Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8
Now anyone can hijack millions of vulnerable machines at will. No big deal!
Analysis The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time easy-to-use exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.
The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry to compromise and commandeer possibly millions of systems around the world.
This is the same powerful toolkit Uncle Sam uses to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.
The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.
"The shadow brokers not wanting going there. Is being too bad nobody deciding to be paying the shadow brokers for just to shutup and going away," the group said in a typically garbled blog post.
"The Shadow Brokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all suviving WWIII the shadow brokers be seeing you next week. Who knows what we having next time?"
For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most worrying. It contains exploits for vulnerabilities – including at least four zero-day flaws for which no security patches yet exist – that can be used to hack into at-risk Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.
If you have a vulnerable machine with those services running, it is possible they can be hijacked using today's dumped tools – if not by strangers on the 'net then potentially by malicious employees or malware already on your network. If you're running the latest up-to-date gear, such as Windows 10, none of this will directly affect you. We have a sneaking suspicion that Uncle Sam's foreign espionage targets aren't exactly the types to keep all their systems bang up to date.
The leaked archive also contains the NSA's equivalent of the Metasploit hacking toolkit: FUZZBUNCH.
Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.
"This is a nation-state toolkit available for anyone who wants to download it – anyone with a little bit of technical knowledge can download this and hack servers in two minutes," Hickey said. "It's as bad as you can imagine."
He pointed out that the timing of the release – just before Easter – is also significant. With much of the Western world taking it easy on Zombie Jesus weekend, many companies will be caught short by the dumped cache of cyber-arms.
It looks as though the NSA is keeping up with its habit of amusing nomenclature. The files include an exploit dubbed ENGLISHMANSDENTIST, which appears to trigger executable code on users' desktops via Outlook clients.
Other examples include but are not limited to:
ESKIMOROLL, a Kerberos exploit targeting Windows 2000, Server 2003, Server 2008 and Server 2008 R2 domain controllers.
EMPHASISMINE, a remote IMAP exploit for later versions of Lotus Domino.
ETERNALROMANCE, a remote SMB1 network file server exploit targeting Windows XP, Server 2003, Vista, Windows 7, Windows 8, Server 2008, and Server 2008 R2. This is yet another reason to stop using SMB1 – it's old and vulnerable.
ETERNALBLUE, another SMB1 and SMB2 exploit. Below is a video showing ETERNALBLUE compromising a Windows 2008 R2 SP1 x64 host via FUZZBUNCH to install a remote command execution tool called DOUBLEPULSAR.
ETERNALCHAMPION, another SMB2 exploit.
ERRATICGOPHER, an SMB exploit targeting Windows XP and Server 2003.
ETERNALSYNERGY, a remote code execution exploit against SMB3 that potentially works against operating systems as recent Windows Server 2012.
EMERALDTHREAD, an SMB exploit that drops a Stuxnet-style implant on systems.
ESTEEMAUDIT, a remote RDP exploit targeting Windows Server 2003 and Windows XP to install hidden spyware.
EXPLODINGCAN, a Microsoft IIS 6 exploit that exploits WebDav on Server 2003 only.
Microsoft had no comment on the leaks at time of publication, but its engineers should be scrambling to fix the flaws exploited by the tools, where they can. Most of the exploited software is no longer officially supported. Given Redmond's increasingly secretive approach to patching, we hope they'll be more open about upcoming updates to address the NSA-exploited security holes.
SWIFT on insecurity
The second directory is labelled SWIFT but doesn't include tools to hack the interbank payments system directly. Rather it enables the surveillance of payments that go through service bureaus used by SWIFT's banking customers.
"SWIFT is aware of allegations surrounding the unauthorized access to data at two service bureaus," a spokesperson for the group told The Reg.
"There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties. We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."
The data appears to originate in September 2013 and details how operatives could penetrate the firewalls and monitor the transactions of the largest SWIFT Service Bureau of the Middle East, called EastNets.
The EastNets hack was dubbed JEEPFLEA_MARKET and includes PowerPoints of the company's network architecture, passwords for the system, and thousands of compromised employee accounts from different office branches.
The attackers installed bypasses in the company's firewalls and then worked through two management servers to set up monitoring stations on nine of their transaction servers, and presumably fed that data back to analysts.
"While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way," said Hazem Mulhim, CEO of EastNets in a statement.
"EastNets continues to guarantee the complete safety and security of its customers' data with the highest levels of protection from its SWIFT certified Service bureau."
A second weapon, called JEEPFLEA_POWDER, targeted an EastNets partner in Venezuela and Panama called BCG Business Computer Group. Administrator accounts were targeted using attack code dubbed SECONDATE and IRONVIPER. No data was collected at the time, according to the slides in the dump.
It's not surprising that the NSA would be targeting banks in the Middle East – given the terrorist threat and the 14-year war the US has been fighting in the regions – and its focus on Venezuela and Panama could be related to drug money or the US' somewhat rocky relationship with both countries.
More bad news for Windows
The Equation Group's ODDJOB folder appears to contain spyware that runs on Windows machines up to Server 2008, and, like other NSA software nasties, it is rather modular: you can plug features into it by adding more modules.
The directory contains instructions on how to set up ODDJOB with Microsoft's IIS 7 and, once installed, the malware can be updated remotely to gain new attacks and monitoring tools. It can use HTTP and HTTPS to receive and install its new code.
"ODDJOB will expect an encrypted payload.
To encrypt the payload, open the Builder and navigate down to the 'Payload Encryption' section," the instructions read. "Select an Unencrypted Payload, ie, what you want to run on target. Then select an encrypted payload, which is really a dummy file for now. Then select exe or dll, depending on whether the Unencrypted Payload is an exe or dll."
Based on an Excel spreadsheet shared with the malware, ODDJOB is effective on Windows 2000, XP, Server 2003, Vista, Server 2008 and Windows 7, although in each case only the Enterprise versions of the operating systems, rather than consumer builds.
"This is a worst-case estimate for which Windows releases will work with ODDJOB," the spreadsheet states. "An updated version of bits is available as a download for many of these releases, such as XP SP1. Also, ODDJOB v3 will fallback gracefully from HTTPS to HTTP. So, when in doubt, throw HTTPS at the target."
How's that vulnerability hoarding looking now?
This latest release is going to be uncomfortable reading for the NSA. Not only has some of its tip-top exploits – thought to be worth a couple of million on the gray market – been burned in a single day, but the agency has known for months now that its Equation Group goodies are in the hands of crooks that are going to leak the files.
Could the NSA have considered them already burned and alerted Microsoft, Cisco and others, to fix the vulnerabilities before the tools are dumped on the web? Microsoft says no one has given it any form of heads up on the materials leaked by the Shadow Brokers thus far.
Now all these cyber-arms are in the hands of anyone who wants them. States with an interest in hacking the US – ie, all of them – can now use these. Even worse, every script kiddy on the planet is going to be downloading these tools and using them this weekend for hacking around online for older, vulnerable gear.