
Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

Microsoft claims it has patched most of the exploited bugs

By Iain Thomson, 14 Apr 2017

Updated: The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.

The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.

The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.

The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.

"The shadow brokers not wanting going there. Is being too bad nobody deciding to be paying the shadow brokers for just to shutup and going away," the group said in a typically garbled blog post.

"The Shadow Brokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all suviving WWIII the shadow brokers be seeing you next week. Who knows what we having next time?"

For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most concerning. It contains exploits for vulnerabilities that can be used to hack into unpatched Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.

If you have an aging machine with those services exposed and the patches missing, it can be hijacked using today's dumped tools – if not by strangers on the 'net then by malicious employees or malware already inside your network. If you're running current, fully patched gear, such as an up-to-date Windows 10, none of this will directly affect you – but not everyone is so lucky. There are plenty of organizations out there that cannot keep every box up to date, for various reasons.

The leaked archive also contains the NSA's equivalent of the Metasploit hacking toolkit: FUZZBUNCH.

Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.

"This is a nation-state toolkit available for anyone who wants to download it – anyone with a little bit of technical knowledge can download this and hack servers in two minutes," Hickey said. "It's as bad as you can imagine."

He pointed out that the timing of the release – just before Easter – is also significant. With much of the Western world taking it easy on Zombie Jesus weekend, some organizations may be caught short by the dumped cache of cyber-arms.

It looks as though the NSA is keeping up with its habit of amusing nomenclature. The files include an exploit dubbed ENGLISHMANSDENTIST, which appears to trigger executable code on victims' desktops via Outlook clients. Other examples include but are not limited to:

  • ESKIMOROLL, a Kerberos exploit targeting Windows 2000, Server 2003, Server 2008 and Server 2008 R2 domain controllers.
  • EMPHASISMINE, a remote IMAP exploit for later versions of Lotus Domino.
  • ETERNALROMANCE, a remote SMB1 network file server exploit targeting Windows XP, Server 2003, Vista, Windows 7, Windows 8, Server 2008, and Server 2008 R2. This is yet another reason to stop using SMB1 – it's old and vulnerable.
  • ETERNALBLUE, another SMB1 and SMB2 exploit. In a demonstration video, ETERNALBLUE compromises a Windows 2008 R2 SP1 x64 host via FUZZBUNCH and installs a remote command execution implant called DOUBLEPULSAR.
  • ETERNALCHAMPION, another SMB2 exploit.
  • ERRATICGOPHER, an SMB exploit targeting Windows XP and Server 2003.
  • ETERNALSYNERGY, a remote code execution exploit against SMB3 that potentially works against operating systems as recent as Windows Server 2012.
  • EMERALDTHREAD, an SMB exploit that drops a Stuxnet-style implant on systems.
  • ESTEEMAUDIT, a remote RDP exploit targeting Windows Server 2003 and Windows XP to install hidden spyware.
  • EXPLODINGCAN, a Microsoft IIS 6 exploit that targets WebDAV on Server 2003 only.
  • EASYPI, one of a few files in the dump detected by antivirus packages as containing code from the NSA's nuclear centrifuge-bothering malware Stuxnet, suggesting the spy agency reuses code from mission to mission.
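Several of the tools above, ETERNALROMANCE, ETERNALBLUE and ERRATICGOPHER among them, need a target that still speaks the legacy SMB1 dialect over TCP/445, which is why the advice is to switch SMB1 off. The probe below is an added example written for this article, not code from the leak or from Microsoft: it sends a plain SMB1 NEGOTIATE offering only the "NT LM 0.12" dialect and reports whether the server accepts it. Offering no SMB 2.x dialect is deliberate, because a Windows server that has SMB2 available prefers it whenever the client lists it, which would hide an SMB1 service that is still switched on. The packet layout follows the documented SMB1 header (MS-CIFS); the function names and the constructed test packets are my own.

```python
"""SMB1 exposure probe: does a host on TCP/445 still accept the legacy
'NT LM 0.12' dialect? Added example, not from the article or the leaked kit."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_negotiate(dialects=("NT LM 0.12",)):
    """Build a NetBIOS-session-framed SMB1 NEGOTIATE request offering `dialects`.
    Listing only SMB1 dialects forces an SMB1 answer (or a refusal)."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,         # protocol id
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status
        0x18,               # flags: canonical paths, case-insensitive
        0x2801,             # flags2: unicode, NT status codes, long names
        0,                  # PID high
        b"\x00" * 8,        # security signature
        0,                  # reserved
        0,                  # TID
        0xFEFF,             # PID low
        0,                  # UID
        0,                  # MID
    )
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + struct.pack("<BH", 0, len(data)) + data  # WordCount=0, ByteCount
    # NetBIOS session header: type 0x00 + 3-byte big-endian length
    return struct.pack(">I", len(body)) + body


def parse_negotiate_response(packet, dialects=("NT LM 0.12",)):
    """Classify a raw reply (NetBIOS header included).
    'protocol' is 'SMB1', 'SMB2' or None; 'smb1_enabled' is the verdict."""
    result = {"protocol": None, "status": None, "dialect": None, "smb1_enabled": False}
    smb = packet[4:]
    if smb[:4] == SMB2_MAGIC:
        result["protocol"] = "SMB2"          # server answered in SMB2 anyway
        return result
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        return result                        # not SMB, or truncated
    result["protocol"] = "SMB1"
    result["status"] = struct.unpack_from("<I", smb, 5)[0]   # NT status, header offset 5
    word_count = smb[32]
    # First parameter word of the response is DialectIndex; 0xFFFF = none accepted
    dialect_index = struct.unpack_from("<H", smb, 33)[0] if word_count else 0xFFFF
    if dialect_index < len(dialects):
        result["dialect"] = dialects[dialect_index]
    result["smb1_enabled"] = result["status"] == 0 and result["dialect"] is not None
    return result


def probe(host, port=445, timeout=3.0, dialects=("NT LM 0.12",)):
    """Connect, send the NEGOTIATE and classify the reply. A host with SMB1
    disabled usually just drops the connection; that is reported, not raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate(dialects))
            reply = sock.recv(4096)
    except OSError as exc:
        return {"protocol": None, "status": None, "dialect": None,
                "smb1_enabled": False, "error": str(exc)}
    return parse_negotiate_response(reply, dialects)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        verdict = probe(target)
        print(f"{target}: SMB1 {'ENABLED' if verdict['smb1_enabled'] else 'not offered'} {verdict}")
```

Run it as `python smb1_probe.py host1 host2 ...` against your own machines. An `smb1_enabled: True` result means the box would at least negotiate the dialect these exploits need; it says nothing about whether the March patches are installed, so treat it as a list of hosts to check and fix first, not as a vulnerability verdict.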

Microsoft had no comment on the leaks at time of publication, but its engineers should be scrambling to fix the flaws exploited by the tools, where they can. Most of the exploited software is no longer officially supported. Given Redmond's increasingly secretive approach to patching, we hope they'll be more open about upcoming updates to address the NSA-exploited security holes.

SWIFT on insecurity

The second directory is labelled SWIFT but doesn't include tools to hack the interbank payments system directly. Rather it enables the surveillance of payments that go through service bureaus used by SWIFT's banking customers.

"SWIFT is aware of allegations surrounding the unauthorized access to data at two service bureaus," a spokesperson for the group told The Reg.

"There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties. We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."

The data appears to originate in September 2013 and details how operatives could penetrate the firewalls and monitor the transactions of the largest SWIFT Service Bureau of the Middle East, called EastNets.

The EastNets hack was dubbed JEEPFLEA_MARKET and includes PowerPoints of the company's network architecture, passwords for the system, and thousands of compromised employee accounts from different office branches.

The attackers installed bypasses in the company's firewalls and then worked through two management servers to set up monitoring stations on nine of their transaction servers, and presumably fed that data back to analysts.

"While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way," said Hazem Mulhim, CEO of EastNets in a statement.

"EastNets continues to guarantee the complete safety and security of its customers' data with the highest levels of protection from its SWIFT certified Service bureau."

A second weapon, called JEEPFLEA_POWDER, targeted an EastNets partner in Venezuela and Panama called BCG Business Computer Group. Administrator accounts were targeted using attack code dubbed SECONDATE and IRONVIPER. No data was collected at the time, according to the slides in the dump.

It's not surprising that the NSA would be targeting banks in the Middle East – given the terrorist threat and the 14-year war the US has been fighting in the regions – and its focus on Venezuela and Panama could be related to drug money or the US' somewhat rocky relationship with both countries. Spies do spying, right?

Where's James Bond when you need him?

The Equation Group's ODDJOB folder appears to contain spyware that runs on Windows machines up to Server 2008, and, like other NSA software nasties, it is rather modular: you can plug features into it by adding more modules.

The directory contains instructions on how to set up ODDJOB with Microsoft's IIS 7 and, once installed, the malware can be updated remotely to gain new attacks and monitoring tools. It can use HTTP and HTTPS to receive and install its new code.

"ODDJOB will expect an encrypted payload. To encrypt the payload, open the Builder and navigate down to the 'Payload Encryption' section," the instructions read. "Select an Unencrypted Payload, ie, what you want to run on target. Then select an encrypted payload, which is really a dummy file for now. Then select exe or dll, depending on whether the Unencrypted Payload is an exe or dll."

Based on an Excel spreadsheet shared with the malware, ODDJOB is effective on Windows 2000, XP, Server 2003, Vista, Server 2008 and Windows 7, although in each case only the Enterprise versions of the operating systems, rather than consumer builds.

"This is a worst-case estimate for which Windows releases will work with ODDJOB," the spreadsheet states. "An updated version of bits is available as a download for many of these releases, such as XP SP1. Also, ODDJOB v3 will fallback gracefully from HTTPS to HTTP. So, when in doubt, throw HTTPS at the target."

How's that vulnerability hoarding looking now?

This latest release is going to be uncomfortable reading for the NSA. Not only have some of its classic exploits – thought to be worth maybe a couple of million on the gray market – been burned in a single day, the agency has also known for months that its Equation Group goodies are in the hands of crooks who are going to leak the files.

Could the NSA have considered the programs lost for good, and alerted Microsoft, Cisco and others, to fix the vulnerabilities before the tools were dumped all over the web? Microsoft says no one has given it any form of heads up on the materials leaked by the Shadow Brokers thus far.

Now all these cyber-arms are in the hands of anyone who wants them. Governments with an interest in hacking America – ie, all of them – can now use these. Even worse, every script kiddie on the planet is going to be downloading these tools and using them this weekend to hunt online for older, vulnerable gear. ®

Updated to add

Microsoft reckons it has already patched the exploited bugs except for ENGLISHMANSDENTIST, ESTEEMAUDIT and EXPLODINGCAN, which don't work on supported versions of Windows, eg Windows 7, 8 and 10, and so won't be patched anyway. If you've been keeping up with your Patch Tuesday updates, you should be protected, according to Microsoft.

What's rather curious is that a Redmond spokesperson claimed earlier on Friday: "Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers."

In other words, apparently no one privately tipped off Microsoft about the exploited security bugs so that they could be fixed – not the brokers and not the NSA. And yet it now turns out Microsoft quietly patched a bunch of the SMB vulnerabilities exploited by the US spy agency in March this year. And then the Shadow Brokers went public with the SMB exploits exactly a month later. What fortuitous timing for Redmond!

Today, the software giant's principal security group manager Phillip Misner said: "Microsoft triaged a large release of exploits made publicly available by Shadow Brokers ... Customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched."

How odd, but also: what a relief. If you want to check which exploits affect which operating systems, a handy table mapping the leaked tools to Windows versions and patches has been published online.

The Register - Independent news and views for the tech sector. Part of Situation Publishing