The Shadow Brokers, the mysterious person or group that over the past eight months has leaked a gigabyte's worth of the National Security Agency's weaponized software exploits, just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows, along with evidence of sophisticated intrusions into the SWIFT infrastructure used by several banks around the world.
The exploits in Friday's dump are among the most severe ever released publicly; most of them yield remote code execution.
- ETERNALROMANCE: remote privilege escalation to SYSTEM (Windows XP through Windows Server 2008, over TCP port 445)
- ETERNALCHAMPION, ETERNALSYSTEM: remote exploit up to Windows 8 and Windows Server 2012
- ETERNALBLUE: remote exploit via SMB and NBT (Windows XP through Windows Server 2012)
- EXPLODINGCAN: remote IIS 6.0 exploit for Windows Server 2003
- EWORKFRENZY: Lotus Domino 6.5.4 and 7.0.2 exploit
- ETERNALSYNERGY: remote exploit for Windows 8 and Windows Server 2012
- FUZZBUNCH: exploit framework (similar to Metasploit) that drives the exploits above
The exploit codenamed ETERNALBLUE also appears to be more severe than first reported: several security specialists on Twitter say it also works against Windows 10 systems, although that claim had not been independently verified at the time of writing. One caveat for defenders: Microsoft's MS17-010 bulletin, released in March 2017, patched the SMBv1 flaws that ETERNALBLUE, ETERNALROMANCE, ETERNALCHAMPION and ETERNALSYNERGY rely on, so the hosts at risk are those that have not applied it or that still expose SMBv1 on TCP 445.
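Because every ETERNAL* exploit in the list above goes through SMB on TCP 445, the check a Windows administrator wants after reading this is whether a given host still speaks SMBv1, still listens on 445, and has the MS17-010 packages installed. The script below is an added example written for this page; it is not code from the leak, from the article, or from Microsoft. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (on Windows 7/2008 R2 the Smb* and NetTCP* cmdlets are missing, and the script falls back to the registry); the KB numbers in `$Ms17010Kbs` are the MS17-010 packages for Windows 7 SP1/2008 R2 and 8.1/2012 R2 and should be confirmed against the bulletin for your builds.

```powershell
# Added example, not from the leak or the article: audit a Windows host for the
# SMBv1 exposure the ETERNAL* exploits need, and optionally disable SMBv1.
# Assumptions: elevated PowerShell; Windows 8/Server 2012+ for the Smb*/NetTCP*
# cmdlets (the registry path below covers Windows 7/2008 R2 instead).
# The KB IDs are MS17-010 packages for Win7 SP1/2008 R2 and 8.1/2012 R2; confirm
# them for your builds. A later cumulative update supersedes them, so a missing
# KB is a prompt to verify, not proof of exposure.

param(
    [switch]$Remediate,
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216')
)

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$findings = @()

# 1. Is the SMB server still accepting SMBv1?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / 2008 R2: SMBv1 is on unless the SMB1 value is explicitly 0
    $regValue = Get-ItemProperty -Path $lanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $regValue) -or ($regValue.SMB1 -ne 0)
}
if ($smb1Enabled) { $findings += 'SMBv1 is enabled on the server side' }

# 2. Is TCP 445 listening? (Every exploit in the list reaches the host this way.)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listening) {
        $findings += 'TCP 445 is listening; confirm a host firewall or network ACL restricts who can reach it'
    }
}

# 3. Is one of the MS17-010 packages present?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if (-not $installed) {
    $findings += "None of $($Ms17010Kbs -join ', ') installed; verify MS17-010 is covered by a later cumulative update"
}

if ($findings.Count -eq 0) {
    Write-Output 'No SMBv1 exposure found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# 4. Optional remediation: turn SMBv1 off (Windows 7/2008 R2 needs a reboot).
if ($Remediate -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Output 'SMBv1 disabled.'
}
```

Run it as `.\Check-Smb1Exposure.ps1` to audit, and add `-Remediate` to switch SMBv1 off once you have confirmed nothing on the host (old scanners, legacy NAS, Samba 3 clients) still depends on it; disabling SMBv1 removes the attack surface these exploits use even on a host whose patch state you cannot confirm.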
That's not all: Friday's dump also contains tools for breaking into financial institutions, particularly banks in the Middle East. According to an analysis by Matt Suiche, a researcher and cofounder of Cloud Volumes, Jeepflea_Market is the code name for a 2013 mission that accessed EastNets, the largest SWIFT service bureau in the Middle East. EastNets provides anti-money-laundering oversight and related services for SWIFT transactions in the region. Besides data on specific servers, the archive includes reusable tools for pulling information out of Oracle databases, such as the list of database users and queries against SWIFT messages.
The release also contains the software for "Oddjob", an implant and backdoor that lets an operator control compromised computers through an HTTP-based command server. Other implants carry names such as Darkpulsar-1.1.0.exe, Mofconfig-1.0.0.exe, and PluginHelper.py. Apart from a few engines' generic detections of the packer that conceals Oddjob, none of the implants were flagged by antivirus products at the time this update was going live. AV vendors are almost certainly pushing out signature updates now.
Let this dump be a lesson to those who think government-exclusive backdoors can be kept safe and secure. Both the CIA and the NSA, supposedly the most secure agencies on Earth, have had their secret arsenals stolen. Strong security only works when it is strong for everyone.