  • Shadow Brokers and what the leaks mean to Windows users

    Posted on April 15th, 2017 at 06:53 woody Comment on the AskWoody Lounge

    I’m a little late to the party on this one.

    As many/most/all of you know, on Friday a group called Shadow Brokers published an enormously damaging trove of code, apparently from the NSA, with all sorts of exploits and hacking tools. Most (if not all) versions of Windows are in the crosshairs.

    Our tax dollars at work.

    To catch up, there’s a series of articles every Windows user should read.

    Dan Goodin, Ars Technica: NSA-leaking Shadow Brokers just dumped its most damaging release yet

    Andy Greenberg, Wired: Major leak suggests NSA was deep in Middle East banking system

    Philip Misner, Microsoft Security Response Center: Protecting customers and evaluating risk

    Microsoft’s analysis (which is undoubtedly accurate, but will be debated endlessly):

    Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

    Code Name          Solution
    EternalBlue        Addressed by MS17-010
    EmeraldThread      Addressed by MS10-061
    EternalChampion    Addressed by CVE-2017-0146 & CVE-2017-0147
    ErraticGopher      Addressed prior to the release of Windows Vista
    EskimoRoll         Addressed by MS14-068
    EternalRomance     Addressed by MS17-010
    EducatedScholar    Addressed by MS09-050
    EternalSynergy     Addressed by MS17-010
    EclipsedWing       Addressed by MS08-067

    Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

    MS17-010, which figures prominently in that table, is the one that fixed the SMBv1 hole in all versions of Windows. This month’s patches don’t figure in any of the discussions. We’re still at MS-DEFCON 1.

    I haven’t seen any evidence that the disclosure is being used by Microsoft to convince folks to move to Windows 10. (I do note, with some nostalgia, that the demise of the Security Bulletin system will make such analysis and communication much more cumbersome in the future.)

    So… the sky isn’t falling. But there are some very gray clouds out there, and a whole bunch of cretins jumping around trying to incorporate the Shadow Brokers code into their products. Those of you who patched through last month’s Patch Tuesday crop are OK, according to Microsoft – and they should know. Windows XP and Vista remain debatable. Those of you in Group W — who aren’t patching at all — should take note.

    Last night, MrBrian started a Lounge thread on the topic. I’ve moved it to the location referenced above. Thanks, MrBrian.



    This topic contains 54 replies, has 16 voices, and was last updated by  MrBrian 5 months ago.

    • #108655 Reply

      MrBrian
      AskWoody MVP

      From What Windows users need to know about the latest ‘ShadowBrokers’ exploits:

      “We tested the leaked files on virtual machines running Windows XP, Windows 7, Windows Server 2012 R2 and Windows 8 Pro to see if they’re vulnerable. We also tested a local installation of Windows 10 Pro 64-bit. This is a quick list of what we found:

      Windows 10 seems to be immune to the exploits leaked on April 14, 2017.
      There are exploits that work 100 percent against Windows 7 with the April Service Pack.
      There are exploits that work 100 percent against Windows Server 2012 R2 with the latest updates as of April 14, 2017.
      There are exploits that work 100 percent against Windows XP with the latest updates.
      Windows 8 Pro doesn’t grant full remote access when using these tools, but it isn’t immune and some slight variation of the code could make the OS vulnerable.”

      • #108660 Reply

        anonymous

        GWX: Phase II.

      • #108679 Reply

        anonymous

        @ MrBrian

        Today, it made a new post that contained a number of working exploits for Windows machines running everything from XP up to at least Windows 8. As far as Windows 10, it appears that the stolen data is from 2013 and predates the latest OS.

        It’s self-explanatory.

        The NSA have likely, since 29 July 2015, been using newer exploits for Win 10 which may have yet to be leaked publicly by Shadow Brokers or other hackers.
        Some people are even saying that Win 10 has inbuilt NSA spyware based on MS’s past collaboration/cooperation with the NSA in the PRISM spying program.

        • #108685 Reply

          Kirsty
          AskWoody MVP

          A link to your quote would be appreciated. It would allow others to read more on the issue, if they wished.

          • #108747 Reply

            woody
            Da Boss

            The quote’s from Richard Lawler’s piece in engadget. ‘Shadow Brokers’ dump of NSA tools includes new Windows exploits (updated)

            Lawler just updated his piece to say:

            Update (4/15): Microsoft responded early Saturday morning, saying that for the seven flaws leaked that affect supported systems — they’ve all already been patched. Of course, the story gets a bit more interesting from there, since it appears that four of them were only patched just last month, suggesting someone informed the company about the security issues before TSB could leak them.

            There’s a whole lot of debate about what NSA knew, when they knew it, and whether/if/how they notified Microsoft that the apocalypse was coming.

            • This reply was modified 6 months, 1 week ago by  woody.
            2 users thanked author for this post.
    • #108662 Reply

      anonymous

      From ‘Shadow Brokers’ dump of NSA tools includes new Windows exploits:

      ‘Contacted via email, Matthew Hickey expressed a similar outlook, saying that “most home users will not be directly impacted by these vulnerabilities as an attacker needs to connect to services on their computer. The risk is much bigger to enterprise and businesses who rely on these services to connect online.”‘

    • #108675 Reply

      Kirsty
      AskWoody MVP

      http://www.bbc.com/news/technology-39553241

      BBC published about the ShadowBrokers NSA Malware release on April 10th, saying

      “Some cyber-security experts have said some of the malware is real, but old.”

      https://medium.com/@d0znpp/analysis-of-the-eqgrp-leakage-a14bc92040d2

      Ivan Novikov analysed the #EQGRP NSA leakage data, which shows 910 servers hacked around the world between 2000 and 2010.

      http://www.bbc.com/news/technology-39606575

      BBC published about the ShadowBrokers NSA tools leak on April 15th, saying

      “… accompanying documents appear to indicate a possible breach of the Swift global banking system.
      Such a hack could have enabled the US to covertly monitor financial transactions, researchers said.
      If genuine, it represents perhaps the most significant exposure of NSA files since the Edward Snowden leaks in 2013.
      Multiple experts have said this latest “data dump” is credible…
      The files contained several “zero day” exploits – vulnerabilities that were previously unknown to the companies that create the software, or the security community at large.
      … multiple experts said the sheer number of zero days released at the same time was unprecedented.
      Microsoft said in a statement to the BBC that it was “reviewing the report and will take the necessary actions to protect our customers”.”

      1 user thanked author for this post.
    • #108711 Reply

      MrBrian
      AskWoody MVP
    • #108716 Reply

      MrBrian
      AskWoody MVP

      Tweet from Microsoft employee:

      “Removing/disabling SMB1 is encouraged. This is coming in the next OS release for many SKUs and editions http://aka.ms/stopusingsmb1”

      2 users thanked author for this post.
      • #108755 Reply

        Noel Carboni
        AskWoody MVP

        Thanks. No SMB1 on my network!

        -Noel

        1 user thanked author for this post.
        • #108856 Reply

          anonymous

          Thanks, but does this break anything? Also I just noticed that IE 11 can be turned off. 🙂

          1 user thanked author for this post.
          • #108885 Reply

            MrBrian
            AskWoody MVP

            It could break some file and printer sharing functionality in your local network (if you have one).

            1 user thanked author for this post.
            • #108912 Reply

              anonymous

              Thanks for replying, I performed some tests and Homegroup read-only sharing survives the change. 🙂

              1 user thanked author for this post.
          • #108894 Reply

            Noel Carboni
            AskWoody MVP

            Do you have any XP systems on your LAN? I understand those might need SMB1 to see files / printers on the newer systems and vice versa.

            Try disabling it and ensure all your systems can still communicate in the ways that you need them to. It can always be re-enabled.

            -Noel

            1 user thanked author for this post.
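The "disable it, check that everything still talks, re-enable if not" test described above, as an added example (not code from the thread, from Microsoft, or from Noel): it reports the SMB1 state and whether port 445 is listening, and optionally turns SMB1 off or back on. It assumes an elevated PowerShell session; Windows 8.1/10 and Server 2012 R2 or later expose the SmbServerConfiguration cmdlets, while Windows 7 / Server 2008 R2 only offer the registry and sc.exe path that the aka.ms/stopusingsmb1 guidance (KB2696547) documents, and that path needs a reboot to take effect.

```powershell
# Added example, not code from the AskWoody thread or from Microsoft.
# Assumptions: elevated session; newer Windows has Get-/Set-SmbServerConfiguration,
# Windows 7 / 2008 R2 fall back to the LanmanServer registry value and sc.exe (KB2696547).
[CmdletBinding()]
param(
    [switch]$Disable,    # turn SMB1 off (server and client side)
    [switch]$Reenable    # undo the change if an XP box or old NAS really needs SMB1
)

$LanmanParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$HasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Get-Smb1Status {
    # Report whether the SMB1 server protocol is on and whether TCP 445 is listening at all.
    if ($HasSmbCmdlets) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7: the SMB1 value is absent by default, and absent means "enabled".
        $val  = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)
    }
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    } else {
        $listening = [bool](netstat -an | Select-String ':445\s+.*LISTENING')
    }
    # mrxsmb10 is the SMB1 client redirector: Start=2 auto, Start=4 disabled.
    $clientStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb1
        Smb1ClientStart   = $clientStart
        Port445Listening  = $listening
    }
}

function Set-Smb1 {
    param([Parameter(Mandatory)][bool]$Enabled)
    if ($HasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $Enabled -Force
        # Windows 8.1/10 also ship SMB1 as an optional feature (client and server binaries).
        if ($Enabled) { Enable-WindowsOptionalFeature  -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
        else          { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    } else {
        # Windows 7 / Server 2008 R2 server side (KB2696547): SMB1 = 0 disables, 1 enables.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value ([int]$Enabled) -Force
        # Client side: keep the workstation service from loading the SMB1 redirector.
        if ($Enabled) {
            sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= auto | Out-Null
        } else {
            sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= disabled | Out-Null
        }
    }
}

'Before:'; Get-Smb1Status | Format-List
if ($Disable)  { Set-Smb1 -Enabled $false; 'After:'; Get-Smb1Status | Format-List }
if ($Reenable) { Set-Smb1 -Enabled $true;  'After:'; Get-Smb1Status | Format-List }
```

Run it without switches on each machine first to see where SMB1 is still on, then with -Disable, and walk through the file and printer shares you actually use before calling the change good.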
      • #108774 Reply

        anonymous
        • #108794 Reply

          woody
          Da Boss

          Dr. Ullrich knows whereof he speaks.

          1 user thanked author for this post.
    • #108753 Reply

      woody
      Da Boss

      Here’s something interesting. Just a few hours ago, Tom Warren posted this on The Verge:

      one security researcher, the grugq, claims that the NSA may have actually reported some of the bugs themselves. While Microsoft always acknowledges the source of security flaw reports, the grugq noticed there are no acknowledgements for patches (MS17-010) issued last month that fix some of the leaked NSA exploits. It’s possible that The Shadow Brokers or another group / individual tipped Microsoft to them in advance. Microsoft mysteriously delayed its Patch Tuesday release in February by a month in an unprecedented move, blaming a “last minute issue”. March’s Patch Tuesday included fixes for these leaked NSA exploits.

      That qualifies as completely unsupported speculation… but it sure is worth chewing on. Fake news? Blazing insight? You choose.

      https://twitter.com/arekfurt/status/853152866395181056

      2 users thanked author for this post.
    • #108754 Reply

      MrBrian
      AskWoody MVP

      Interesting in hindsight: Patch Tuesday put on hold, SMB zero-day exploit likely to blame (Feb. 15, 2017)

      1 user thanked author for this post.
    • #108757 Reply

      anonymous

      Do these leaks affect non-networked workstations?

      • #108759 Reply

        woody
        Da Boss

        Yes, but if you’re patched through last month, you’re OK.

        The leaks cover ev-er-y-thing, but MS says it’s (almost) all been fixed already.

        4 users thanked author for this post.
    • #108760 Reply

      BrianL
      AskWoody Lounger

      The NSA Spyware situation with MS has not changed. The only thing that changes is programs that NSA uses. Although I don’t know the particulars: the NSA and Microsoft have an iron clad agreement that NSA has access to all MS servers. You can draw your own conclusions!

      1 user thanked author for this post.
      • #108809 Reply

        thymej
        AskWoody Lounger

        Yea, the NSA does not need any exploits with Windows 10, MS is already collecting all the information for them.

        1 user thanked author for this post.
      • #109069 Reply

        MrJimPhelps
        AskWoody MVP

        the NSA and Microsoft have an iron clad agreement that NSA has access to all MS servers.

        How do you know this?

        If this is true, then imagine the implications of all of the telemetry data-collection by Microsoft. This could explain why they are collecting all of the data, from Windows 7 forward.

    • #108822 Reply

      Microfix
      AskWoody Lounger

      Quite a worrying list here

      I’m not convinced that Windows 10 is in the clear either since these exploits were stolen in 2013, before Windows 10 came out, so obviously it wouldn’t have been listed as a potential target.

      Windows 10, it’s not like you have any privacy left to violate anyway!

      | 3 PC W8.1 Pro x64 | | 1 PC Linux Hybrids x64 | | 1 PC Windows XP Pro x86 (offline) |
        No problem can be solved from the same level of consciousness that created IT - AE
      1 user thanked author for this post.
    • #108837 Reply

      BrianL
      AskWoody Lounger

      NSA, in our present state of the world, can do what they want to, to protect us. Their intent is not to be disruptive to our computer uses. In fact I think that they have been doing this without causing any problems to us. We had no idea that this was going on for years, because it didn’t show up on our computers at all. I do think that with the boondoggle of the OS Windows 10, that NSA will have their work cut out for them. JUST MY THOUGHTS ONLY. Thanks for listening.

      2 users thanked author for this post.
      • #109070 Reply

        MrJimPhelps
        AskWoody MVP

        NSA, in our present state of the world, can do what they want to, to protect us. Their intent is not to be disruptive to our computer uses. In fact I think that they have been doing this without causing any problems to us

        I know I’m edging dangerously close to a rant when I ask this, but are you sure you want Big Brother’s protection? Anytime the government can gather all of my personal information at will “for my protection”, I think we have a major problem on our hands.

        If you consider the total loss of our privacy not to be a problem, then I suppose you could say that they haven’t been causing any problems to us.

    • #108896 Reply

      Anonymous

      Windows 7 fight against Windows 10. This picture says more about what is going on in the digital world than I can say with words. Most people know the story about David’s fight against Goliath. (If not, you should read it.) … The deal in this fight was this: if David (W7) loses the fight, then all the people have to surrender and be a slave to Goliath (W10).

      To me Woody is a fighter like David… Thank you Woody !

      • This reply was modified 6 months, 1 week ago by  Kirsty. Reason: Edited DB link
      1 user thanked author for this post.
    • #108951 Reply

      jescott418
      AskWoody Lounger

      The really big deal is that these tools leaked into the wild to begin with. Because it looks as though at least with Windows 10 users have been patched, if indeed users actually installed the updates. Of course it always gets murkier as you go back in time with Windows versions. Windows has always suffered from being a target just because of the vast numbers of PCs running Windows. But even with Windows 10 being more secure than any previous version, I am skeptical: how much improvement is really there? Especially now that we have Windows 10 sending telemetry and other data back and forth to servers. Even if you trust Microsoft, the questions remain on how well this telemetry is protected, where it is stored and what kind of potential it holds for hackers.

      1 user thanked author for this post.
    • #108952 Reply

      MrBrian
      AskWoody MVP

      For people who normally never update Windows, you may wish to consider making an exception and installing the March 2017 security-only update. If you don’t do so, malware on other devices in your local network could cause your computer to get malware due to issues mentioned in MS17-010.

      1 user thanked author for this post.
    • #108971 Reply

      walker
      AskWoody Lounger

      @woody:

      What are we going to do to try to stay safe? If someone could write some directions for those of us who are “computer illiterate” (just simple Win7 64 bit) to follow, I think we could manage to do it (???) We need HELP, and we need it fast. Any and all advice will be very much appreciated. It only gets worse and worse.

      1 user thanked author for this post.
      • #108986 Reply

        MrBrian
        AskWoody MVP

        If you’ve kept up to date on Windows updates (through March 2017), you should be protected against these Windows exploits. Disabling SMB1 isn’t necessary to protect against these particular Windows exploits.

        3 users thanked author for this post.
        • #108995 Reply

          walker
          AskWoody Lounger

          @Mr.Brian:

          Thank you so much for the supporting information about it not being necessary to disable SMB1.  I’m so thankful that I’m up-to-date with the March updates.  What a HUGE relief!  Your expertise and assistance is outstanding, and appreciated more than words can express.    Thank you once again for your invaluable assistance.    Truly wonderful!   🙂

    • #108987 Reply

      MrBrian
      AskWoody MVP

      https://twitter.com/etlow/status/853439288926777344

      “#ShadowBrokers Table with all the exploits leaked based on public info to help understand the impact for current and legacy unsupported OSs.”

      3 users thanked author for this post.
    • #109001 Reply

      anonymous

      Detecting SMB Covert Channel (“Double Pulsar”)
      Published: 2017-04-16
      Last Updated: 2017-04-16 18:58:10 UTC
      by Johannes Ullrich (Version: 1)


      With Friday’s release of additional Shadowbroker tools, a lot of attention was spent on exploits with names like “Eternalblue”, which exploited only recently patched vulnerabilities. Another item of interest however, is the command and control channel used to communicate with systems post exploitation…

      Read More:

      Simple example usage pre and post-exploit:

      root@kali:~# python detect_doublepulsar.py --ip 192.168.175[.]128
      [-] [192.168.175[.]128] No presence of DOUBLEPULSAR

      root@kali:~# python detect_doublepulsar.py --ip 192.168.175[.]128
      [+] [192.168.175[.]128] DOUBLEPULSAR DETECTED!!!


      • #109003 Reply

        anonymous

        Resource for installing Python on Windows.. perhaps not just for this use and definitely not a suggestion for a VPN.. I needed Python. You can skip steps 1, 2, 5. You just need ‘Python’ and “Install Microsoft Visual C++ Compiler for Python 2.7 VCForPython27”.

        The instructions are so very simple.

        Since I already had “python27” installed, it was only a matter of using Notepad++ 7.3.3 (Thanks Crysta!) to paste the raw script from Github and saving it to
        C:\python27\scripts
        Command prompt admin; navigate to the folder above and run

        C:\Python27\Scripts>detect_doublepulsar.py --ip 10.10.254.5
        [-] [10.10.254.5] No presence of DOUBLEPULSAR

    • #109031 Reply

      AlexEiffel
      AskWoody Lounger

      This is an example of why I don’t think W is a great path for people who care a lot about security if they don’t take other measures and have their computers among other less safe ones on the same network. If your teen’s gaming computer gets infected and you are a careful group W user, issues similar to this one could bite you, even if you are careful browsing the web, as the virus would spread automatically from the teen computer to yours with no intervention other than turning on your computer.

      I have been deactivating SMB 1 for many years. It will create issues if you do file sharing on the network with XP or some old Linux or NAS if you have one, but it is an old insecure protocol and is only there for legacy reasons. You might not be seen on the network by other XP computers if you disable it. But do you need that? Maybe try it while being aware of the potential issues and if it doesn’t work for you, you can simply turn it on again? I also always remove all network protocols except IPv4 and QoS and I don’t do file sharing on the local network in the house. I don’t do printer sharing either, I just install the printer on each computer. Yes ch100 said to leave IPv6 on, but I used the registry to disable it anyway so I don’t think it matters but you could leave it on. I don’t use homegroups or anything and I try to run lean in terms of network protocols exactly for the reason that when a vulnerability is discovered, it can spread very easily by just having your laptop plugged anywhere in a public place, although now if you select public, MS deactivates lots of them on the public network, which is good. Any laptop I configure only gets IPv4 and QoS and they work fine like that.

      Folks behind a router, don’t panic too much although it is true if a device on your local network is infected, it could easily spread to you because you likely didn’t disable the sharing protocols for private networks.


      3 users thanked author for this post.
      • #109045 Reply

        woody
        Da Boss

        Sadly, I think you’re right.

        We’re seeing “Group W” disappear, with these releases and the Word 0day.

        https://www.askwoody.com/2017/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/

        Unfortunately, these are widespread security holes, and folks will have to patch them sooner or later – or get bit.

        5 users thanked author for this post.
        • #109047 Reply

          Noel Carboni
          AskWoody MVP

          What’s dismaying is that these holes have been built into the software forever, yet once found and exploited the whole thing becomes an emergency.

          Would you think to lay off your professional testing staff in a world like that? Yet that’s precisely what Microsoft has done.

          I wonder how many vulnerabilities they’re building into their new code on purpose.

          -Noel

          3 users thanked author for this post.
          • #109205 Reply

            anonymous

            The only reason it becomes an “emergency” is to calm the ignorant masses of sheep, not only to prevent those same sheep from script-kiddies who’d love to get their hands on the technology and cause harm to others.

            In any case shadow brokers are a joke.

      • #109048 Reply

        MrBrian
        AskWoody MVP

        Great post :).

        I want to clarify a few things:

        1. If you’re a home Windows user, and you didn’t apply the March 2017 patches and perhaps some of the other patches listed at https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/ (or are using an affected but unsupported-by-Microsoft Windows version), AlexEiffel’s scenario in the first paragraph (“teen’s gaming computer gets infected”) is your reality now.

        2. AlexEiffel’s last paragraph is referring to the possibility that similar unpatched vulnerabilities (if they exist) can be exploited if mitigation steps are not taken. (Correct me if I am wrong.)

        • This reply was modified 6 months ago by  MrBrian.
        1 user thanked author for this post.
      • #109050 Reply

        anonymous

        @ AlexEiffel

        For Win 7/8.1 users,
        Group W or C = may get hit by the Word 0-day exploit.
        Group A or B = may get hit by Windows Update processor-block.

        Will there be a Group D for affected Win 7/8.1 users to escape from the clutches of both hackers and MS ?

        1 user thanked author for this post.
        • #109183 Reply

          AlexEiffel
          AskWoody Lounger

          Alas, that is why I don’t believe W is a good strategy in the long term. The risk might be worth taking for some, but nobody can say W is a safe strategy. Of course, nothing is safe, but I would just go to 10 then or complain louder. You can hope that companies will voice their discontent loud enough to make MS back off when they replace old computers that break but they are not ready for 10.

          Group D would be security only except processor-blocking security patches, so it would be less bad than W, but for that to work, the security patches would have to be non-cumulative.

        • #109184 Reply

          MrBrian
          AskWoody MVP
    • #109030 Reply

      anonymous

      Is this related to the CIA leak from a few weeks ago?

      • #109044 Reply

        woody
        Da Boss

        The Shadow Brokers leak appears to contain NSA-developed malware. The CIA isn’t a factor.

        1 user thanked author for this post.
    • #109149 Reply

      anonymous

      If this is the NSA, imagine what the NGA or the NRO are doing to us!

    • #109204 Reply

      anonymous

      Those wearing tinfoil hats care about the NSA exploits. If you’re just some joe-schmoe on the planet then keep {quiet}, no one cares about your information.

      This is a perfect example of NSA doing their job, since just about everyone from every country uses some type of OS. NSA needs tools to infiltrate and gather information on the watch list.

    • #110083 Reply

      MrBrian
      AskWoody MVP

      From >10,000 Windows computers may be infected by advanced NSA backdoor:

      “Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week’s leak by the mysterious group known as Shadow Brokers.”

      2 users thanked author for this post.
    • #110182 Reply

      JohnW
      AskWoody Lounger

      From >10,000 Windows computers may be infected by advanced NSA backdoor: “Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week’s leak by the mysterious group known as Shadow Brokers.”

      Check your port 445 here … http://ismyportopen.com/

      1 user thanked author for this post.
    • #116051 Reply

      MrBrian
      AskWoody MVP

      From Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft:

      “After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.”
