEs exploited by the Shadow Brokers leak.

 

EternalBlue

EternalSynergy

EternalRomance

EternalChampion

MS17-010

msft-cve-2017-0143

msft-cve-2017-0144

msft-cve-2017-0145

msft-cve-2017-0146

msft-cve-2017-0147

msft-cve-2017-0148

EmeraldThread

MS10-061

WINDOWS-HOTFIX-MS10-061

EskimoRoll

MS14-068

WINDOWS-HOTFIX-MS14-068

EducatedScholar

MS09-050

WINDOWS-HOTFIX-MS09-050

EclipsedWing

MS08-067

WINDOWS-HOTFIX-MS08-067

Use the CVEs to search for the checks and add to your template. Here, I’ve added CVE-2017-0144.

 

Now that you’ve got one template squared away, you can take your new Scan Template out for a spin on an entire Site, or an ad hoc scan, or you might want to check out improvements to Scan Configuration to target a scan for just the subset of a Site.

 

If you don’t have time for manual scans, create an Automated Action to scan an asset when it is discovered on your network. Whether you’ve discovered the asset via DHCP discovery connection or just by a regular discovery scan, you can use Automated Actions to scan the Asset when it appears.

 

Give your stakeholders a view

I couldn’t leave you without one final tried and true tip for satisfying demanding executive stakeholders: You can always create a new dashboard!

 

I’ve created a custom Shadow Brokers Leak dashboard to house all the cards and analysis I’ll need.

Next, I’ll start adding Cards that I’d like to work with. Let’s use the Newly Discovered Assets card as a starting point. I’ve added this card to my Dashboard and I’ll click Expand Card to drill in.

Next, I’ll create a new filter to look only for Assets that are affected by CVE and hotfixes identified above. I’ll paste this into the Filter field:

*UPDATE: Corrected May 24,2017: Changed "ms10-068" to "ms14-068"*

asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0146" OR asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148" OR asset.vulnerability.title CONTAINS "ms10-061" OR asset.vulnerability.title CONTAINS "ms14-068" OR asset.vulnerability.title CONTAINS "ms09-050" OR asset.vulnerability.title CONTAINS "ms08-067" OR asset.vulnerability.title CONTAINS "ms17-010"

It’ll look something like this:

I’ve saved this filter so I can use it across any number of cards I wish. Since I’ve done the work of creating the filter once, it is straightforward to add cards, apply the filter, and then save the Cards to my dashboard. I’ve built a tailored view, showing the impact of the Shadow Brokers leaked exploits on my organization.

 

 

If you’re feeling comfortable with this approach, take a step futher! Try out an Actionable Remediation Project from here and get started taking down these risks on your turf.

 

Not a customer of ours? Try a free 30-day trial of InsightVM here.

Outcomes