The United States Computer Emergency Readiness Team (US-CERT) posted a warning about the Shadow Brokers and their new SMB Zero-Day exploit which is offered for sale.
US-CERT Has Issued A Warning About The SMB Zero-Day Exploit By The Shadow Brokers
The United States Computer Emergency Readiness Team (US-CERT) has issued a statement of warning after the dangerous hacker collective known as Shadow Brokers posted news of a dangerous SMB Zero-Day exploit which is offered on sale on the hacker underground markets.
The contents of the warning shows the following message:
In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems.
US-CERT recommends that users and administrators consider:
disabling SMB v1 and
blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.
US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 and 204279.
The 2696547 advisory is titled “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012” and 204279 is known as “Direct hosting of SMB over TCP/IP”.
The hackers are offering a dangerous SMB Zero-Day exploit for the price of 250 bitcoins. They explain the exploit as a remote code execution vulnerability which targets the SMB protocol. Its designated name is dubbed SMB cloaked backdoor. The complete package includes a collection of IIS, RDP RPC and SMB exploits.
According to the security tam all users and administrators should disable SMB protocol version 1 and block all versions of the internal network. To access the alert click here.