Pierluigi Paganini
April 15, 2017
Yesterday the Shadow Brokers hacker group has released a new portion of the alleged archive of the NSA containing hacking tools and exploits. The group released a 117.9 MB encrypted dump containing documents that suggest NSA hacker SWIFT system in the Middle East.
Some of the codenames for the hacking tools in the dump are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.
The tools work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.
Security experts at Microsoft explained most of the Windows vulnerabilities exploited by the above hacking tools have been already patched in the last month’s Patch Tuesday update.
“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Microsoft Security Team said in a blog post published today.
date.
| Code Name | Solution |
| “EternalBlue” | Addressed by MS17-010 |
| “EmeraldThread” | Addressed by MS10-061 |
| “EternalChampion” | Addressed by CVE-2017-0146 & CVE-2017-0147 |
| “ErraticGopher” | Addressed prior to the release of Windows Vista |
| “EsikmoRoll” | Addressed by MS14-068 |
| “EternalRomance” | Addressed by MS17-010 |
| “EducatedScholar” | Addressed by MS09-050 |
| “EternalSynergy” | Addressed by MS17-010 |
| “EclipsedWing” | Addressed by MS08-067 |
The availability of such exploits and hacking tools represents a serious problem, an attacker with technical knowledge can exploit them to compromise millions of Windows systems across the world.
“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.
The SWIFT folder in the dump contains a PowerPoint document that contains credentials and data on the internal architecture of EastNets, one of the largest SWIFT Service Bureau in the Middle East.
The folder includes SQL scripts that could be used to query Oracle Database to obtain a wide range of information, including the list of users and the SWIFT message queries.Giving a look at the list of exploits in the archive we can find
Giving a look at the list of exploits in the archive we can find
The experts noticed that the attack also works against Windows PCs without installing the latest updates.
“The patches were released in last month’s update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable – if you apply MS17-010 it should protect hosts against the attacks,” Matthew added.
According to The Intercept, Microsoft had not been contacted by the US Government in relation to the Shadow Brokers data leak.
“A Microsoft spokesperson told The Intercept “We are reviewing the report and will take the necessary actions to protect our customers.” We asked Microsoft if the NSA at any point offered to provide information that would help protect Windows users from these attacks, given that the leak has been threatened since August 2016, to which they replied “our focus at this time is reviewing the current report.” The company later clarified that “At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers.” reported The Intercept.
If you want to stay safe from attacks exploiting the above hacking tools keep your Windows machines and servers up-to-date.
Pierluigi Paganini talk to RT International
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Shadow Brokers, Windows)
[adrotate banner=”5″]
[adrotate banner=”13″]
