Marian Novotny received his PhD in Computer Science from the Faculty of Science of Pavol Jozef Šafárik University in Košice. In his PhD thesis he focused on the design and analysis of security protocols. He is currently working as a specialized software engineer at ESET, where he is responsible for the design, analysis and implementation of network intrusion detection systems. These detection systems are integrated in ESET products under the names Network Attack Protection, Botnet Protection and Home Network Protection.
PRESENTATION: Analysis and Detection of Shadow Brokers Exploits
A group of hackers named Shadow Brokers leaked alleged U.S. National Security Agency exploits on Good Friday, April 2017. The exploits abused vulnerabilities in the implementation of the Server Message Block (SMB) protocol in the major versions of MS Windows. The most famous exploit, called EternalBlue, provides reliable kernel-mode remote code execution in the SMB service without authentication. Microsoft patched the vulnerabilities in March 2017 in the cumulative security update MS17-010. However, Windows XP – still used by millions of users worldwide – had remained unpatched. This gave cybercriminals the opportunity to use the exploits to spread malware. On Friday, May 12, 2017, a ransomware attack known as WannaCry began to spread across the globe at unprecedented scale and speed.
In the lecture we will explain the particular exploits along with their components and related vulnerabilities, focusing on EternalBlue. We will show the network communication during exploitation and discuss the possibilities for detecting the exploits at the network level. We will also explain in more detail how the WannaCry and NotPetya ransomware spread worldwide.