A lot of press has been given to the release of several hacking tools from the NSA by the Shadow Brokers, the hacking group responsible for the leak. The main focus in the press has been with Windows Hacking Tools, some of which allow backdoors into the most widely used desktop operating system. This is a legitimate bonafide set of serious tools, that can cause serious destruction, damage, and theft of corporate assets and custom information.Unfortunately, many of us have become numb to hearing these warnings, (and the subsequent breaches), over and over again.
The good news is that Microsoft has patches available to fix the vulnerabilities associated with tools that exploit them. The bad news.is the:
1) patches are for Windows 7 and greater, and
2) a lot of organizations take their time patching.their systems.
The Shadow Brokers had originally put the toolset up for auction, but in a rather cryptic article on Medium, offered the tools zipped with an unlocking password for free.
I think it’s necessary, in addition to the exploit kits for Windows, we explore the implications of the Linux tools that were released as part of this breach.
While the focus has been on Windows tools, the Shadow Brokers stolen tools cache, located on GitHub, shows a significant quantity of tools for the ‘Nix’s – Linux, Unix, and their cousin OSX. Since the “Nix family is arguably dominant on the web, these tools have the potential of being more disruptive than their Windows brethren.
These tools exploit all manners of vulnerabilities, providing several ways to execute remote shells, escalate privileges, and gain command control of Linux servers through vulnerable applications and files. There are also a set of tools to hide the tracks of the hacker.
If your organization is running a number of Linux servers (healthcare, finance, utilities) it makes sense to evaluate tools that look at memory integrity in addition to those tools you have that perform file integrity management functions. A properly executed exploit could leave tools running in active memory while it appears that file integrity has not been compromised. This could be done by evading inspection times for file integrity, or injecting a rouge application right into memory through tools that already reside there.
My company, Forcepoint, offers a tool, Forcepoint Linux Threat Protection for Linux which resides in memory to catch rogue applications running in memory, alerting your security team quickly to the problem. This product is ideal for clients who run mission critical servers, whether on premises, in the cloud, or hybrid.
There’s some great information on Forcepoint Threat Protection for Linux online. If you are interested in this technology, I’d encourage you to take a look at both the datasheet for the product, as well as the whitepaper Finding Threats in Linux® Memory – The Value of Memory Integrity Verification.
If you think you need the protections of Forcepoint Threat Protection for Linux, and you want further information, give me a call at 1-410-740-3490 or send me an to me at firstname.lastname@example.org.
In the interest of full disclosure, I am a salesperson for Forcepoint. This article was written by myself, with no editorial comments from my employer. I have a technical background, but I know enough to be dangerous. Please let me know if there is anything I need to amend to be more factually correct.
Please share if you think this article merits it.