Microsoft says it has fixed exploits leaked by Shadow Brokers in March

Security experts at Microsoft explained most of the Windows vulnerabilities exploited by the above hacking tools have been already patched in the last month’s Patch Tuesday update.

“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Microsoft Security Team said in a blog post published today.

date.

Code Name	Solution
“EternalBlue”	Addressed by MS17-010
“EmeraldThread”	Addressed by MS10-061
“EternalChampion”	Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher”	Addressed prior to the release of Windows Vista
“EsikmoRoll”	Addressed by MS14-068
“EternalRomance”	Addressed by MS17-010
“EducatedScholar”	Addressed by MS09-050
“EternalSynergy”	Addressed by MS17-010
“EclipsedWing”	Addressed by MS08-067

The availability of such exploits and hacking tools represents a serious problem, an attacker with technical knowledge can exploit them to compromise millions of Windows systems across the world.

“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.

The SWIFT folder in the dump contains a PowerPoint document that contains credentials and data on the internal architecture of EastNets, one of the largest SWIFT Service Bureau in the Middle East.

• Eternalromance that implements a Weaponized #0day Metasploit with an efficient GUI interfaces.
• Eternalblue — an SMBv1 (Server Message Block 1.0) exploit that could trigger a RCE in older versions of Windows. The security expert Matthew Hickey published a video that demonstrates how to use the Eternalblue exploit against a server running Windows Server 2008 R2 SP1 and chaining the hack with the FuzzBunch exploit, which is being used to compromise a virtual machine running Windows Server 2008.

The experts noticed that the attack also works against Windows PCs without installing the latest updates.

“The patches were released in last month’s update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable – if you apply MS17-010 it should protect hosts against the attacks,” Matthew added.

According to The Intercept, Microsoft had not been contacted by the US Government in relation to the Shadow Brokers data leak.

“A Microsoft spokesperson told The Intercept “We are reviewing the report and will take the necessary actions to protect our customers.” We asked Microsoft if the NSA at any point offered to provide information that would help protect Windows users from these attacks, given that the leak has been threatened since August 2016, to which they replied “our focus at this time is reviewing the current report.” The company later clarified that “At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers.” reported The Intercept.

If you want to stay safe from attacks exploiting the above hacking tools keep your Windows machines and servers up-to-date.

Pierluigi Paganini talk to RT International

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Shadow Brokers, Windows)

[adrotate banner=”5″]

[adrotate banner=”13″]