Microsoft says it has fixed exploits leaked by Shadow Brokers in March

A few days ago the Shadow Brokers hacker group released a new portion of the alleged NSA archive containing hacking tools and exploits. The group released a 117.9 MB encrypted dump containing documents that suggest the NSA hacked SWIFT systems in the Middle East.
Some of the codenames for the hacking tools in the dump are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.
The tools work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.
Security experts at Microsoft explained that most of the Windows vulnerabilities exploited by the above hacking tools had already been patched in last month's Patch Tuesday update.
“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Microsoft Security Team said in a blog post published today.
Code Name | Solution
--- | ---
EternalBlue | Addressed by MS17-010
EmeraldThread | Addressed by MS10-061
EternalChampion | Addressed by CVE-2017-0146 & CVE-2017-0147
ErraticGopher | Addressed prior to the release of Windows Vista
EskimoRoll | Addressed by MS14-068
EternalRomance | Addressed by MS17-010
EducatedScholar | Addressed by MS09-050
EternalSynergy | Addressed by MS17-010
EclipsedWing | Addressed by MS08-067
The availability of such exploits and hacking tools represents a serious problem: an attacker with technical knowledge can use them to compromise millions of unpatched Windows systems across the world.
“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.
The SWIFT folder in the dump contains a PowerPoint document with credentials and data on the internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.
Shadow Brokers Windows exploits
The folder includes SQL scripts that could be used to query an Oracle database to obtain a wide range of information, including the list of users and the SWIFT message queries.
Looking at the list of exploits in the archive, we can find:
  • EternalRomance, which implements a weaponized 0-day Metasploit exploit with an efficient GUI interface.
  • EternalBlue, an SMBv1 (Server Message Block 1.0) exploit that could trigger remote code execution (RCE) in older versions of Windows. The security expert Matthew Hickey published a video that demonstrates the EternalBlue exploit against a server running Windows Server 2008 R2 SP1, chained with the FuzzBunch framework, which is used to compromise a virtual machine running Windows Server 2008.
The experts noticed that the attack also works against Windows PCs without installing the latest updates.
“The patches were released in last month’s update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable – if you apply MS17-010 it should protect hosts against the attacks,” Matthew added.
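The two conditions that matter for the SMBv1 exploits above are whether SMBv1 is still enabled and whether MS17-010 is installed. The following PowerShell audit script is an added example (not from the article, Microsoft or the researcher quoted); the KB numbers that correspond to MS17-010 differ per OS build and are not given in the article, so they are passed in as a parameter with a placeholder default.

```powershell
# Added example: audit the local host for the exposure the article describes.
# Assumes it runs elevated on Windows 7 / Server 2008 R2 or later.
# The MS17-010 KB identifiers are NOT on the page; supply your own per OS build.
param(
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-YOUR-OS-BUILD')
)

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Windows 7 / Server 2008 R2: fall back to the documented LanmanServer
    # registry value. SMB1 is enabled unless the value is explicitly 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists installed updates by HotFixID (e.g. "KB1234567").
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1    = Test-Smb1Enabled
$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs

# Rank exposure: unpatched + SMBv1 on is the case the exploits target.
if ($smb1 -and -not $patched) { $exposure = 'HIGH: SMBv1 enabled and MS17-010 missing' }
elseif ($smb1)                { $exposure = 'MEDIUM: MS17-010 present but SMBv1 still enabled' }
else                          { $exposure = 'LOW: SMBv1 disabled' }

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Smb1Enabled    = $smb1
    Ms17010Present = $patched
    Exposure       = $exposure
}
```

Run it across a fleet with Invoke-Command and collect the objects to find hosts that are still exposed; Get-HotFix does not enumerate every cumulative update, so treat a MEDIUM result as a prompt to verify the patch level by another means before dismissing it.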
According to The Intercept, Microsoft had not been contacted by the US Government in relation to the Shadow Brokers data leak.