The latest dump of hacking tools allegedly belonging to the NSA is believed to be the most damaging release by the Shadow Brokers to date.
The KB for MS17-010 typically comes through Windows Update; you can also download the standalone patch from the Update Catalog. You can find direct links to the. The MS17-010 patch does nothing to stop the ransomware itself. If you download the exe and run it, it'll still do its thing and encrypt your files. For example, the primary infection vector on most networks was through email attachments, IIRC. This is nothing new for ransomware.
But after analyzing the disclosed exploits, Microsoft security team says most of the windows vulnerabilities exploited by these hacking tools, including EternalBlue, EternalChampion, EternalSynergy, EternalRomance and others, are already patched in the last month's Patch Tuesday update.
'Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,' Microsoft Security Team said in a blog post published today.

On Good Friday, the Shadow Brokers released a massive trove of Windows hacking tools allegedly stolen from the NSA that work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and their server-side variants such as Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.
The hacking exploits could give nearly anyone with technical knowledge the ability to break into millions of Windows computers and servers all over the Internet, but those which are not up-to-date.
'Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.' Microsoft says.
The data dump also includes some top-secret presentations and excel sheets, indicating that the leaked exploits may have been used to hack the SWIFT banking system of several banks across the world.
Even though NSA exploits are patched, the Shadow Brokers leak is still big, which provides info on NSA targeting SWIFT Networks
One hacking tool, called EternalRomance, has an easy-to-use interface and exploits Windows systems over TCP ports 445 and 139.
The most noteworthy exploit in Friday's dump is EternalBlue — an SMBv1 (Server Message Block 1.0) exploit that could cause older versions of Windows to execute code remotely.
Matthew Hickey, a security expert and co-founder of Hacker House, also published a video demonstration in which he uses this exploit, together with another alleged zero-day, FuzzBunch, against a virtual machine running Windows Server 2008 R2 SP1 and pulls off the hack in less than two minutes.
But if the company already patched this flaw last month, then how could this exploit work against an updated machine? It seems the researcher tried this exploit against a Windows PC without the latest updates installed.
'The patches were released in last month's update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable - if you apply MS17-010 it should protect hosts against the attacks,' Matthew clarifies during a conversation with The Hacker News.
No Acknowledgement for SMB RCE Issue by Microsoft
There's also news floating around the Internet that the 'NSA has had, at a minimum, 96 days of warning,' knowing that the Shadow Brokers could drop the files at any time, but the agency did not report the flaws to Microsoft.
The Intercept also reported that Microsoft told it that the company had not been contacted by any 'individual or organization,' in relation to the hacking tools and exploits released by the Shadow Brokers.
The vulnerabilities have already been patched by Microsoft, which normally acknowledges the security researchers who report issues in its products, but, interestingly, there are no acknowledgments for MS17-010, the bulletin that patched most of the critical flaws from the Shadow Brokers dump.
It’s noteworthy, there’s no acknowledgement for recently patched MS17-10 SMB flaw on Microsoft (used in Eternalblue)
This indicates that someone from the agency, or linked to a defense contractor, might have warned the company of the SMB RCE issue.
So, only those who are still using Windows XP, which Microsoft stopped supporting long ago, are at risk of getting their machines hacked.
And there is no need to panic if you use updated Windows 7, 8 or 10 (or even Windows Vista, whose support ended just last week and the issue was patched last month).
The simple advice for you is to always keep your Windows machines and servers up-to-date in order to prevent yourself from being hacked.
I don't understand this one:
There are contradictory things I read about how to mitigate the WannaCry incident: some say if the SMBv1 client and server are disabled, the MS17-010 patch is NOT required; others say even if the SMBv1 client and server are disabled, the MS17-010 patch is STILL required.
So I really don't understand now who I should listen to. If the SMBv1 client and server are disabled, how does installing the MS17-010 patch help prevent WannaCry spreading to a non-infected PC, as long as the aforementioned services are disabled, i.e. the SMBv1 that the worm part of this ransomware exploits is no longer enabled?
Please explain; it's useful for me to find out my mistake in case I did not install the MS17-010 patch, because I have not installed the patch anywhere, I just disabled the SMBv1 client and server through the registry via group policy.
Does the patch fix bugs in SMBv1 that would allow me to re-enable SMBv1? Still, Microsoft says don't use SMBv1, so why would I bother installing the MS17-010 patch, as long as the MS17-010 patch doesn't prevent WannaCry's action as well?
I called many colleagues; many of them are still confused about this issue and don't know what to do about it. Please don't close this question, it is very important to clarify this issue directly and to find it directly in a Google search.
elekgeek
1 Answer
You do not need the MS17-010 patch if you disable SMBv1
As explained in the Executive Summary of Microsoft Security Bulletin MS17-010:
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
This 'specially crafted message' is an exploit known as EternalBlue. Its role in spreading WannaCry is discussed in Cisco’s threat intelligence team's excellent blog post about the ransomware. In brief:
The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability.
The Wikipedia article for the EternalBlue exploit confirms it is version 1 of Microsoft's implementation of SMB that is vulnerable:
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. [Emphasis mine.]
Bottom line, if SMBv1 is disabled on a machine, then the EternalBlue exploit is not possible and WannaCry cannot infect the machine over SMB.
Note: SMBv1 is the only version of the protocol available on Windows Server 2003 and XP. Therefore disabling it also fully disables file sharing on these systems.
Yes, you should stop using SMBv1. You should have stopped using it a long time ago. But even if you disable it, install this security patch anyway.
Doing so is NOT redundant. It's prudent. Should someone else come behind you and re-enable SMBv1 and the system not be patched, the machine again becomes vulnerable to an exploit that is capable of compromising the host easily and in an undetected manner. And the next guy might not be aware of the land mine he's enabled.
You don't need that liability hanging over any machine you're responsible for.
Twisty Impersonator
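The answer's point is that the two controls are independent: SMBv1 can be switched off and later switched back on by someone else, so the host should also carry MS17-010. The following audit script is an added example written for this page, not code from the article or from the Super User answer. It checks both controls on the local host: whether the SMBv1 server and the SMBv1 client (the mrxsmb10 redirector plus the LanmanWorkstation dependency that Microsoft's disablement guidance also removes) are really off, and whether an MS17-010 hotfix is installed. It assumes PowerShell 3.0 or later running elevated; `$Ms17010Kbs` holds a placeholder that you fill with the KB numbers the MS17-010 bulletin lists for the operating system you are auditing (the bulletin maps one KB per Windows version), and the function and variable names are mine.

```powershell
# Added example: audit one Windows host for both controls discussed in the answer,
# SMBv1 disablement (server and client side) and the presence of MS17-010.
# Assumptions: PowerShell 3.0+, elevated. $Ms17010Kbs is a placeholder to be
# filled from the MS17-010 bulletin for the OS being audited.

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the switch through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the LanmanServer 'SMB1' registry value the
    # question's group-policy change sets. A missing value means the default,
    # and the default is SMBv1 on.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $smb1) -or ($smb1 -ne 0)
}

function Get-Smb1ClientEnabled {
    # The SMBv1 redirector is the mrxsmb10 driver. It is off only when its Start
    # type is 4 (disabled) AND the workstation service no longer depends on it;
    # a leftover dependency is exactly the "land mine" the answer warns about.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $drv) { return $false }          # driver not present at all
    $deps = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
                              -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    return ($drv.Start -ne 4) -or ($deps -contains 'mrxsmb10')
}

function Get-InstalledMs17010Kb {
    param([string[]]$KbIds)
    # Get-HotFix reports installed updates by KB id. One match is enough, since
    # the security-only and monthly-rollup packages both carry the SMB fix.
    # Caveat: on Windows 10 later cumulative updates supersede the March 2017
    # one, so "not found" there means "inspect the installed cumulative update".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

$Ms17010Kbs = @('KB_FROM_MS17-010_BULLETIN')   # placeholder: replace with the KB(s) for this OS

$report = [ordered]@{
    Host       = $env:COMPUTERNAME
    Smb1Server = Get-Smb1ServerEnabled
    Smb1Client = Get-Smb1ClientEnabled
    Ms17010Kb  = Get-InstalledMs17010Kb -KbIds $Ms17010Kbs
}

# Exposure to EternalBlue requires the SMBv1 server listening AND the fix absent.
# Disabled-but-unpatched is still flagged, because the disablement can be undone.
$report.Verdict = if ($report.Smb1Server -and -not $report.Ms17010Kb) {
                      'VULNERABLE: SMBv1 server on, MS17-010 missing'
                  } elseif (-not $report.Ms17010Kb) {
                      'AT RISK IF RE-ENABLED: SMBv1 off, MS17-010 missing'
                  } elseif ($report.Smb1Server -or $report.Smb1Client) {
                      'PATCHED, but SMBv1 still enabled; disable it'
                  } else {
                      'OK: SMBv1 off and MS17-010 present'
                  }

[pscustomobject]$report | Format-List
```

Run it on each host you manage (or wrap the four function calls in `Invoke-Command` for remote hosts); the 'AT RISK IF RE-ENABLED' verdict is the case the answer describes, where SMBv1 disablement alone is doing all the work and a single registry change would undo it.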