Leaked versions of NSA malware are making Windows OS users vulnerable worldwide
The Shadow Brokers, an entity previously confirmed by The Intercept to have leaked authentic malware used by the NSA to attack computers around the world, today released another cache of what appears to be extremely potent (and previously unknown) software capable of breaking into systems running Windows. The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users.
The leak includes a litany of typically codenamed software “implants” with names like ODDJOB, ZIPPYBEER, and ESTEEMAUDIT, capable of breaking into — and in some cases seizing control of — computers running versions of Windows earlier than Windows 10. The vulnerable Windows versions ran more than 65 percent of desktop computers surfing the web last month, according to estimates from the tracking firm Net Market Share.
One implant collection appears to be a program named FUZZBUNCH, which essentially automates the deployment of NSA malware and would allow a member of the agency’s Tailored Access Operations group to more easily infect a target from their desk.
Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.
“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyber-weapon for hacking into computers.”
Hickey provided The Intercept with a video of FUZZBUNCH being used to compromise a virtual computer running Windows Server 2008; an industry survey from 2016 cited this operating system as the most widely used of its kind.
Susan Hennessey, an editor at Lawfare and former NSA attorney, wrote on Twitter that the leak will cause “immense harm to both U.S. intel interests and public security simultaneously.”
The full list of tools documented by Hickey is:
Eternalromance — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
Eternalchampion, Eternalsystem — Remote exploit up to Windows 8 and 2012
Eternalblue — Remote exploit via SMB & NBT (Windows XP to Windows 2012)
Explodingcan — Remote IIS 6.0 exploit for Windows 2003
Eworkfrenzy — Lotus Domino 6.5.4 and 7.0.2 exploit
Eternalsynergy — Windows 8 and Windows Server 2012
Fuzzbunch — Exploit framework (similar to Metasploit) for the exploits
With the exception of Esteemaudit, the exploits should be blocked by most firewalls. And best practices call for remote desktop connections to require use of a virtual private network, a practice that should make the Esteemaudit exploit ineffective.
Microsoft also recommends that organizations disable SMBv1, unless they absolutely need to hang on to it for compatibility reasons, which may block Eternalblue.
That means organizations that are following best practices are likely safe from external attacks using these exploits. There’s no indication any of the exploits work on Windows 10 and Windows Server 2016, although it’s possible the exploits could be modified to work on these operating systems.
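The three defensive measures above (block SMB at the firewall, reach Remote Desktop only over a VPN, and disable SMBv1) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this page; it is not code from The Intercept, Hickey, or Microsoft. It assumes Windows 8 / Server 2012 or later for the SmbShare cmdlets and falls back to the LanmanServer registry value on older systems; the VPN subnet 10.8.0.0/24 is a placeholder to be replaced with your own.

```powershell
# Added example: audit and harden a Windows host against the SMB/RDP exposure
# discussed above. Run in an elevated PowerShell session.
# Assumption: 10.8.0.0/24 stands in for the organisation's VPN client subnet.
$VpnSubnet = '10.8.0.0/24'
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Returns $true if the SMBv1 server protocol is still enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: a missing SMB1 value means the default (enabled).
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Server side via the registry, client side via service dependencies
        # (the procedure Microsoft documents for older systems).
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

function Get-InboundAllowRules {
    param([int]$Port)
    # Windows Firewall denies inbound traffic by default, so exposure comes from
    # enabled Allow rules: list the ones that open this TCP port.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$Port" -or $pf.LocalPort -eq 'Any')
        }
}

# 1. SMBv1: report and disable (blocks the Eternalblue-style SMBv1 path).
if (Get-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it (a reboot completes the change).'
    Disable-Smb1
} else {
    Write-Output 'SMBv1 is already disabled.'
}

# 2. SMB on TCP 445: any enabled Allow rule here exposes the service.
$smbRules = Get-InboundAllowRules -Port 445
if ($smbRules) {
    Write-Warning "Inbound TCP 445 is allowed by: $($smbRules.DisplayName -join ', ')"
    # Scope file sharing to the local subnet instead of disabling it outright.
    $smbRules | Set-NetFirewallRule -RemoteAddress LocalSubnet
} else {
    Write-Output 'No enabled inbound Allow rule for TCP 445.'
}

# 3. Remote Desktop on TCP 3389: restrict to the VPN subnet so RDP is only
#    reachable after a VPN login, as the best practice above describes.
$rdpRules = Get-InboundAllowRules -Port 3389
if ($rdpRules) {
    $rdpRules | Set-NetFirewallRule -RemoteAddress $VpnSubnet
    Write-Output "RDP Allow rules now limited to $VpnSubnet."
} else {
    Write-Output 'No enabled inbound Allow rule for TCP 3389.'
}
```

Re-running the script after a reboot should report SMBv1 disabled and show the 445 and 3389 rules scoped to the local subnet and the VPN range respectively; hosts that genuinely need SMBv1 for legacy clients should be recorded as exceptions rather than left at the default.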
Still, the public distribution of some of the NSA’s most prized hacking tools is sure to cause problems. In a post published by the Lawfare website, Nicholas Weaver, a security researcher at the University of California at Berkeley and the International Computer Science Institute, wrote:
Normally, dumping these kinds of documents on a Friday would reduce their impact by limiting the news cycle.
But Friday was the perfect day to dump tools if your goal was to cause maximum chaos; all the script kiddies are active over the weekend, while far too many defenders are offline and enjoying the Easter holiday.