This article is more than 1 year old
Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8
Microsoft claims it has patched most of the exploited bugs
Updated The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.
The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.
The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.
The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.
"The shadow brokers not wanting going there. Is being too bad nobody deciding to be paying the shadow brokers for just to shutup and going away," the group said in a typically garbled blog post.
"The Shadow Brokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all suviving WWIII the shadow brokers be seeing you next week. Who knows what we having next time?"
For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most concerning. It contains exploits for vulnerabilities that can be used to hack into unpatched Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.
If you have a vulnerable aging machine with those services running, it is possible they can be hijacked using today's dumped tools – if not by strangers on the 'net then potentially by malicious employees or malware already on your network. If you're running the latest up-to-date gear, such as Windows 10, none of this will directly affect you – but not everyone is so lucky. There are plenty of organizations out there that cannot keep every box up to date, for various reasons.
The leaked archive also contains the NSA's equivalent of the Metasploit hacking toolkit: FUZZBUNCH.
Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.
"This is a nation-state toolkit available for anyone who wants to download it – anyone with a little bit of technical knowledge can download this and hack servers in two minutes," Hickey said. "It's as bad as you can imagine."
He pointed out that the timing of the release – just before Easter – is also significant. With much of the Western world taking it easy on Zombie Jesus weekend, some organizations may be caught short by the dumped cache of cyber-arms.
It looks as though the NSA is keeping up with its habit of amusing nomenclature. The files include an exploit dubbed ENGLISHMANSDENTIST, which appears to trigger executable code on victims' desktops via Outlook clients. Other examples include but are not limited to:
- ESKIMOROLL, a Kerberos exploit targeting Windows 2000, Server 2003, Server 2008 and Server 2008 R2 domain controllers.
- EMPHASISMINE, a remote IMAP exploit for later versions of Lotus Domino.
- ETERNALROMANCE, a remote SMB1 network file server exploit targeting Windows XP, Server 2003, Vista, Windows 7, Windows 8, Server 2008, and Server 2008 R2. This is yet another reason to stop using SMB1 – it's old and vulnerable.
- ETERNALBLUE, another SMB1 and SMB2 exploit. Below is a video showing ETERNALBLUE compromising a Windows 2008 R2 SP1 x64 host via FUZZBUNCH to install a remote command execution tool called DOUBLEPULSAR.
Here is a video showing ETERNALBLUE being used to compromise a Windows 2008 R2 SP1 x64 host in under 120 seconds with FUZZBUNCH #0day ;-) pic.twitter.com/I9aUF530fU— Hacker Fantastic (@hackerfantastic) April 14, 2017
- ETERNALCHAMPION, another SMB2 exploit.
- ERRATICGOPHER, an SMB exploit targeting Windows XP and Server 2003.
- ETERNALSYNERGY, a remote code execution exploit against SMB3 that potentially works against operating systems as recent Windows Server 2012.
- EMERALDTHREAD, an SMB exploit that drops a Stuxnet-style implant on systems.
- ESTEEMAUDIT, a remote RDP exploit targeting Windows Server 2003 and Windows XP to install hidden spyware.
- EXPLODINGCAN, a Microsoft IIS 6 exploit that targets WebDav on Server 2003 only.
- EASYPI, one of a few files in the dump detected by antivirus packages as containing code from the NSA's nuclear centrifuge-bothering malware Stuxnet, suggesting the spy agency reuses code from mission to mission.
Microsoft had no comment on the leaks at time of publication, but its engineers should be scrambling to fix the flaws exploited by the tools, where they can. Most of the exploited software is no longer officially supported. Given Redmond's increasingly secretive approach to patching, we hope they'll be more open about upcoming updates to address the NSA-exploited security holes.
SWIFT on insecurity
The second directory is labelled SWIFT but doesn't include tools to hack the interbank payments system directly. Rather it enables the surveillance of payments that go through service bureaus used by SWIFT's banking customers.
"SWIFT is aware of allegations surrounding the unauthorized access to data at two service bureaus," a spokesperson for the group told The Reg.
"There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties. We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."
The data appears to originate in September 2013 and details how operatives could penetrate the firewalls and monitor the transactions of the largest SWIFT Service Bureau of the Middle East, called EastNets.
The EastNets hack was dubbed JEEPFLEA_MARKET and includes PowerPoints of the company's network architecture, passwords for the system, and thousands of compromised employee accounts from different office branches.
The attackers installed bypasses in the company's firewalls and then worked through two management servers to set up monitoring stations on nine of their transaction servers, and presumably fed that data back to analysts.
"While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way," said Hazem Mulhim, CEO of EastNets in a statement.
"EastNets continues to guarantee the complete safety and security of its customers' data with the highest levels of protection from its SWIFT certified Service bureau."
A second weapon, called JEEPFLEA_POWDER, targeted an EastNets partner in Venezuela and Panama called BCG Business Computer Group. Administrator accounts were targeted using attack code dubbed SECONDATE and IRONVIPER. No data was collected at the time, according to the slides in the dump.
It's not surprising that the NSA would be targeting banks in the Middle East – given the terrorist threat and the 14-year war the US has been fighting in the regions – and its focus on Venezuela and Panama could be related to drug money or the US' somewhat rocky relationship with both countries. Spies do spying, right?