ShadowBrokers leak more hacking tools - MS says most exploits patched

News by Rene Millman

Malwarebytes reports recent zero-days among Shadowbrokers hacking tools and code analysis appears to confirm earlier reported NSA origins.

The Shadow Brokers have dumped more hacking tools onto the internet from code stolen from NSA-backed Equation Group. The exploits target Windows systems form Windows 2000 onwards.

According to a blog post from Malwarebytes, the information dump contains several exploits and Windows binary files that were not seen with the previous collection of information.

“While the ‘Auction' file may have contained obsolete exploits and information, this new release appears to contain much more recent and current data including 0-Day exploits,” said Adam McNeil, senior Malware Intelligence analyst at Malwarebytes.

He added that while his company hasn't had time to fully review the information dump, he cited Twitter user HackerFantastic already reporting a successful 0-day exploit on Windows 2008 Server.

The company uncovered author tags within the tools. It said these tags contain reference to a string: NSA-FTS327.

“This string appears in a number of NSA Organisational documents and appears to be related to the Requirements and Targeting office,” said McNeil. He added that the Snowden Surveillance Archive identifies the Requirements and Targeting office designation as FTS327, and provides a document authored by NSA's Texas TAO, Requirements and Targeting office suggesting that Computer Network exploitation was used to exploit a weakness in Mexican President Felipe Calderon's public email.

“While no mention of that particular string has been in this dump, if the Author string found on the documents is accurate, then that would suggest there may be validity in the claims that these are NSA tools,” said McNeil.

He added that if there are active zero-day exploits, software manufactures will “scramble to release timely patches to help thwart almost certain use of this code by malicious actors in the ‘residential' business of malware infection”.

Microsoft has said that it has patched many flaws in its Windows operation system last month, in a bid to prevent NSA-espionage tools being used by hackers following the leak.

In a blog post, The Microsoft Security Response Center said that it had “triaged” a large release of exploits made publicly available by Shadow Brokers. The hacking group had published several tools used by the US National Security Agency (NSA) to infiltrate and monitor financial transfers via SWIFT.

Phillip Misner, principal security group manager at Microsoft Security Response Center, said that customers had expressed concerns around the risk disclosure of the tools potentially created.

"Our engineers have investigated the disclosed exploits, and most of the exploits are already patched."

Usually with security patches, firms acknowledge who discovered the flaws. On this occasion, such acknowledgements were conspicuously absent. This has led to speculation about how Microsoft could have patched four zero-day vulnerabilities.

Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told SC Media UK that in the clear majority of cases, cyber-criminals or intelligence services can easily break in without any zero-days. “Therefore, I'd rather suggest concentrating efforts on efficient and effective risk management and cyber-security strategy, than on discussing new dumps,” he said.

Lee Munson, Security Researcher at Comparitech, told SC Media UK that the good thing about the new Shadow Brokers release is the fact than none of the exploits work against modern, fully patched versions of Windows.

“The bad news for many businesses, however, is the fact that they may be using legacy versions of Windows for specific tasks, or may not be fully up to date with their patch management,” he said.

“Given the fact that there may be more to come from Shadow Brokers, and the existing market for zero-days, all businesses should take this release as a cue to remain vigilant with the above in the future too.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews