Shadow Brokers Release New Batch of Files Containing Windows and SWIFT Exploits

Discussion in 'malware problems & news' started by itman, Apr 14, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...-files-containing-windows-and-swift-exploits/
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "New leak shows how a major hacking group cracked Windows and international banks

    ...Likely originating with the NSA, the tools give new clues as to the group’s targets in recent years, which seem to include both international anti-money-laundering groups and oil companies in the Persian Gulf region. Some of the hacking tools were flagged by antivirus services as early as 2012, but experts believe the dump contains at least some undisclosed vulnerabilities for older versions of Windows. The leak also contains new attacks against the SWIFT banking network, used to transfer money internationally.

    The files are mirrored on Github ..., and researchers are already poring through the findings in a dedicated #shadowbrokers room on the Freenode IRC channel...

    Like previous drops, the data was accompanied by an enigmatic message in purposefully broken English. 'Is being too bad nobody deciding to be paying theshadowbrokers,' one portion reads. 'TheShadowBrokers rather being getting drunk with McAfee on desert island with hot babes,'..."

    :)

    http://www.theverge.com/2017/4/14/15300826/shadow-brokers-nsa-windows-exploits-hacking
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Obviously those folks have been watching too many movies and need to get back to hacking away :argh:
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    http://thehackernews.com/2017/04/swift-banking-hacking-tool.html
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://www.businessinsider.com.au/hackers-release-nsas-secret-hacking-tools-for-windows-2017-4
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    For Emphasis (for anyone who did not read the full article linked by @Minimalist):

    "Edward Snowden (@Snowden, verified account), 2 hours ago

    This is not a drill: #NSA exploits affecting many fully-patched Windows systems have been released to the wild. NSA did not warn Microsoft.


    Edward Snowden added (retweeted),

    Hacker Fantastic @hackerfantastic
    This is really bad, in about an hour or so any attacker can download simple toolkit to hack into Microsoft based computers around the globe.
    125 replies 3,367 retweets 2,268 likes"


    https://twitter.com/hashtag/NSA?src=hash

    https://twitter.com/Snowden

    This isn’t a data dump, this is a damn Microsoft apocalypse. #0day #shadowbrokers
    — Hacker Fantastic (@hackerfantastic) April 14, 2017 *

    *Snowden recommends that readers follow Hacker Fantastic, i.e., HF has credibility:

    https://twitter.com/Snowden
     
    Last edited: Apr 14, 2017
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Leaked NSA Malware Threatens Windows Users Around the World...

    According to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be understated: “I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches...

    ...Susan Hennessey, an editor at Lawfare and former NSA attorney, wrote on Twitter that the leak will cause 'immense harm to both U.S. intel interests and public security simultaneously...'"

    https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "...Beaumont [who was one of several experts who spent Friday combing through the documents and trying out the code] said there was bad news in the release for Microsoft as well. He said the malicious code published Friday appeared to exploit previously undiscovered weaknesses in older versions of its Windows operating system — the mark of a sophisticated actor and a potential worry for many of Windows' hundreds of millions of users.

    The opinion was seconded by Matthew Hickey of Prestbury, England-based cybersecurity company Hacker House.

    'It's an absolute disaster,' Hickey said in an email. 'I have been able to hack pretty much every Windows version here in my lab using this leak.'

    Microsoft said in a statement that it is reviewing the leak and 'will take the necessary actions to protect our customers.' It declined to elaborate..."

    https://www.yahoo.com/tech/leak-suggests-nsa-penetrated-mideast-141347857.html
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    :shifty::doubt::cautious::isay:
     
  11. plat1098

    plat1098 Guest

  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Hackers Warn of ‘Microsoft Apocalypse’ After Latest NSA Leaks...

    Experts say the document dump—which is mostly lines of computer code—amounts to an emergency for Microsoft because the hacks consist of a variety of "zero-day exploits" that can serve to infiltrate Windows machines for purposes of espionage, vandalism, or document theft...

    Other well-known figures in the security community also underscored the severity of the event for Microsoft. According to Cris Thomas (a.k.a. Space Rogue), a strategist at Tenable Network Security, the vulnerabilities affect a wide variety of products.
    'There appears to be at least several dozen exploits, including zero-day vulnerabilities in this release. Some of the exploits even offer a potential 'God Mode' on select Windows systems. A few of the products targeted include Lotus Notes, Lotus Domino, IIS, SMB, Windows XP, Windows 8, Windows Server 2003, and Windows Server 2012,' said Thomas...

    This is a huge deal. MS17-067 ;) https://twitter.com/hackerfantastic/status/852872904865959936

    - the grugq (@thegrugq) April 14, 2017...

    Until today, though, the Shadow Brokers have not published anything critical, but instead released information apparently related to the theft of documents by former NSA contractor Edward Snowden.

    ...In its Good Friday blog post, though, the Shadow Brokers appear to allude to current global tensions, writing 'Maybe if all suviving WWIII theshadowbrokers be seeing you next week...'

    http://fortune.com/2017/04/14/microsoft-shadow-brokers/
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "NSA's powerful Windows hacking tools leaked online...

    Hickey said the Windows exploits leaked on Friday could be used to conduct espionage and target critical data in Windows-based environments. Consumers using Windows PCs could be at risk, though experts say these kinds of tools are more commonly used to target businesses.

    '...The individual consumer is a little less at risk, as these kinds of tools are targeted at enterprise and business environments,' Hickey said..."

    http://money.cnn.com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "What Windows users need to know about the latest 'ShadowBrokers' exploits...

    Windows 10 seems to be immune to the exploits leaked on April 14, 2017.

    There are exploits that work 100 percent against Windows 7 with the April Service Pack.

    There are exploits that work 100 percent against Windows Server 2012 R2 with the latest updates as of April 14, 2017.

    There are exploits that work 100 percent against Windows XP with the latest updates.

    Windows 8 Pro doesn't grant full remote access when using these tools, but it isn't immune and some slight variation of the code could make the OS vulnerable..."

    http://www.windowscentral.com/everything-you-need-know-about-latest-shadowbrokers-dump?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wmexperts+(Windows+Central)

    NB: There was earlier speculation that one of the exploits, ETERNALBLUE was effective on WIN 10 but that now appears to be false (said to be non-reproducible by two security researchers):

    https://twitter.com/hackerfantastic/status/852999174631170048?ref_src=twsrc^google|twcamp^serp|twgr^tweet
     
    Last edited: Apr 14, 2017
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Hope this holds true. Time (short) will tell. Note that the tests were performed on the Pro and not the Home versions.

    Also note this tweet:
    Appears most of the exploits are remote code execution.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Sounds like a ploy by Microsoft to get everyone into W10.
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "NSA-leaking Shadow Brokers just dumped its most damaging release yet"

    [Although it is not clear from the context of this Ars Technica article exactly which exploits it is referring to -- you need to read it as it lists the known to date exploits in the dump -- the article states:]

    "...With the exception of Esteemaudit, the exploits should be blocked by most firewalls. And best practices call for remote desktop connections to require use of a virtual private network, a practice that should make the Esteemaudit exploit ineffective. Microsoft also recommends that organizations disable SMBv1, unless they absolutely need to hang on to it for compatibility reasons, which may block Eternalblue. That means organizations that are following best practices are likely safe from external attacks using these exploits...

    Amol Sarwate, director of engineering at security firm Qualys, has confirmed that at least one of the exploits, Eternalblue, works on Windows 10 [o_O] , even though the exploit was created before the OS was released. Hickey, Beaumont, and other researchers said they have been unable to reproduce that result..."

    https://arstechnica.com/security/20...rs-just-dumped-its-most-damaging-release-yet/
     
    Last edited: Apr 14, 2017
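The Ars Technica quote above boils the mitigations down to three host-side checks: is SMBv1 still enabled, are 445/139 reachable from outside, and is RDP (3389) reachable from anywhere other than the VPN. The script below is an added example written for this page; it is not code from the thread or from any of the quoted articles. It assumes Windows 8/Server 2012 or later for the NetSecurity and SmbShare cmdlets (Windows 7/2008 R2 hosts only get the registry path for SMBv1), English names for the built-in firewall rule groups, and that the `-VpnSubnet` default of 10.8.0.0/24 is a placeholder you replace with your own VPN client pool.

```powershell
# Added example (not from the thread or the quoted articles): audit one Windows
# host for SMBv1 and for SMB/RDP exposure, and with -Remediate apply the
# mitigations the Ars Technica quote lists. Run from an elevated prompt.
#Requires -RunAsAdministrator
param(
    [switch]$Remediate,
    [string]$VpnSubnet = '10.8.0.0/24'   # assumption: placeholder VPN client pool
)

function Get-Smb1Enabled {
    # $true when the SMB server still negotiates the SMB1 dialect.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: a missing SMB1 value means enabled (the default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    # On client SKUs that ship SMB1 as an optional feature, remove it as well so
    # the driver itself is gone, not just the negotiated dialect.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Get-ExposedListeners {
    # Which of the ports the exploits target are actually listening right now.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445, 3389 } |
        Select-Object -Unique LocalPort
}

function Set-PortExposure {
    # Public profile (untrusted networks): block SMB and RDP outright.
    $name = 'Block inbound SMB/RDP (Public)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445, 3389 -Profile Public -Action Block | Out-Null
    }
    # Domain/Private: keep the built-in allow rules but narrow their scope.
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Profile Domain, Private `
        -RemoteAddress LocalSubnet -ErrorAction SilentlyContinue
    # "RDP requires the VPN" on the host side means: RDP only from the VPN pool.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet `
        -ErrorAction SilentlyContinue
}

$smb1 = Get-Smb1Enabled
Write-Host ("SMBv1 server enabled : {0}" -f $smb1)
Write-Host ("Listening on         : {0}" -f ((Get-ExposedListeners).LocalPort -join ', '))

if ($Remediate) {
    if ($smb1) { Disable-Smb1; Write-Host 'SMBv1 disabled; reboot to unload the driver.' }
    Set-PortExposure
    # Show the resulting RDP scope so the change can be eyeballed.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Get-NetFirewallAddressFilter | Select-Object RemoteAddress
}
```

Run it without switches to audit, then with `-Remediate -VpnSubnet <your pool>` to apply, and reboot. Verify from a second machine outside the allowed subnet with `Test-NetConnection -ComputerName <host> -Port 445` (and 3389); `TcpTestSucceeded` should now be `False`. This is a host-firewall version of what the quote describes at the perimeter, so it complements rather than replaces the edge firewall, and as the quote warns, disabling SMBv1 will break clients or appliances that still depend on it.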
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I already block SMB using Eset IDS.

    Appears to me you could get nailed by this one on Win 10 per the original bleepingcomputer.com link I posted:
    From the Github source, appears to be delivered using a Word .docx e-mail.
     
    Last edited: Apr 14, 2017
  19. plat1098

    plat1098 Guest

    You gotta know there's more. Always something held back in reserve. Where are the FUDsy-wudsy people getting shrill? Any machine(s) with mission-critical stuff demands prudent, watchful waiting. That's the ticket.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://www.slashgear.com/microsoft...hacking-loopholes-have-been-patched-15482202/
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    NSA <-> Microsoft; "two peas together in the same pod."
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, maybe...
    It's still good to hear that vulnerabilities have already been patched.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Jeez Louize - Talk about Much Ado About Nothing :)

    Yesterday the security world woke up in a tizzy about a "Microsoft Apocalypse", the apparent severity of which lessened somewhat throughout the day - and now this Microsoft reveal, and the coordinated China/US "Good Cop-Bad Cop" approach apparently dissuaded North Korea from starting WW III (at least for the time being).

    Be Thankful
     
    Last edited: Apr 15, 2017
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    My gut is telling me that there is more to this latest Shadow Brokers incident which amounted to a "dog and pony" show that gathered a lot of attention but amounted to zip substance-wise.

    If you can keep the "dog occupied chasing his tail", he won't see the Bear sneaking up to eat him. Would not be surprised in the least if the "really good stuff" exploit-wise is being presently distributed on the Dark Web via secure channels.
     