Leaked NSA Exploits Work on All Microsoft Operating Systems Since Windows 2000 

Feb 5, 2018

A security researcher has made three leaked NSA exploits work on all versions of Windows since Windows 2000. These exploits were leaked last year by The Shadow Brokers. This is the same group that had leaked the notorious EternalBlue exploit that was used to power the biggest online ransomware campaign this industry has seen so far.

The three exploits in question are EternalChampion, EternalRomance, and EternalSynergy, all of which were leaked by TSB in April last year. One security researcher has now reworked the source code so that all of them run on every Windows version released in the last two decades, “for the purposes of academic research and for the development of effective defensive techniques”.


The researcher behind this is Sean Dillon from RiskSense (@zerosum0x0 on Twitter). The effort uses the security vulnerabilities tracked as CVE-2017-0143 (EternalRomance, EternalSynergy) and CVE-2017-0146 (EternalChampion, EternalSynergy). While some might suggest Dillon has made it easier for attackers to use these exploits, the criminal community has been extensively using leaked NSA exploits for the past 8 months or so. Dillon has merged these exploits into the open-source penetration testing project, the Metasploit Framework.

Releasing his code on GitHub, Dillon added that “this module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).”

Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session. The MSF [Metasploit Framework] module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit’s psexec DCERPC implementation bolted onto it.

The security researcher added that the modified exploits work on both the 32-bit and 64-bit architectures. The following versions are vulnerable/supported:


This isn’t the first time researchers have modified NSA exploits for research and pen-testing purposes. However, it’s probably the first time that nearly a decade’s worth of systems are vulnerable to a single set of these exploits. Dillon did include a disclaimer with his release saying that this is “purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized”.
