*UPDATED* Shadow Brokers dumps most severe NSA exploits yet

According to Ars Technica,

Quote

The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits—just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.

The exploits included in Friday's data dump are probably some of the most severe exploits discovered, most of which result in remote data execution.

Several included:

Quote
  • ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
  • ETERNALCHAMPION, ETERNALSYSTEM — Remote exploit up to Windows 8 and 2012
  • ETERNALBLUE — Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
  • EXPLODINGCAN — Remote IIS 6.0 exploit for Windows 2003
  • EWORKFRENZY — Lotus Domino 6.5.4 and 7.0.2 exploit
  • ETERNALSYNERGY — Windows 8 and Windows Server 2012
  • FUZZBUNCH — Exploit Framework (Similar to Metasploit) for the exploits.

The exploit codenamed ETERNALBLUE also appears to be even more severe than originally reported. According to several security specialists on Twitter, it also successfully affects Windows 10 systems.

That's not all either; there are also tools for hacking into financial institutions such as banks.

UPDATE: Windows 10 has been patched to prevent these vulnerabilities as of April 15th.

Quote

Friday's dump also contains code for hacking into banks, particularly those in the Middle East. According to this analysis by Matt Suiche, a researcher and cofounder of Cloud Volumes, Jeepflea_Market is the code name for a 2013 mission that accessed EastNets, the largest SWIFT service bureau in the Middle East. EastNets provides anti-money laundering oversight and related services for SWIFT transactions in the region. Besides specific data concerning specific servers, the archive also includes reusable tools to extract the information from Oracle databases such as a list of database users and SWIFT message queries.

Quote

The release also contains the software for "Oddjob", an implant tool and backdoor for controlling hacked computers through an HTTP-based command server. Other implants have names such as Darkpulsar-1.1.0.exe, Mofconfig-1.0.0.exe, and PluginHelper.py. With the exception of minor generic detections for engines related to a "packer" that conceals Oddjob, none of the implants were detected by antivirus programs at the time this update was going live. AV companies are almost certainly in the process of pushing out updates.

Personal Opinion: Let this dump be a lesson to those that think that having government exclusive backdoors is safe and secure. Both the CIA and NSA managed to have their secret arsenals stolen while supposedly being the most secure agencies on Earth. Strong security can only work if it's strong for everyone.

UPDATE

Quote

Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.

 

That's because the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-0147—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it's uncommon, and it's generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained in Friday's leak.


Microsoft provided the following table showing when various vulnerabilities were patched:

Code Name           Solution
“EternalBlue”       Addressed by MS17-010
“EmeraldThread”     Addressed by MS10-061
“EternalChampion”   Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher”     Addressed prior to the release of Windows Vista
“EskimoRoll”        Addressed by MS14-068
“EternalRomance”    Addressed by MS17-010
“EducatedScholar”   Addressed by MS09-050
“EternalSynergy”    Addressed by MS17-010
“EclipsedWing”      Addressed by MS08-067

Well.. this is going to be something else. Thanks for the update :)

Link to comment
Share on other sites

Link to post
Share on other sites

...the article says most of these exploits are blocked by firewalls anyways? Is this a case of you'd have to turn off the Windows firewall which no one does?

1 minute ago, AnonymousGuy said:

...the article says most of these exploits are blocked by firewalls anyways? Is this a case of you'd have to turn off the Windows firewall which no one does?

By themselves, they are blocked. Use an attack vector such as some JavaScript exploit that's not blocked to set up a secure VPN connection on one machine. Use these to gain control over everything else on the network.

4 minutes ago, AnonymousGuy said:

Is this a case of you'd have to turn off the Windows firewall which no one does?

While I would like to say "I agree", this is the tin-foil hat community...

Is EXPLODINGCAN what affected Note 7s?

Just now, ARikozuM said:

While I would like to say "I agree", this is the tin-foil hat community...

While most script kiddies aren't worth the tin-foil, there are some serious groups out there that can pull off tin-foil level of attacks involving many exploits.

2 minutes ago, DeadEyePsycho said:

While most script kiddies aren't worth the tin-foil, there are some serious groups out there that can pull off tin-foil level of attacks involving many exploits.

I realize this is a variation of "I don't have anything to hide", but I really doubt anyone would want to blow their giant load of an exploit on someone like me.

1 minute ago, AnonymousGuy said:

I realize this is a variation of "I don't have anything to hide", but I really doubt anyone would want to blow their giant load of an exploit on someone like me.

True enough in targeted attacks; drive-by attacks on websites that auto-download malware en masse could be dangerous though. Hopefully Microsoft patches these fast though.

12 minutes ago, ARikozuM said:

Is EXPLODINGCAN what affected Note 7s?

Gov and Military have this bad track record for naming things.

15 minutes ago, DeadEyePsycho said:

By themselves, they are blocked. Use an attack vector such as some JavaScript exploit that's not blocked to set up a secure VPN connection on one machine. Use these to gain control over everything else on the network.

Social engineering is a lovely way to get stuff into a network. Firewalls are looking for outside network threats, not inside threats. So, once in, the mayhem begins.

Unless you've got HIPS on all the client machines that can detect the threat.

I never got to sit behind a red team working, but I know others who have, interesting info for sure.

The Shadow Brokers dump is full compiles, rather than technical documents (which most of the Vault 7 releases have been).

This is BAD. Like, really, really bad.

Also, apparently the NSA has interest in a bunch of colleges/universities in East Asia. I don't know why.

6 hours ago, DeadEyePsycho said:

Personal Opinion: Let this dump be a lesson to those that think that having government exclusive backdoors is safe and secure. Both the CIA and NSA managed to have their secret arsenals stolen while supposedly being the most secure agencies on Earth. Strong security can only work if it's strong for everyone.

Most of the information leaks come from stupid people. If the information was stolen from their network, all it takes is some dumb lonely nerd interested in Russian Singles. Otherwise, it's someone on the inside sneaking out information. This type of information isn't available from the standard internet the world has access to (unless it's emailed to Hilary). It takes some special engineering, not software and social, to get to this information.

Also, NSA and CIA are super visible as being high-profile targets, but anyone who thinks no other government (UK, Germany, Russia, China, AU, etc.) is above this type of activity is blindly naive.

7 minutes ago, Ryujin2003 said:

Most of the information leaks come from stupid people. If the information was stolen from their network, all it takes is some dumb lonely nerd interested in Russian Singles. Otherwise, it's someone on the inside sneaking out information. This type of information isn't available from the standard internet the world has access to (unless it's emailed to Hilary). It takes some special engineering, not software and social, to get to this information.

You're arguing the means but the end is the same. These were supposedly unleakable and they were leaked, end of story.

7 minutes ago, Ryujin2003 said:

Also, NSA and CIA are super visible as being high-profile targets, but anyone who thinks no other government (UK, Germany, Russia, China, AU, etc.) is above this type of activity is blindly naive.

Not sure what you're going on about, nobody said they weren't. Words have specific meaning, realize what I wrote and how your response has literally nothing to do with it.

 

Just now, DeadEyePsycho said:

You're arguing the means but the end is the same. These were supposedly unleakable and they were leaked, end of story.

Not sure what you're going on about, nobody said they weren't. Words have specific meaning, realize what I wrote and how your response has literally nothing to do with it.

 

I'm so sorry for not specifying, but that last part was not in direct response to your statement. I figured I'd make one post instead of two. Just highlighting the idea that this type of activity will continue.

And nothing is "unleakable". When people are entrusted to protect information they have access to, you are inevitably going to deal with people who find themselves with internal conflict. Just because you slap a classification onto a piece of paper doesn't mean that the information can't or won't be mishandled.

Don't get me wrong, I don't believe in government-exclusive gaps in security; however, I'm not going to villainize the US government for trying to find gaps in security to exploit for national security means. But if the US found a vulnerability, then it still exists for everyone else. They are just as vulnerable as everyone else.

Just now, Ryujin2003 said:

I'm so sorry for not specifying, but that last part was not in direct response to your statement. I figured I'd make one post instead of two. Just highlighting the idea that this type of activity will continue.

And nothing is "unleakable". When people are entrusted to protect information they have access to, you are inevitably going to deal with people who find themselves with internal conflict. Just because you slap a classification onto a piece of paper doesn't mean that the information can't or won't be mishandled.

Don't get me wrong, I don't believe in government-exclusive gaps in security; however, I'm not going to villainize the US government for trying to find gaps in security to exploit for national security means. But if the US found a vulnerability, then it still exists for everyone else. They are just as vulnerable as everyone else.

Sorry about that, thanks for the clarification.

 

My overall point is that they are too focused on offense and leave massive holes in our nations defense when they fail to inform the manufacturers of the exploits.

2 minutes ago, DeadEyePsycho said:

Sorry about that, thanks for the clarification.

 

My overall point is that they are too focused on offense and leave massive holes in our nations defense when they fail to inform the manufacturers of the exploits.

I completely agree with you, and I wasn't trying to argue you were wrong. Spying is the game, and nothing is going to change that. But the US, and every other nation for that matter, needs to defend its nation as well. Focus on attacking politicians in foreign countries, but leave the energy and financial infrastructure vulnerable on the cyber front. That makes tons of sense.

If manufacturers never know, they will continue to make the same mistakes. Citizens will be the ones to pay in the end... The priorities are a little wonky.

Just now, Ryujin2003 said:

I completely agree with you, and I wasn't trying to argue you were wrong. Spying is the game, and nothing is going to change that. But the US, and every other nation for that matter, needs to defend its nation as well. Focus on attacking politicians in foreign countries, but leave the energy and financial infrastructure vulnerable on the cyber front. That makes tons of sense.

If manufacturers never know, they will continue to make the same mistakes. Citizens will be the ones to pay in the end... The priorities are a little wonky.

IIRC a former NSA official or someone similar said that 80% of their budget is for offense.

smh im windows 7 FUCK.

Microsoft responded on this story.

Quote

Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

Code Name           Solution
EternalBlue         Addressed by MS17-010
EmeraldThread       Addressed by MS10-061
EternalChampion     Addressed by CVE-2017-0146 & CVE-2017-0147
ErraticGopher       Addressed prior to the release of Windows Vista
EskimoRoll          Addressed by MS14-068
EternalRomance      Addressed by MS17-010
EducatedScholar     Addressed by MS09-050
EternalSynergy      Addressed by MS17-010
EclipsedWing        Addressed by MS08-067

Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

Source: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

 

So in other words, stay with the latest fully supported version of Windows, and keep everything updated.

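As an added check (my own code, not from the thread or from Microsoft's post), the read-only PowerShell below reports, for a single host, the three things this thread keeps circling back to: whether TCP 445, the port the ETERNAL* SMB exploits listed above use, is allowed inbound by the Windows firewall and from which remote addresses; whether SMBv1 is still enabled; and whether any updates at all have been installed since the March 2017 patch cycle that shipped MS17-010. It assumes Windows 8.1 / Server 2012 R2 or newer with the SmbShare and NetSecurity modules and an elevated PowerShell 5.1 session; the function name and the 14 March 2017 cutoff are my own choices.

```powershell
# Added example: read-only exposure check for the SMB issues discussed in the
# thread. Not code from the thread or from Microsoft. Assumes Windows 8.1 /
# Server 2012 R2 or later (SmbShare + NetSecurity modules) and an elevated
# PowerShell 5.1 session. Function and variable names are my own.

function Test-SmbExposure {
    [CmdletBinding()]
    param(
        # MS17-010 was published with the March 2017 updates (14 March 2017).
        # A host with nothing installed since then cannot have it.
        [datetime]$PatchCutoff = [datetime]'2017-03-14'
    )

    # 1. SMBv1: the ETERNAL* exploits target the SMBv1 dialect, so a host with
    #    it disabled is out of their reach even if 445 is open.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 2. Enabled inbound allow-rules that admit TCP 445 (or any port), with the
    #    remote-address scope each one permits. 'LocalSubnet' is the case the
    #    thread describes: blocked from the internet, open to anything already
    #    on the LAN. 'Any' means reachable from wherever the host routes.
    $port445Rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) -contains '445' -or @($_.LocalPort) -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }

    # 3. Updates installed on or after the cutoff. None at all is a strong
    #    signal the host never received MS17-010. Some is only a hint: later
    #    cumulative rollups supersede the original KB and Get-HotFix is not a
    #    complete inventory, so confirm against the MS17-010 bulletin for the
    #    host's OS build before calling it patched.
    $recentUpdates = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff } |
        Sort-Object InstalledOn -Descending

    $needsAttention = ($smb1 -eq $true) -or
        (@($port445Rules).Count -gt 0 -and @($recentUpdates).Count -eq 0)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1Enabled        = $smb1
        Inbound445Rules    = @($port445Rules)
        UpdatesSinceCutoff = @($recentUpdates | Select-Object -ExpandProperty HotFixID)
        NeedsAttention     = $needsAttention
    }
}

$result = Test-SmbExposure
$result | Format-List
if ($result.NeedsAttention) {
    Write-Warning 'SMBv1 enabled, or TCP 445 allowed inbound on a host with no updates since March 2017.'
}
```

Run it on each Windows host you manage and treat any result with NeedsAttention set as a host to patch or to drop SMBv1 on, not as proof of compromise.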
1 hour ago, GoodBytes said:

Microsoft responded on this story.

Source: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

 

So in other words, stay with the latest fully supported version of Windows, and keep everything updated.

Unfortunately people disable updates because they're afraid of telemetry, which leaves them open to zero-days.

11 minutes ago, DeadEyePsycho said:

Unfortunately people disable updates because they're afraid of telemetry, which leaves them open to zero-days.

It doesn't matter what you do; exploits like this will always exist. Now, they could be less common if everything related to Adobe or Oracle could be reworked to not use their crap services/code, but the easier solution is to make backups and just wipe the affected drives if they are ever hacked. Oh, and use adblockers.

1 minute ago, AresKrieger said:

It doesn't matter what you do; exploits like this will always exist. Now, they could be less common if everything related to Adobe or Oracle could be reworked to not use their crap services/code, but the easier solution is to make backups and just wipe the affected drives if they are ever hacked. Oh, and use adblockers.

I would rather update and only worry about zero-days instead of refusing to update and worry about every exploit found ever.
