This article is more than 1 year old
Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps 'em
Yep, vulns of WannaCry infamy. Why haven't you patched yet?
Hackers* have improved the reliability and potency of Server Message Block (SMB) exploits used to carry out the hard-hitting NotPetya ransomware attack last year.
EternalBlue, EternalSynergy, EternalRomance and EternalChampion formed part of the arsenal of NSA-developed hacking tools that were leaked by the Shadow Brokers group before they were used (in part) to mount the devastating NotPetya cyber attack.
The exploits – linked to the CVE-2017-0143 and CVE-2017-0146 Microsoft vulnerabilities – have been "rewritten and stabilised" to affect operating systems from Windows 2000 up to and including Server 2016 edition, Heimdal Security warns. These beefed-up exploits can be used to push arbitrary code on vulnerable systems targeted with specially crafted messages to the Microsoft SMB servers.
"Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB connection session structures to gain admin rights over the system," Heimdal said.
"After that, the exploit module will drop to disk (or use a PowerShell command), explains zerosum0x0, and then copy directly to the hard drive."
Worse yet, the revamped exploits could have worm-like self-replicating abilities, meaning any infection could spread far more quickly.
The development makes the patching of older server-based systems an even higher priority. Those still relying on Windows 2000 Server need to either disable or firewall inbound SMB traffic since there's no patch.
Heimdal's call to patch is backed by an earlier warning by security researcher Kevin Beaumont, who warned that the revamped exploits can be used to push ransomware, trojans or other nasties onto vulnerable Windows systems instead of simply crashing them and causing the infamous Blue Screen of Death.
Patches that address the vulnerabilities are already available in the shape of updates from MS17-010 onwards. ®
*Including those who are not named John, Johnnie, Janelle or Jonah