All versions' of Windows vulnerable to tweaked Shadow Broker NSA exploits

News by Jay Jay

NSA exploits stolen by hacker Shadow Brokers can be tweaked to exploit vulnerabilities in all versions of Windows, including Windows 10 - so deploy the MS17-010 security update from Microsoft as soon as possible.

A security researcher has revealed how sophisticated NSA exploits, which were stolen and published online by hacker group Shadow Brokers, can be tweaked to exploit vulnerabilities in all versions of Windows, including Windows 10.

Back in 2016, the hacker group named Shadow Brokers stole weaponised cyber-tools from the US National Security Agency and published them online, thereby enabling other cyber- criminals to use the tools to attack targeted organisations and to gain access to systems.

While stolen NSA exploits have so far been used for various purposes including launching WannaCry and NotPetya ransomware attacks, stealing classified data from enterprise computers and for injecting spyware into targeted systems, it was believed that the tools could only be used to exploit older versions of Windows that were unpatched for years.

However, security researcher Sean Dillon has demonstrated how stolen NSA tools can be tweaked to exploit known vulnerabilities in all versions of Windows, including Windows 10. Dillon ported three NSA exploits named EternalChampion, EternalRomance, and EternalSynergy and then used them to exploit a couple of vulnerabilities dubbed CVE-2017-0143 and CVE-2017-0146.

In a post on GitHub, Dillon explained that the new exploit chain brings a few improvements over the original Eternal exploits. "Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session. The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it," he said.

He also said that the said exploit would work on all unpatched versions of Windows, including older versions such as Windows 2000 and Windows XP as well as the latest versions including Windows 10 Enterprise and Windows Server 2016 Data Centre.

Commenting on how Dillon managed to tweak existing NSA exploits to target the latest Windows versions, Mark James, security specialist at ESET, said that even if original attack methods do not work, a small tweak in the code can turn harmless codes into formidable weapons for reuse.

He added that to protect themselves, enterprises and individuals should always keep their systems up-to-date as not doing so could mean the difference between getting compromised or not.

"Most exploits rely on an unpatched system and once it is patched that entry is gone. Keeping your system up-to-date these days is not that difficult; programs both free and paid for will help you make it easier and, in most cases, will remind or inform you about updates and when is best to apply them," he added.

"The updated EternalSynergy/Romance/Champion exploit modules developed for the Metasploit framework offer far greater efficacy compared to previous MS17-010 exploits, including those written by the NSA. Windows users are strongly urged to deploy the MS17-010 security update from Microsoft as soon as possible to prevent this attack," said Tom Bonner, senior manager threat research (EMEA) at Cylance.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews