Over the Easter Holiday weekend, the Shadow Brokers, a hacking group that came to light over the summer of 2016, released a list of exploits and zero-day attacks targeting Microsoft Windows operating systems and applications among other technologies. These exploits and zero-day vulnerabilities are purported to be part of a leaked list of NSA tools used for covert surveillance. This is the fifth release of information by the Shadow Brokers since August 2016. Speculation as to the motives behind this group of hackers ranges from the possibility of an internal NSA whistle blower to potential Russian hacking and propaganda. Regardless of the motivation, these exploits and vulnerabilities pose a significant threat to many organizations and should be addressed immediately.
On Friday, April 14, 2017, Microsoft’s Security Response Center (MSRC) published a response to the list of exploits detailed in the Shadow Brokers release (MSRC Response can be found here). Fortunately, most of the exploits listed have been addressed and patched by Microsoft prior to April 2017. Three remaining exploits are not actionable on currently supported Microsoft platforms (Windows 7 / Exchange 2010 and forward), but are threats to unsupported, legacy Microsoft operating systems and applications. Microsoft is actively encouraging all users to upgrade to a supporting platform or offering as soon as possible.
As a Microsoft user or admin, what should you do to address these threats in your environment? The following are several important steps to consider:
Make sure that all your systems are properly patched with the most current Microsoft critical and security related updates. Use Microsoft’s WSUS (Windows Server Update Services) or other third party tools in your patching process to ensure you have a reporting mechanism in place so that no systems are missed.
Have a process in place to monitor the existence of legacy, unsupported operating systems and applications and have a plan to upgrade these systems to supported platforms before they become a risk. If you have Windows XP, Windows Vista, Windows 2003 Server, or Exchange 2003 in your environment, you are at risk.
Strengthen your perimeter defenses by using mature firewalls and content filtering solutions to limit the amount of malicious traffic entering your network. Consider DNS-based content filtering and advanced malware protection as layers to protect against intrusions, viruses and malware that can leverage these released exploits and harm your network/computer environments.
Do not ignore third party applications in your patching process. Patching Windows updates alone is not enough. There are many other exploits and zero-day vulnerabilities in the wild for third party applications that can threaten your network. There are strong 3rd party tools that can address other applications like Adobe Flash, Adobe Acrobat Reader, Java and web browsers along with your Microsoft operating systems and applications to ensure all your systems are fully patched and monitored.
Train your users and share threat information as it becomes available. Do not shy away from making users aware of the threats they face. Decent, focused training and timely awareness emails can make a difference. An aware user will hesitate before clicking on a suspicious link or opening an email from an unknown source, and that hesitation can and will keep malicious content off your network.