Microsoft says it has fixed exploits leaked by Shadow Brokers in March

Pierluigi Paganini April 15, 2017

Microsoft determined that most of the flaws exploited by the tools in the dump released by Shadow Brokers yesterday were patched in March.

Yesterday the Shadow Brokers hacker group released a new portion of the alleged NSA archive of hacking tools and exploits: a 117.9 MB encrypted dump containing documents that suggest the NSA compromised SWIFT systems in the Middle East.

Some of the codenames for the hacking tools in the dump are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.

The tools work against almost every version of Windows, from Windows 2000 and XP through Windows 7 and 8 on the client side and Windows 2000 Server, Server 2003, 2008, 2008 R2 and 2012 on the server side; only Windows 10 and Windows Server 2016 are not targeted.

Security experts at Microsoft explained that most of the Windows vulnerabilities exploited by the above tools had already been patched: the SMB exploits in last month’s Patch Tuesday update (March 2017, bulletin MS17-010) and the remaining ones in bulletins released years earlier.

“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Microsoft Security Team said in a blog post published today.


Microsoft’s mapping of the leaked code names to the fixes that address them:

Code Name         Solution
EternalBlue       Addressed by MS17-010
EmeraldThread     Addressed by MS10-061
EternalChampion   Addressed by CVE-2017-0146 & CVE-2017-0147
ErraticGopher     Addressed prior to the release of Windows Vista
EskimoRoll        Addressed by MS14-068
EternalRomance    Addressed by MS17-010
EducatedScholar   Addressed by MS09-050
EternalSynergy    Addressed by MS17-010
EclipsedWing      Addressed by MS08-067

The availability of such exploits and hacking tools is a serious problem: an attacker with technical knowledge can use them to compromise millions of unpatched Windows systems across the world.

“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.

The SWIFT folder in the dump contains a PowerPoint document with credentials and details of the internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.

Shadow Brokers Windows exploits

The folder also includes SQL scripts that could be used to query the bureau’s Oracle database for a wide range of information, including the list of users and SWIFT message data.

Looking at the list of exploits in the archive, we find:

  • EternalRomance, an SMBv1 exploit (covered by MS17-010) that the leak presents as a weaponized zero-day with a Metasploit-style tool and an efficient GUI interface.
  • EternalBlue, an SMBv1 (Server Message Block 1.0) exploit that yields remote code execution (RCE) on older versions of Windows. Security expert Matthew Hickey published a video demonstrating EternalBlue against a virtual machine running Windows Server 2008 R2 SP1, launching the exploit through FuzzBunch, the leaked exploit framework, to compromise the host.

The experts noted that the attack also works against Windows PCs that have not installed the latest updates.

“The patches were released in last month’s update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable – if you apply MS17-010 it should protect hosts against the attacks,” Matthew added.

According to The Intercept, Microsoft had not been contacted by the US Government in relation to the Shadow Brokers data leak.

“A Microsoft spokesperson told The Intercept “We are reviewing the report and will take the necessary actions to protect our customers.” We asked Microsoft if the NSA at any point offered to provide information that would help protect Windows users from these attacks, given that the leak has been threatened since August 2016, to which they replied “our focus at this time is reviewing the current report.” The company later clarified that “At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers.” reported The Intercept.

If you want to stay safe from attacks using the above hacking tools, keep your Windows machines and servers up to date; for the SMB exploits in particular, that means confirming that MS17-010 is installed on every supported host.
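As an added example (not code from the article, from Microsoft, or from the leaked tooling), the following PowerShell script checks a single host for two things a practitioner wants to know after reading the above: whether one of the MS17-010 updates is installed, and whether the SMBv1 server, the surface that EternalBlue, EternalRomance and EternalSynergy attack, is still enabled. The KB identifiers are assumed from the MS17-010 bulletin and should be verified against it; the function name, the registry fallback for Windows 7 / Server 2008 R2 and the exposure verdict are this example’s own.

```powershell
# Added example: check a Windows host for the MS17-010 updates and for an
# enabled SMBv1 server. Run in an elevated PowerShell session on the host.
#
# KB list assumed from the MS17-010 bulletin (one security-only update and one
# monthly rollup per OS, plus the May 2017 out-of-band update that extended
# KB4012598 to XP / 2003 / 8 RTM). Later cumulative rollups supersede these
# KBs, so a missing KB is a hint, not proof of exposure: confirm with the
# bulletin or a vulnerability scanner.
$Ms17010Kbs = @(
    'KB4012598',                            # Vista / Server 2008 (and XP / 2003 / 8 RTM)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Exposure {
    param([string[]]$Kbs = $Ms17010Kbs)

    # Get-WmiObject rather than Get-CimInstance so this also runs on the
    # PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
    $os = Get-WmiObject Win32_OperatingSystem

    # 1. Installed hotfixes vs. the MS17-010 KB list.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $present   = @($Kbs | Where-Object { $installed -contains $_ })

    # 2. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
    #    Server 2012 and later; older hosts expose the setting only through the
    #    LanmanServer SMB1 registry value, and an absent value means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
    }

    # Exposure verdict (this example's own heuristic): SMBv1 reachable and no
    # MS17-010 KB seen. A superseding rollup can make this a false positive.
    New-Object PSObject -Property @{
        Host          = $env:COMPUTERNAME
        OS            = "$($os.Caption) $($os.Version)"
        Ms17010Kbs    = ($present -join ', ')
        Smb1Enabled   = $smb1Enabled
        LikelyExposed = ($smb1Enabled -and ($present.Count -eq 0))
    }
}

$result = Test-Ms17010Exposure
$result | Format-List Host, OS, Ms17010Kbs, Smb1Enabled, LikelyExposed

if ($result.Smb1Enabled) {
    Write-Warning 'SMBv1 server is enabled. The MS17-010 bulletin also lists disabling SMBv1 as a workaround;'
    Write-Warning 'on Windows 8 / Server 2012 and later: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning 'Expect breakage for clients that only speak SMBv1 (Windows XP, old NAS firmware).'
}
```

The patch check deliberately stays advisory: on a host patched through a later monthly rollup none of the listed KBs appears in Get-HotFix even though the fix is present, so a clean LikelyExposed of True should be confirmed by a scanner that probes the SMB service itself before it is treated as a finding. The SMBv1 check has no such ambiguity and is the faster way to reduce the attack surface on hosts that do not need the protocol.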



Pierluigi Paganini

(Security Affairs – Shadow Brokers, Windows)
