NSA EsteemAudit exploit could trigger a new WannaCry-like attack

Pierluigi Paganini May 25, 2017

Security experts from enSilo firm released a free patch for Windows systems vulnerable to the NSA-linked ESTEEMAUDIT Exploit.

The WannaCry emergency could not be ended because the NSA dump leaked by the Shadow Brokers team included many other dangerous exploits.

Last months the Shadow Brokers group released another batch of data containing exploit codes still unpatched by Microsoft such as the “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.”

The availability of such exploits and hacking tools represents a serious problem, an attacker with technical knowledge can exploit them to compromise millions of Windows systems across the world.

“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.

Let’s start with the EsteemAudit exploit, it is a hacking tool that targets RDP service (port 3389) on machines running no longer supported Microsoft Windows Server 2003 / Windows XP.

It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit.

Even one infected machine opens your enterprise to greater exploitation,” explained the security researchers Omri Misgav and Tal Liberman who works for the Ensilo cyber security firm and that developed an unofficial patch for EsteemAudit exploit.

“In the trove of stolen exploits published by the Shadow Group appears ESTEEMAUDIT, an RDP exploit which can allow malware to move laterally within the organization, similar to what we had seen with WannaCry.” reads a blog post from Ensilo.

“enSilo is giving away its patch against ESTEEMAUDIT for free with the intention of helping organizations around the world to better improve their security posture in one easy, but critical step.

It is important to note that patching this exploit will not make these XP systems fully secure. There are still many unpatched vulnerabilities in Windows XP, and we urge organizations to update their systems accordingly.

Until that happens, we believe that in-the-wild critical exploits like ESTEEMAUDIT and ETERNALBLUE must be patched.”

NSA EsteemAudit

Experts warn of possible exploitation of EsteemAudit exploit in network wormable threats. threat actors in the wild can develop malware that is able to propagate itself in target’s networks without user’s interaction.

“Years later, there continue to be hundreds of millions of machines relying on XP and Server 2003 operating systems in use around the world. Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today and the cybersecurity industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of global market share.” continues the blog post from Ensilo.

There are many malware in the wild that already infects systems using as attack vector the RDP protocol, (CrySiS, Dharma, and SamSam), the EsteemAudit exploit can potentially make these threats very aggressive and dangerous.

Users and enterprises running the vulnerable systems are advised to upgrade them to the higher versions to secure themselves from EsteenAudit attacks.

When it is impossible to upgrade the systems it is necessary to secure them, for example disabling RDP port or putting it behind the firewall.

You can also deploy the unofficial patch developed by Ensilo to secure your systems.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – EsteemAudit ,  hacking)

[adrotate banner=”13″]

you might also like

leave a comment