SentinelOne Detects Shadow Broker Binaries with Static AI

Waves of panic were sent through the cybersecurity community as suspected NSA spying tools were released by the Shadow Broker group. What appeared to be potentially one of the most damaging releases of nation-state tool, zero-day exploits was quickly neutralized. Microsoft came forward to announce that although the files contained about 20 different Windows-based exploits, previous patches to supported products rendered the attacks ineffective.

Behind the Leak: The Shadow Broker Coming to Light

Shadow Brokers, the group behind the leak, garnered attention back in August for releasing hacking tools for routers and firewall products that were supposedly from a leading, possibly NSA-based cyberespionage team called Equation Group. Since then, security experts have suspected that the hacking group may actually be foreign spies attempting to threaten the United States.

While the self-defined hacktivists position themselves against the wealthy elite, it appears they may be in the game for more than just bitcoin. Choosing interesting timing, the group resurfaced after the U.S. missile strike last week on a Syrian airfield. Then in a letter to the U.S. President Donald Trump, the group wrote in broken English that ‘Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.’ Combining this information with the retirement announcement the day before Trump’s inauguration has led to suspicions that the group has Russian links.

Dangers Remain, SentinelOne Can Help

Unpatched or outdated systems like Windows XP, Windows Server 2003, and IIS 6.0 are still vulnerable to the exploits since security updates are no longer supported. According to Microsoft, they are encouraging customers to ensure their computers are up-to-date for the following:

Code Name Solution
EternalBlue Addressed by MS17-010
EmeraldThread Addressed by MS10-061
EternalChampion Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher” Addressed prior to the release of Windows Vista
EsikmoRoll Addressed by MS14-068
EternalRomance Addressed by MS17-010
EducatedScholar Addressed by MS09-050
EternalSynergy Addressed by MS17-010
EclipsedWing Addressed by MS08-067

For these unpatched and unsupported systems, SentinelOne’s Deep File Inspection (Static AI) engine protects by detecting binaries through static analysis built off of machine learning.

Understanding Binaries

What is a binary file? Binaries or binary files are commonly known as executables. These are ready-to-run programs that can be used by cybercriminals to complete an attack.

Why does it matter? In recent years cybersecurity threats have evolved and have moved from the network perimeter to the application layer. To find exploits, security tools must analyze an application starting from the inside, looking for code that tips off security vulnerabilities. This can be done through static analysis in three ways:

  1.      Analyze raw binaries of a compiled application
  2.      Analyze the source code
  3.      Analyze the byte code of an interpreted language

In the case of the latest Shadow Broker release, SentinelOne’s Static AI was able to work without source code to complete binary analysis, detecting the program’s behavior rather than the source code.

Don’t Wait to Protect Your Windows Machines

As threats continue to evolve and intensify, it’s imperative to not only stay current with patching, but also to adopt powerful signature-less static prevention driven by machine learning. With tools like SentinelOne’s Static AI engine, advanced file-based malware is blocked on access. To learn more about how we protect across user endpoints and servers, click here to read about our multi-layer endpoint protection technology.