Last year, hacking group Shadow Brokers leaked a series of tools used by "an elite team" inside of the US's National Security Agency. Since, by their own admission, the hacker group has not been paid by anyone to "shutup [sic] and going [sic] away", they have released another cache of tools, this time targeted at Windows systems.
According to ZDNet and Hacker Fantastic on Twitter, the tools and exploits affect Windows 2000, Windows XP, Windows 7, Windows 8, as well as their server-side variants like Server 2000, 2003, 2008, 2008 R2 and 2012.
These exploits have been allegedly used by the NSA to target several banks and the SWIFT banking system. What's more, according to security researcher Kevin Beaumont, the hacking tools belonging to the Agency's so-called Equation Group even give it the ability to infiltrate deep inside networks by exploiting VPN and firewall systems:
Among the leaked arsenal there is ExplodingCan, which creates a remote backdoor by exploiting the Windows web server Internet Information Services on older versions of the OS. Then, there is EternalSynergy, a remote SMB exploit for Windows 8 and Server 2012. From the same "family", there is also EternalRomance, a remote SMB1 exploit targeting Windows XP, Vista, 7, 8 and their server counterparts, Server 2003 plus 2008 and 2008 R2.
Even more so, info has been revealed about EsteemAudit, a Remote Desktop Protocol exploit targeted at Windows Server 2003. This one exploits SmartCard authentication at login, and works on a patched version of the server OS.
A Microsoft spokesman declared for ZDNet that "We are reviewing the report and will take the necessary actions to protect our customers".
Many of the exploits described by these researchers appear to be zero-day, but have not been confirmed as of yet.
Source: ZDNet, Kevin Beaumont (Twitter)
Update: Microsoft has put up a blog post, stating that the majority of the vulnerabilities exposed by this leak have been patched. They are, as follows:
| Codename | Patch / Solution |
|---|---|
| EternalBlue | MS17-010 |
| EmeraldThread | MS10-061 |
| EternalChampion | CVE-2017-0146 and CVE-2017-0147 |
| ErraticGopher | Addressed prior to the release of Vista |
| EskimoRoll | MS14-068 |
| EternalRomance | MS17-010 |
| EducatedScholar | MS09-050 |
| EternalSynergy | MS17-010 |
| EclipsedWing | MS08-067 |
The firm goes on to state that the three remaining vulnerabilities, EnglishmanDentist, EsteemAudit, and ExplodingCan are not able to be reproduced on any of the operating systems it still supports. This means that "customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk". Naturally, the software giant encourages people to upgrade to the latest versions to keep safe.
What is interesting is that although most of these patches do show up in the acknowledgements section on TechNet, MS17-010 does not, as noticed by the grugq on Twitter. The researcher goes on to state that it may be due to the NSA themselves reporting the exploit to Microsoft.
92 Comments - Add comment