影子黑客再次泄露NSA 方程式windows 0day

admin

1. EASYBEE appears to be an MDaemon email server vulnerability
   
2. EASYPI is an IBM Lotus Notes exploit [source, source] that gets detected as Stuxnet
   
3. EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 to 7.0.2
   
4. EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
   
5. ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges
   
6. EDUCATEDSCHOLAR is a SMB exploit
   
7. EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003
   
8. EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino
   
9. ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users
   
10. ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003
    
11. ETERNALSYNERGY is a SMBv3 remote code execution flaw  for Windows 8 and Server 2012
    
12. ETERNALBLUE is a SMBv2 exploit  that also works on Windows 10, even if it wasn't designed to
    
13. ETERNALCHAMPION is a SMBv1 exploit
    
14. ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
    
15. ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
    
16. ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later
    
17. ETRE is an exploit for IMail 8.10 to 8.22
    
18. FUZZBUNCH is an exploit framework, similar to MetaSploit , which was also part of the December-January "Windows Tools" Shadow Brokers auction
    
19. DOUBLEPULSAR is a RING-0 multi-version kernel mode payload
    
20. EquationGroup had scripts that could scrape Oracle databases for SWIFT data
    
21. ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later , also not detected by any AV vendors
    
22. Metadata [possibly faked, possibly real] links NSA to Equation Group
    
23. NSA used TrueCrypt for storing operation notes
    
24. Some of the Windows exploits released today were undetectable on VirusTotal
    
25. Some EquationGroup humor in the oddjob instructions manual
    
26. JEEPFLEA_MARKET appears to be an operation for collecting data from several banks around the world [source], previously linked to the NSA by Snowden
    
27. The Equation Group targeted EastNets, a SWIFT connectivity provider

复制代码

北京时间4月14号晚，TheShadowBrokers在steemit.com博客上放出第二波方程式组织Equation Group（为NSA提供服务专门对国外进行间谍活动的组织）的黑客工具包，这是继上周4月8号第一波放出EQGRP-Auction-Files 文件解密密码（http://bobao.360.cn/news/detail/4107.html ）之后，又一次的大规模公开的放出解密密码，现在任何感兴趣的人员都可以直接下载解密。

原文件下载地址：

https://yadi.sk/d/NJqzpqo_3GxZA4

解密密码：

Reeeeeeeeeeeeeee

sha256 hashes

原文件：

7c19a67d728bc700d18d2ed389a80de495681b7097222d9b8f1d696f0986f9a2 odd.tar.xz.gpg

78b89b2c4b129400150c7b60a426ff469aaea31da1588d2abc4180feaa9c41d3 swift.tar.xz.gpg

c28d5c10ec78bc66d3868e4862c7f801ffd561e2116b529e0782bf78f3ef3255 windows.tar.xz.gpg

解密后的文件

85e03866ae7eaaedd9462054b62a10f2180983bdfd086b29631173ae4422f524 odd.tar.xz

df468f01e65f3f1bc18f844d7f7bac8f8eec3664a131e2fb67ae3a55f8523004 swift.tar.xz

5bb9ddfbcefb75d017a9e745b83729390617b16f4079356579ef00e5e6b5fbd0 windows.tar.xz

简要分析

---

有网友在github上传了相关的解密后的文件，通过简单的分析所有的解密后的文件，发现其中包括新的23个黑客工具。具体请参考：https://github.com/misterch0c/shadowbroker/blob/master/file-listing

这些黑客工具被命名为OddJob，EasyBee，EternalRomance，FuzzBunch，EducatedScholar，EskimoRoll，EclipsedWing，EsteemAudit，EnglishMansDentist，MofConfig，ErraticGopher，EmphasisMine，EmeraldThread，EternalSynergy，EwokFrenzy，ZippyBeer，ExplodingCan，DoublePulsar等

第二波解密的黑客工具包内容包括odd.tar.xz.gpg, swift.tar.xz.gpg and windows.tar.xz.gpg

windows: 包括 Windows利用工具, 植入式的恶意软件 和一些攻击代码

swift: 包括 银行攻击的一些内容

oddjob: 包括与ODDJOB 后门相关的doc

据相关研究人员称：

Windows文件夹包含对Windows操作系统的许多黑客工具，但主要针对的是较旧版本的Windows（Windows XP中）和Server 2003。

其中“ETERNALBLUE是一个0day RCE漏洞利用，影响最新和更新的Windows 2008 R2 SERVER VIA SMB和NBT！”一位名叫Hacker Fantastic在推特上称。

OddJob文件夹包含基于Windows的植入软件，并包括所指定的配置文件和有效载荷。虽然目前这种植入软件的细节很少，但OddJob适用于Windows Server 2003 Enterprise（甚至Windows XP Professional）。

SWIFT文件夹包含PowerPoint演示文稿，证据，凭证和EastNets的内部架构，EastNets是中东最大的SWIFT服务商之一。

SWIFT（全球银行间电信协会）是一个全球性的金融信息系统，全球数千家银行和组织每天都在转移数十亿美元。

该文件夹包括从Oracle数据库查询信息的sql脚本，如查询数据库用户列表和SWIFT消息。

此外，该文件夹还包含Excel文件，表明国安队的精英网络攻击单位方程组织已经入侵，并获得了世界各地许多银行的访问权，其中大多数位于中东，如阿联酋，科威特，卡塔尔，巴勒斯坦，也门。

更新：  EastNets否认SWIFT受黑客影响

---

在今天发表的官方声明中，EastNets否认其SWIFT受到影响，并表示黑客的报道是“完全虚假和毫无根据的”。

“所谓的黑客入侵的EastNets服务商（ENSB）网络的报告是完全虚假的，毫无根据的，EastNets网络内部安全部门对其服务器进行了全面检查，发现没有黑客的足迹或任何漏洞。

缓解方法

---

用户可以临时关闭135、137、445端口和3389远程登录。360正在密切监测和响应此次网络世界的重大灾难级危机。

参考

---

https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation  

https://github.com/misterch0c/

https://github.com/x0rz/EQGRP_Lost_in_Translation/

http://thehackernews.com/2017/04/swift-banking-hacking-tool.html