Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

Microsoft claims it has patched most of the exploited bugs


Updated The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.

The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.

The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.

The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.

"The shadow brokers not wanting going there. Is being too bad nobody deciding to be paying the shadow brokers for just to shutup and going away," the group said in a typically garbled blog post.

"The Shadow Brokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all suviving WWIII the shadow brokers be seeing you next week. Who knows what we having next time?"

For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most concerning. It contains exploits for vulnerabilities that can be used to hack into unpatched Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.

If you have a vulnerable aging machine with those services running, it is possible they can be hijacked using today's dumped tools – if not by strangers on the 'net then potentially by malicious employees or malware already on your network. If you're running the latest up-to-date gear, such as Windows 10, none of this will directly affect you – but not everyone is so lucky. There are plenty of organizations out there that cannot keep every box up to date, for various reasons.

The leaked archive also contains the NSA's equivalent of the Metasploit hacking toolkit: FUZZBUNCH.

Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.

"This is a nation-state toolkit available for anyone who wants to download it – anyone with a little bit of technical knowledge can download this and hack servers in two minutes," Hickey said. "It's as bad as you can imagine."

He pointed out that the timing of the release – just before Easter – is also significant. With much of the Western world taking it easy on Zombie Jesus weekend, some organizations may be caught short by the dumped cache of cyber-arms.

It looks as though the NSA is keeping up with its habit of amusing nomenclature. The files include an exploit dubbed ENGLISHMANSDENTIST, which appears to trigger executable code on victims' desktops via Outlook clients. Other examples include but are not limited to:

  • ESKIMOROLL, a Kerberos exploit targeting Windows 2000, Server 2003, Server 2008 and Server 2008 R2 domain controllers.
  • EMPHASISMINE, a remote IMAP exploit for later versions of Lotus Domino.
  • ETERNALROMANCE, a remote SMB1 network file server exploit targeting Windows XP, Server 2003, Vista, Windows 7, Windows 8, Server 2008, and Server 2008 R2. This is yet another reason to stop using SMB1 – it's old and vulnerable.
  • ETERNALBLUE, another SMB1 and SMB2 exploit. Below is a video showing ETERNALBLUE compromising a Windows 2008 R2 SP1 x64 host via FUZZBUNCH to install a remote command execution tool called DOUBLEPULSAR.
  • ETERNALCHAMPION, another SMB2 exploit.
  • ERRATICGOPHER, an SMB exploit targeting Windows XP and Server 2003.
  • ETERNALSYNERGY, a remote code execution exploit against SMB3 that potentially works against operating systems as recent Windows Server 2012.
  • EMERALDTHREAD, an SMB exploit that drops a Stuxnet-style implant on systems.
  • ESTEEMAUDIT, a remote RDP exploit targeting Windows Server 2003 and Windows XP to install hidden spyware.
  • EXPLODINGCAN, a Microsoft IIS 6 exploit that targets WebDav on Server 2003 only.
  • EASYPI, one of a few files in the dump detected by antivirus packages as containing code from the NSA's nuclear centrifuge-bothering malware Stuxnet, suggesting the spy agency reuses code from mission to mission.

Microsoft had no comment on the leaks at time of publication, but its engineers should be scrambling to fix the flaws exploited by the tools, where they can. Most of the exploited software is no longer officially supported. Given Redmond's increasingly secretive approach to patching, we hope they'll be more open about upcoming updates to address the NSA-exploited security holes.

SWIFT on insecurity

The second directory is labelled SWIFT but doesn't include tools to hack the interbank payments system directly. Rather it enables the surveillance of payments that go through service bureaus used by SWIFT's banking customers.

"SWIFT is aware of allegations surrounding the unauthorized access to data at two service bureaus," a spokesperson for the group told The Reg.

"There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties. We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."

The data appears to originate in September 2013 and details how operatives could penetrate the firewalls and monitor the transactions of the largest SWIFT Service Bureau of the Middle East, called EastNets.

The EastNets hack was dubbed JEEPFLEA_MARKET and includes PowerPoints of the company's network architecture, passwords for the system, and thousands of compromised employee accounts from different office branches.

The attackers installed bypasses in the company's firewalls and then worked through two management servers to set up monitoring stations on nine of their transaction servers, and presumably fed that data back to analysts.

"While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way," said Hazem Mulhim, CEO of EastNets in a statement.

"EastNets continues to guarantee the complete safety and security of its customers' data with the highest levels of protection from its SWIFT certified Service bureau."

A second weapon, called JEEPFLEA_POWDER, targeted an EastNets partner in Venezuela and Panama called BCG Business Computer Group. Administrator accounts were targeted using attack code dubbed SECONDATE and IRONVIPER. No data was collected at the time, according to the slides in the dump.

It's not surprising that the NSA would be targeting banks in the Middle East – given the terrorist threat and the 14-year war the US has been fighting in the regions – and its focus on Venezuela and Panama could be related to drug money or the US' somewhat rocky relationship with both countries. Spies do spying, right?


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022