The NSA's Windows-hacking arsenal leaked, affects Windows 2000 through 8, servers included [Update]

Last year, hacking group Shadow Brokers leaked a series of tools used by "an elite team" inside of the US"s National Security Agency. Since, by their own admission, the hacker group has not been paid by anyone to "shutup [sic] and going [sic] away", they have released another cache of tools, this time targeted at Windows systems.

According to ZDNet and Hacker Fantastic on Twitter, the tools and exploits affect Windows 2000, Windows XP, Windows 7, Windows 8, as well as their server-side variants like Server 2000, 2003, 2008, 2008 R2 and 2012.

ETERNALBLUE,
ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYSTEM - INTERNET GOD MODE, remote exploits for every Microsoft Windows incl 8 & 2012.

— Hacker Fantastic (@hackerfantastic) April 14, 2017

These exploits have been allegedly used by the NSA to target several banks and the SWIFT banking system. What"s more, according to security researcher Kevin Beaumont, the hacking tools belonging to the Agency"s so-called Equation Group even give it the ability to infiltrate deep inside networks by exploiting VPN and firewall systems:

One running theme with the banking operation - they"re compromising prime vendor VPN and firewall devices, also they"re FAR into networks. pic.twitter.com/MNUlCpLjVW

— Kevin Beaumont (@GossiTheDog) April 14, 2017

Among the leaked arsenal there is ExplodingCan, which creates a remote backdoor by exploiting the Windows web server Internet Information Services on older versions of the OS. Then, there is EternalSynergy, a remote SMB exploit for Windows 8 and Server 2012. From the same "family", there is also EternalRomance, a remote SMB1 exploit targeting Windows XP, Vista, 7, 8 and their server counterparts, Server 2003 plus 2008 and 2008 R2.

Even more so, info has been revealed about EsteemAudit, a Remote Desktop Protocol exploit targeted at Windows Server 2003. This one exploits SmartCard authentication at login, and works on a patched version of the server OS.

A Microsoft spokesman declared for ZDNet that "We are reviewing the report and will take the necessary actions to protect our customers".

Many of the exploits described by these researchers appear to be zero-day, but have not been confirmed as of yet.

Source: ZDNet, Kevin Beaumont (Twitter)

Update: Microsoft has put up a blog post, stating that the majority of the vulnerabilities exposed by this leak have been patched. They are, as follows:

Codename Patch / Solution
EternalBlue MS17-010
EmeraldThread MS10-061
EternalChampion CVE-2017-0146 and CVE-2017-0147
ErraticGopher Addressed prior to the release of Vista
EskimoRoll MS14-068
EternalRomance MS17-010
EducatedScholar MS09-050
EternalSynergy MS17-010
EclipsedWing MS08-067

The firm goes on to state that the three remaining vulnerabilities, EnglishmanDentist, EsteemAudit, and ExplodingCan are not able to be reproduced on any of the operating systems it still supports. This means that "customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk". Naturally, the software giant encourages people to upgrade to the latest versions to keep safe.

What is interesting is that although most of these patches do show up in the acknowledgements section on TechNet, MS17-010 does not, as noticed by the grugq on Twitter. The researcher goes on to state that it may be due to the NSA themselves reporting the exploit to Microsoft.

Report a problem with article
Next Article

BioShock: The Collection for the Xbox One is now 52% off

Previous Article

Microsoft's cancelled Lumia 750 aka "Guilin" gets revealed in new video