Category Archives: Shadow Brokers

Win XP patched to avert new outbreaks spawned by NSA-leaking Shadow Brokers

(credit: Microsoft)

On Tuesday, Microsoft took the highly unusual step of issuing security patches for XP and other unsupported versions of Windows. The company did this in a bid to protect the OSes against a series of "destructive" exploits developed by, and later stolen from, the National Security Agency.

By Ars' count, Tuesday is only the third time in Microsoft history that the company has issued free security updates for a decommissioned product. One of those came one day after last month's outbreak of the highly virulent "WCry" ransom worm, which repurposed NSA-developed exploits. The exploits were leaked by the Shadow Brokers, a mysterious group that somehow got hold of weaponized NSA hacking tools. (WCry is also known as "WannaCry" and "WannaCrypt.")

Tuesday's updates, this updated Microsoft post shows, include fixes for three other exploits that were also released by the Shadow Brokers. A Microsoft blog post announcing the move said the patches were prompted by an "elevated risk of destructive cyberattacks" by government organizations.


New Shadow Brokers 0-day subscription forces high-risk gamble on whitehats

Gambling. (credit: Jamie Adams)

The mysterious group that over the past nine months has leaked millions of dollars' worth of advanced hacking tools developed by the National Security Agency said Tuesday it will release a new batch of tools to individuals who pay a $21,000 subscription fee. The plans, announced in a cryptographically signed post published Tuesday morning, are generating an intense moral dilemma for security professionals around the world.

On the one hand, the Shadow Brokers, as the person or group calls itself, has in the past released potent hacking tools into the wild, including two that were used to deliver the WCry ransomware worm that infected more than 200,000 computers in 150 countries. If the group releases similarly catastrophic exploits for Windows 10 or mainstream browsers, security professionals are arguably obligated to have access to them as soon as possible to ensure patches and exploit signatures are in place to prevent similar outbreaks. On the other hand, there's something highly unsavory and arguably unethical about whitehats paying blackhats with a track record as dark as that of the Shadow Brokers.

"It certainly creates a moral issue for me," Matthew Hickey, cofounder of security firm Hacker House, told Ars. "Endorsing criminal conduct by paying would be the wrong message to send. Equally, I think $21k is a small price to pay to avoid another WannaCry situation, and I am sure many of its victims would agree with that sentiment."


Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft

An aerial view of the NSA. (credit: nsa.gov)

After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.

Those same NSA officials, according to Tuesday's report, failed to communicate the severity of the vulnerability to the outside world. A month after Microsoft released the patch, the Shadow Brokers published the attack code, code-named EternalBlue, that exploited the critical Windows vulnerability. A month after that, attackers used a modified version of EternalBlue to infect computers around the world with malware that blocked access to data. Within hours of the outbreak of the ransomware worm dubbed WCry, infected hospitals turned away patients; banks, telecommunications companies, and government agencies shut down computers.

"NSA identified a risk and communicated it to Microsoft, who put out an immediate patch," Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told The Washington Post. The problem, he said, is that no senior official took the step of shouting to the world: "This one is very serious, and we need to protect ourselves."


>10,000 Windows computers may be infected by advanced NSA backdoor

(credit: Jeremy Brooks)

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

DoublePulsar, as the NSA implant is code named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.


Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers

(credit: NSA)

Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.

That's because the critical vulnerabilities behind four exploits previously believed to be zero-days were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it is uncommon, and it is generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained in Friday's leak.

Microsoft provided the following table showing when various exploits were patched:


Microsoft says exploits leaked by Shadow Brokers were addressed by prior patches

Microsoft researchers were working late into the night on the Friday before this holiday weekend to address yesterday's Shadow Brokers dump of Windows exploits. In a message sent to TechCrunch overnight, the company said it has addressed the issue for systems running Windows 7 and later. "We've investigated and confirmed that the exploits disclosed by the Shadow Brokers…

NSA-leaking Shadow Brokers just dumped its most damaging release yet

A computer screen displaying Eternalromance, one of the hacking tools dumped Friday by Shadow Brokers. (credit: Matthew Hickey)

The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte's worth of the National Security Agency's weaponized software exploits—just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows, along with evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.

Friday's release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.

"It is by far the most powerful cache of exploits ever released," Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. "It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective."
