The Attack Chain Of A Nation-State (Equation Group)

BSidesLV 2017

Presented by: Tal Liberman, Omri Misgav
Date: Tuesday July 25, 2017
Time: 19:00 - 19:25
Location: Underground

In April 2017, The Shadow Brokers release a collection of hacking tools belonging to the Equation group, one of the more sophisticated nation-state threat actors known to date. This collection contained several zero-day exploits some of which targeted Windows OS.
The good thing is that Microsoft was able to patch its supported OSes before the tools were made available to the general public. The bad side is that some of these exploits also work on obsolete OSes such as Windows XP and Server 2003, and those will never be patched by Microsoft.
According to Bloomberg Businessweek, by April 27th nearly half a million computers were found to be infected by these tools. As a security vendor, this made us consider the need to patch also the legacy systems.
In this talk we’ll showcase the tradecraft of a nation-state threat actor and present our research of the April leak:
• Technical analysis of the SMB exploit, EternalBlue
• Description of the DoublePulsar backdoor - including bugs we found in this backdoor and how it differs from other backdoors.
• A patch for legacy OS that we made freely available to the public.

Tal Liberman

Tal has a strong interest in cyber-security, mainly focusing around OS- internals, reverse-engineering and low-level research. As a cyber security research team lead at enSilo, Tal’s team is responsible for reverse engineering OS internals, exploits, and malware and integrating their findings into enSilo’s core platform. In particular, Tal is keen on “documenting the undocumented” in the Windows OS including CFG and other mitigation technologies, and code injection techniques such as AtomBombing. Tal holds a BSc. in Computer Sciences from University of Haifa, Israel.

Omri Misgav

Omri has participated in R&D; of large-scale defensive security solutions and did low-level research while taking part of an incident response team. As a security researcher at enSilo he digs into OS internals and exploits, as well as reverse engineering of malware. Omri is intrigued by TLA-related incidents and campaigns.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats