- EASYBEE appears to be an MDaemon email server vulnerability
- EASYPI is an IBM Lotus Notes exploit [source, source] that gets detected as Stuxnet
- EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 to 7.0.2
- EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
- ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges
- EDUCATEDSCHOLAR is a SMB exploit
- EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003
- EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino
- ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users
- ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003
- ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012
- ETERNALBLUE is a SMBv2 exploit that also works on Windows 10, even if it wasn't designed to
- ETERNALCHAMPION is a SMBv1 exploit
- ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
- ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
- ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later
- ETRE is an exploit for IMail 8.10 to 8.22
- FUZZBUNCH is an exploit framework, similar to MetaSploit , which was also part of the December-January "Windows Tools" Shadow Brokers auction
- DOUBLEPULSAR is a RING-0 multi-version kernel mode payload
- EquationGroup had scripts that could scrape Oracle databases for SWIFT data
- ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later , also not detected by any AV vendors
- Metadata [possibly faked, possibly real] links NSA to Equation Group
- NSA used TrueCrypt for storing operation notes
- Some of the Windows exploits released today were undetectable on VirusTotal
- Some EquationGroup humor in the oddjob instructions manual
- JEEPFLEA_MARKET appears to be an operation for collecting data from several banks around the world [source], previously linked to the NSA by Snowden
- The Equation Group targeted EastNets, a SWIFT connectivity provider
复制代码北京时间4月14号晚,TheShadowBrokers在steemit.com博客上放出第二波方程式组织Equation Group(为NSA提供服务专门对国外进行间谍活动的组织)的黑客工具包,这是继上周4月8号第一波放出EQGRP-Auction-Files 文件解密密码(http://bobao.360.cn/news/detail/4107.html )之后,又一次的大规模公开的放出解密密码,现在任何感兴趣的人员都可以直接下载解密。
原文件下载地址:
https://yadi.sk/d/NJqzpqo_3GxZA4
解密密码:
Reeeeeeeeeeeeeee
sha256 hashes
原文件:
7c19a67d728bc700d18d2ed389a80de495681b7097222d9b8f1d696f0986f9a2 odd.tar.xz.gpg
78b89b2c4b129400150c7b60a426ff469aaea31da1588d2abc4180feaa9c41d3 swift.tar.xz.gpg
c28d5c10ec78bc66d3868e4862c7f801ffd561e2116b529e0782bf78f3ef3255 windows.tar.xz.gpg
解密后的文件
85e03866ae7eaaedd9462054b62a10f2180983bdfd086b29631173ae4422f524 odd.tar.xz
df468f01e65f3f1bc18f844d7f7bac8f8eec3664a131e2fb67ae3a55f8523004 swift.tar.xz
5bb9ddfbcefb75d017a9e745b83729390617b16f4079356579ef00e5e6b5fbd0 windows.tar.xz
简要分析
有网友在github上传了相关的解密后的文件,通过简单的分析所有的解密后的文件,发现其中包括新的23个黑客工具。具体请参考:https://github.com/misterch0c/shadowbroker/blob/master/file-listing
这些黑客工具被命名为OddJob,EasyBee,EternalRomance,FuzzBunch,EducatedScholar,EskimoRoll,EclipsedWing,EsteemAudit,EnglishMansDentist,MofConfig,ErraticGopher,EmphasisMine,EmeraldThread,EternalSynergy,EwokFrenzy,ZippyBeer,ExplodingCan,DoublePulsar等
第二波解密的黑客工具包内容包括odd.tar.xz.gpg, swift.tar.xz.gpg and windows.tar.xz.gpg
windows: 包括 Windows利用工具, 植入式的恶意软件 和一些攻击代码
swift: 包括 银行攻击的一些内容
oddjob: 包括与ODDJOB 后门相关的doc
据相关研究人员称:
Windows文件夹包含对Windows操作系统的许多黑客工具,但主要针对的是较旧版本的Windows(Windows XP中)和Server 2003。
其中“ETERNALBLUE是一个0day RCE漏洞利用,影响最新和更新的Windows 2008 R2 SERVER VIA SMB和NBT!”一位名叫Hacker Fantastic在推特上称。
OddJob文件夹包含基于Windows的植入软件,并包括所指定的配置文件和有效载荷。虽然目前这种植入软件的细节很少,但OddJob适用于Windows Server 2003 Enterprise(甚至Windows XP Professional)。
SWIFT文件夹包含PowerPoint演示文稿,证据,凭证和EastNets的内部架构,EastNets是中东最大的SWIFT服务商之一。
SWIFT(全球银行间电信协会)是一个全球性的金融信息系统,全球数千家银行和组织每天都在转移数十亿美元。
该文件夹包括从Oracle数据库查询信息的sql脚本,如查询数据库用户列表和SWIFT消息。
此外,该文件夹还包含Excel文件,表明国安队的精英网络攻击单位方程组织已经入侵,并获得了世界各地许多银行的访问权,其中大多数位于中东,如阿联酋,科威特,卡塔尔,巴勒斯坦,也门。
更新: EastNets否认SWIFT受黑客影响
在今天发表的官方声明中,EastNets否认其SWIFT受到影响,并表示黑客的报道是“完全虚假和毫无根据的”。
“所谓的黑客入侵的EastNets服务商(ENSB)网络的报告是完全虚假的,毫无根据的,EastNets网络内部安全部门对其服务器进行了全面检查,发现没有黑客的足迹或任何漏洞。
缓解方法
用户可以临时关闭135、137、445端口和3389远程登录。360正在密切监测和响应此次网络世界的重大灾难级危机。
参考
https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
https://github.com/misterch0c/
https://github.com/x0rz/EQGRP_Lost_in_Translation/
http://thehackernews.com/2017/04/swift-banking-hacking-tool.html