the stream

Airbus Cybersecurity: Playing defence against the Equation Group

Alexander Bochmann, Saturday 25 February 2017
I missed this back in October: Airbus Cybersecurity has a long post examining specifically the documentation files from the Equation Group data leaked by Shadow Brokers...

Seems like quite a good summary on that part of the information.

These tools and exploits do not change the path of a normal killchain. What we see here is reconnaissance (command sets), lateral movement (RCEs on admin interfaces), privilege escalation [..], persistence [..]. This leak contains no initial intrusion material. This means that regular detection and defence strategies still apply. Even if we assume the worst-case scenario of a remote code execution on the public interface of a border firewall, it still takes us back to a defence-in-depth doctrine. [..]
What the exploits, tools and procedures contained in the package show is that Equation Group is actively pursuing admin networks and infrastructures. In this respect, the fact that they abort if logs are sent to separate equipment unless they “own” this equipment is a tell-tale sign of their operational tactics. [..]
What stands out are the professionalism, the organisation given to this task, and their focus on retaining stealth. As Rob Lee of SANS says, “It’s an army set up to hack your organization”. That makes them a formidable opponent.