
April 15, 2017

‘Shadow Brokers’ dump of NSA tools includes new Windows exploits

by John_A

Earlier this year “The Shadow Brokers” (an entity claiming to have stolen hacking tools from the NSA and then offering them for sale) seemed to pack up shop, but the group has continued on. Today it made a new post containing a number of working exploits for Windows machines running everything from XP up to at least Windows 8. As for Windows 10, the stolen data appears to date from 2013 and so predates the latest OS. It therefore isn’t immediately apparent whether Windows 10 is vulnerable, but early results indicate that at least some of the tools don’t work on it.

This is really bad, in about an hour or so any attacker can download a simple toolkit to hack into Microsoft-based computers around the globe.

— Hacker Fantastic (@hackerfantastic) April 14, 2017

WINDOWS 10 does not appear impacted by ETERNALBLUE or ETERNAL exploit series in my lab test.

— Hacker Fantastic (@hackerfantastic) April 14, 2017

Releasing this information ahead of a holiday weekend may make it harder for Microsoft and IT workers to respond, as anyone with bad intentions now has access to a number of previously unknown exploits. As security researchers like Matthew Hickey (aka @hackerfantastic) scan through tools with names like ETERNALBLUE (a remote exploit for XP and above) and FUZZBUNCH (a framework that helps control use of the other attacks), Marcy Wheeler notes that the NSA has known these tools were out there since January, when The Shadow Brokers listed them for sale.

Lost in Translation — Steemit https://t.co/OH5UexWJsG enjoy!

— theshadowbrokers (@shadowbrokerss) April 14, 2017

For now, the response from a Microsoft spokesperson is that “We are reviewing the report and will take the necessary actions to protect our customers.”

So what is there to do if you’re not a network admin and just use a Windows computer, whether at work or at home? In a quote to Motherboard, one hacker said to have formerly worked for the Department of Defense says plainly that “It’s not safe to run an internet-facing Windows box right now.”

Of course, your PC is (or should be) behind a router/firewall. I spoke to Travis Smith, a Senior Security Research Engineer at Tripwire, who explained that the released tools largely rely on local network protocols, the kind attackers use to move from one compromised PC to others across a network. As he put it, “even if you aren’t running the latest greatest operating system and you don’t have antivirus, if your Windows laptop isn’t plugged directly into the internet, then your risk profile greatly diminishes.” If you do have an antivirus, like Microsoft’s Windows Defender or products from McAfee, Kaspersky and the like, it should be updated quickly to recognize these executables now that they’re known.

Contacted via email, Matthew Hickey expressed a similar outlook, saying that “most home users will not be directly impacted by these vulnerabilities as an attacker needs to connect to services on their computer. The risk is much bigger to enterprise and businesses who rely on these services to connect online.”

Now that these 0days are public, disabling SMB might work as a workaround security patch on #Windows https://t.co/m13iFZdVTF #EquationGroup

— x0rz (@x0rz) April 14, 2017

@GossiTheDog You are people, Kev!

Worth noting that every version of Windows since Vista has SMB server svc blocked inbound by firewall by default also

— Ned Pyle (@NerdPyle) April 14, 2017

For folks at home, this isn’t a big deal. Install the Windows Updates when Windows Update says “install me!”. But you should do that anyway.

— Pwn All The Things (@pwnallthethings) April 14, 2017

@JukesSitus No SMB, no remote desktop, and not sure if that’s enough. These should not be reachable from Internet, but could rip through institutions.

— Nicholas Weaver (@ncweaver) April 14, 2017
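The tweets above boil down to three defensive checks: is SMB or Remote Desktop reachable on the machine, is the firewall blocking it inbound, and are updates installed. The following PowerShell script is an added example written for this page (it is not code from the article, from the Shadow Brokers dump or from any of the people quoted) that audits those points read-only and offers the “disable SMB” workaround as a separate, opt-in step. The function names Get-LateralMovementExposure, Test-PortCoveredByFilter and Disable-Smb1Server are my own; the cmdlets it calls (Get-NetTCPConnection, Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-SmbServerConfiguration, Set-SmbServerConfiguration, Get-HotFix) are standard on Windows 8 / Server 2012 and later, and the script assumes that platform and an elevated prompt.

```powershell
# Added example (not part of the original article): a read-only audit of the
# exposure the quoted tweets discuss. It reports whether SMB (TCP 139/445) and
# Remote Desktop (TCP 3389) are listening, whether an enabled inbound firewall
# rule would let that traffic in, whether the SMB1 server protocol is on, and
# when the last update was installed. Assumes Windows 8 / Server 2012 or later
# (the Net* and Smb* cmdlets used here are not present on Windows 7 / 2008 R2).

function Test-PortCoveredByFilter {
    # Does a firewall port filter's LocalPort value ("Any", "445", "137-139",
    # or an array of those) cover the given port?
    param([object]$LocalPort, [int]$Port)
    foreach ($entry in @($LocalPort)) {
        if ("$entry" -eq 'Any') { return $true }
        if ("$entry" -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
        if ("$entry" -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

function Get-LateralMovementExposure {
    [CmdletBinding()]
    param([int[]]$Ports = @(139, 445, 3389))

    # Ports with a live TCP listener.
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique)

    # Enabled inbound ALLOW rules, joined to their port filters, that would admit
    # TCP traffic to one of the ports. Rule groups such as "File and Printer
    # Sharing" and "Remote Desktop" show up here once someone has enabled them.
    $allowed = @{}
    foreach ($p in $Ports) { $allowed[$p] = @() }
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallPortFilter
            if ($filter.Protocol -notin @('TCP', 'Any')) { return }   # skip this rule
            foreach ($p in $Ports) {
                if (Test-PortCoveredByFilter $filter.LocalPort $p) {
                    $allowed[$p] += "$($rule.DisplayName) [$($rule.Profile)]"
                }
            }
        }

    $smb1 = try { (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { 'unknown' }
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn

    foreach ($p in $Ports) {
        [pscustomobject]@{
            Port         = $p
            Listening    = ($listening -contains $p)
            InboundAllow = ($allowed[$p] -join '; ')
            # Reachable from the network only if a listener AND an allow rule exist.
            Exposed      = ($listening -contains $p) -and ($allowed[$p].Count -gt 0)
            Smb1Enabled  = $smb1
            LastUpdate   = $lastPatch
        }
    }
}

function Disable-Smb1Server {
    # The "disable SMB" workaround from the tweets, limited to the SMB1 server
    # protocol. This breaks clients that only speak SMB1 (old NAS boxes,
    # printers), so audit first. On Windows 7 / 2008 R2 Microsoft instead
    # documents setting the SMB1 DWORD under
    # HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0
    # and rebooting.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage (elevated prompt):
#   Get-LateralMovementExposure | Format-Table -AutoSize
#   Disable-Smb1Server -WhatIf    # preview; run without -WhatIf to apply
```

The Exposed column is the one to read: a port is only a problem when something is listening on it and an enabled inbound rule allows it, which on a default Vista-or-later workstation is not the case for SMB, as Ned Pyle’s tweet notes. A laptop that shows Exposed = True on 445 on the Public profile is the situation the quoted researchers are warning about. Disabling SMB1 is a blunt workaround; patching, once Microsoft ships the fixes mentioned later in the article, is the durable fix.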

No matter what software you’re running though, making sure you’re up to date with the latest patches will be one of the best things you can do to defend yourself. Also, as Travis explains, it’s possible the code could eventually be modified to attack newer systems including Windows 10 and Windows Server 2016, but that will likely take more than a couple of days. Even if remote exploits or a worm don’t arise from the use of these tools, now that they’re out in the wild they could still be delivered by the web, email or even a USB stick. Matthew closed out his email by noting that “Microsoft will need to release fixes for several of the ETERNAL exploits and customers should ensure they apply them as soon as available.”

Here is a video showing ETERNALBLUE being used to compromise a Windows 2008 R2 SP1 x64 host in under 120 seconds with FUZZBUNCH #0day 😉 pic.twitter.com/I9aUF530fU

— Hacker Fantastic (@hackerfantastic) April 14, 2017

Source: The Shadow Brokers
