
US-CERT Issues Warning After Hackers Offer SMB Zero-Day

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning after the threat group calling itself Shadow Brokers has offered to sell what it claims to be a zero-day exploit targeting the Server Message Block (SMB) network file sharing protocol.


“In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems,” US-CERT said.

The agency is likely referring to a recent announcement from Shadow Brokers. After several failed attempts to monetize exploits and hacking tools allegedly stolen from the NSA-linked Equation Group, Shadow Brokers recently decided to retire.

While the hackers claim to have quit the business, their exploits are still up for sale for an indefinite period of time for the price of 10,000 bitcoins, currently worth roughly $8.7 million.

A few days before announcing its retirement, Shadow Brokers had offered to sell Windows exploits and anti-malware bypass tools. One of the exploits, available for 250 bitcoins, was described as a remote code execution zero-day targeting SMB. The group has also advertised an “SMB cloaked backdoor” for 50 bitcoins and a package that includes IIS, RDP, RPC and SMB exploits for 250 bitcoins.

In order to prevent potential attacks, US-CERT has advised users and administrators to consider disabling SMB v1 and blocking all versions of SMB at the network boundary. SMB typically uses port 445 (TCP/UDP), ports 137 and 138 (UDP), and port 139 (TCP).

However, US-CERT has cautioned users that blocking or disabling SMB could prevent access to files or devices, and that the benefits should be weighed against potential disruptions.
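As an added example, not taken from US-CERT or SecurityWeek, the PowerShell below shows how an administrator would act on this advice on a single Windows host without causing the disruption US-CERT warns about: it first audits whether SMBv1 is enabled and whether any connected clients still depend on it, and only applies the mitigations when run with -Enforce. It assumes Windows 8.1/Server 2012 R2 or later (SmbShare and NetSecurity modules present) and an elevated session; the Public-profile host-firewall rule stands in for a block at the network boundary.

```powershell
# Added example (not from US-CERT or SecurityWeek): audit SMBv1 exposure on a
# Windows host and, only with -Enforce, apply the US-CERT mitigations.
# Assumes Windows 8.1/Server 2012 R2 or later; run from an elevated session.
[CmdletBinding()]
param([switch]$Enforce)

# 1. Is the SMBv1 dialect still enabled on the server side?
$cfg = Get-SmbServerConfiguration
Write-Host "SMBv1 server enabled : $($cfg.EnableSMB1Protocol)"

# 2. Who would break if it were turned off? Any live session that did not
#    negotiate an SMB 2.x/3.x dialect is a legacy client that still needs SMBv1.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -notlike '2.*' -and $_.Dialect -notlike '3.*' }
if ($legacy) {
    Write-Warning "Legacy SMB clients connected; disabling SMBv1 will cut them off:"
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table
}

# 3. Which SMB ports (from the article: 445, 139 TCP; 137, 138 UDP) are listening?
$smbPorts = @(
    @{ Protocol = 'TCP'; Port = 445 }, @{ Protocol = 'TCP'; Port = 139 },
    @{ Protocol = 'UDP'; Port = 137 }, @{ Protocol = 'UDP'; Port = 138 }
)
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 445, 139 }
Write-Host "SMB TCP listeners    : $(($listening | Select-Object -ExpandProperty LocalPort) -join ', ')"

if (-not $Enforce) {
    Write-Host "Audit only. Re-run with -Enforce to apply the mitigations."
    return
}

# 4a. Disable the SMBv1 dialect (US-CERT's first recommendation).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4b. Remove the SMBv1 feature so the legacy driver is no longer loaded at all.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 4c. Block every SMB version on the Public profile only, i.e. when the host is
#     on an untrusted network. Domain/Private traffic is left alone so internal
#     file shares keep working (the trade-off US-CERT asks admins to weigh).
foreach ($p in $smbPorts) {
    New-NetFirewallRule -DisplayName "Block inbound SMB $($p.Protocol)/$($p.Port) (Public)" `
        -Direction Inbound -Protocol $p.Protocol -LocalPort $p.Port `
        -Profile Public -Action Block | Out-Null
}
Write-Host "SMBv1 disabled; SMB ports blocked on the Public profile. Reboot to complete feature removal."
```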

While some of the exploits leaked by Shadow Brokers have turned out to be valid, it’s unclear if the remaining tools are as valuable as claimed. Given their price tag, it is unlikely that we will find out any time soon, unless the hackers decide to leak the files for free.

This is not the first time US-CERT has issued an alert following a Shadow Brokers announcement. In September, the agency warned organizations after the threat group released exploitation tools for old and new vulnerabilities affecting Cisco products.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
