The latest dump of hacking tools allegedly belonged to the NSA is believed to be the most damaging release by the Shadow Brokers till the date.
But after analyzing the disclosed exploits, Microsoft security team says most of the windows vulnerabilities exploited by these hacking tools, including EternalBlue, EternalChampion, EternalSynergy, EternalRomance and others, are already patched in the last month’s Patch Tuesday update.
“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Microsoft Security Team said in a blog post published today.
On Good Friday, the Shadow Brokers released a massive trove of Windows hacking tools allegedly stolen from NSA that works against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and their server-side variants such as Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.
“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” Microsoft says.
The data dump also includes some top-secret presentations and excel sheets, indicating that the leaked exploits may have been used to hack the SWIFT banking system of several banks across the world.
Hacking tool, called Eternalromance, contains an easy-to-use interface and exploits Windows systems over TCP ports 445 and 139.
The most noteworthy exploit in the Friday’s dump is Eternalblue — an SMBv1 (Server Message Block 1.0) exploit that could cause older versions of Windows to execute code remotely.
But if the company already patched this flaw last month, then how could this exploit works against an updated machine? It seems like the researcher tried this exploit against a Windows PC without installing the latest updates.
“The patches were released in last month’s update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable – if you apply MS17-010 it should protect hosts against the attacks,” Matthew clarifies during a conversation with The Hacker News.
No Acknowledgement for SMB RCE Issue by Microsoft
There’s also news floating around the Internet that the “NSA has had, at a minimum, 96 days of warning,” knowing that the Shadow Brokers could drop the files at any time, but the agency did not report the flaws to Microsoft.
The Intercept also reported that Microsoft told it that the company had not been contacted by any “individual or organization,” in relation to the hacking tools and exploits released by the Shadow Brokers.
The vulnerabilities have already been patched by Microsoft, which acknowledges all security researchers for reporting the issues in its products, but, interesting, there are no acknowledgments for MS17-010 which patched most of the critical flaws from the Shadow Brokers dump.
This indicates that someone from the agency or linked with defense contractor might have warned the company of the SMB RCE issue.
So, only those who are still using Windows XP, which Microsoft doesn’t support for very long, are at risk of getting their machines hacked.
And there is no need to panic if you use updated Windows 7, 8 or 10 (or even Windows Vista, whose support ended just last week and the issue was patched last month).
The simple advice for you is to always keep your Windows machines and servers up-to-date in order to prevent yourself from being hacked.