The Attack Chain Of A Nation-State (Equation Group) presented at bsideslasvegas 2017

by Tal Liberman, Omri Misgav,

Summary : In April 2017, The Shadow Brokers release a collection of hacking tools belonging to the Equation group, one of the more sophisticated nation-state threat actors known to date. This collection contained several zero-day exploits some of which targeted Windows OS.
The good thing is that Microsoft was able to patch its supported OSes before the tools were made available to the general public. The bad side is that some of these exploits also work on obsolete OSes such as Windows XP and Server 2003, and those will never be patched by Microsoft.
According to Bloomberg Businessweek, by April 27th nearly half a million computers were found to be infected by these tools. As a security vendor, this made us consider the need to patch also the legacy systems.
In this talk we’ll showcase the tradecraft of a nation-state threat actor and present our research of the April leak:
• Technical analysis of the SMB exploit, EternalBlue
• Description of the DoublePulsar backdoor - including bugs we found in this backdoor and how it differs from other backdoors.
• A patch for legacy OS that we made freely available to the public.