US-CERT Issues Warning After Hackers Offer SMB Zero-Day

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning after the threat group calling itself Shadow Brokers has offered to sell what it claims to be a zero-day exploit targeting the Server Message Block (SMB) network file sharing protocol.

“In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems,” US-CERT said.

The agency is likely referring to a recent announcement from Shadow Brokers. After several failed attempts to monetize exploits and hacking tools allegedly stolen from the NSA-linked Equation Group, Shadow Brokers recently decided to retire.

While the hackers claim to have quit the business, their exploits are still up for sale for an indefinite period of time for the price of 10,000 bitcoins, currently worth roughly $8.7 million.

A few days before announcing its retirement, Shadow Brokers had offered to sell Windows exploits and anti-malware bypass tools. One of the exploits, available for 250 bitcoins, was described as a remote code execution zero-day targeting SMB. The group has also advertised an “SMB cloaked backdoor” for 50 bitcoins and a package that includes IIS, RDP, RPC and SMB exploits for 250 bitcoins.

In order to prevent potential attacks, US-CERT has advised users and administrators to consider disabling SMB v1 and blocking all versions of SMB at the network boundary. SMB typically uses port 445 (TCP/UDP), ports 137 and 138 (UDP), and port 139 (TCP).

However, US-CERT has cautioned users that blocking or disabling SMB could prevent access to files or devices, and that the benefits should be weighed against potential disruptions.
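The following PowerShell script is an added example of how an administrator could apply the two US-CERT recommendations above on a Windows host while respecting the caveat about disruption: it first inventories which clients still negotiate SMBv1, turns on SMBv1 access auditing, disables the SMBv1 server and driver, and then adds host firewall rules for the ports the advisory lists. It is not code from the article, from US-CERT, or from Microsoft; it assumes Windows 10 / Windows Server 2016 or later (for the `SmbShare` and `NetSecurity` cmdlets and the `AuditSmb1Access` setting), an elevated session, and that the firewall rule names and the `Public` profile scope are placeholders to adapt to your own network.

```powershell
# Added example (not from the article or US-CERT): audit, then disable SMBv1,
# and mirror the advisory's port block with host firewall rules.
# Assumes Windows 10 / Server 2016+, elevated PowerShell, and that rule names
# and the Public-profile scope are placeholders for your own environment.

#Requires -RunAsAdministrator

# 1. Inventory: is SMBv1 enabled here, and is anyone still using it?
$cfg = Get-SmbServerConfiguration
"SMB1 enabled: {0}" -f $cfg.EnableSMB1Protocol

# Sessions negotiated at dialect 1.x are the clients that would break if
# SMBv1 is removed; review them before step 3.
$legacy = Get-SmbSession | Where-Object { [string]$_.Dialect -like '1.*' }
if ($legacy) {
    "Clients still on SMBv1 (check these before disabling):"
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
}

# 2. Turn on SMBv1 access auditing so later use shows up in the event log
#    (Microsoft-Windows-SMBServer/Audit, event ID 3000) rather than as a silent outage.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Disable the SMBv1 server once the inventory above is clean, and remove the
#    optional feature so the SMBv1 driver is not loaded at all.
#    (On Windows Server use: Remove-WindowsFeature FS-SMB1)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 4. Block every SMB port the advisory lists for inbound traffic on the Public
#    profile. The advisory's boundary block belongs on the perimeter firewall;
#    this mirrors it on the endpoint for hosts that leave the corporate network.
$ports = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'UDP'; Port = 445 },
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 138 },
    @{ Protocol = 'TCP'; Port = 139 }
)
foreach ($p in $ports) {
    $name = "Block inbound SMB $($p.Protocol)/$($p.Port)"   # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol $p.Protocol -LocalPort $p.Port -Action Block -Profile Public | Out-Null
    }
}

# 5. Verify the end state.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
Get-NetFirewallRule -DisplayName 'Block inbound SMB*' | Select-Object DisplayName, Enabled, Action
```

Run step 1 on its own first and let the audit from step 2 accumulate for a while before running steps 3 and 4; the `Dialect` column and the audit events are what tell you whether the "potential disruptions" US-CERT mentions are real for a given server. Disabling the optional feature takes effect after a reboot.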

While some of the exploits leaked by Shadow Brokers have turned out to be valid, it’s unclear if the remaining tools are as valuable as claimed. It is unlikely that we will find out any time soon given their price tag, unless the hackers decide to leak the files for free.

This is not the first time US-CERT has issued an alert following a Shadow Brokers announcement. In September, the agency warned organizations after the threat group released exploitation tools for old and new vulnerabilities affecting Cisco products.

Related: "Shadow Brokers" Put NSA Exploits Up for Direct Sale

Related: Over 840,000 Cisco Devices Affected by NSA-Linked Flaw

Related: Industry Reactions to Shadow Brokers Leak

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.