I’m a little late to the party on this one. As many/most/all of you know, on Friday a group called Shadow Brokers published an enormously damaging tro
[See the full post at: Shadow Brokers and what the leaks mean to Windows users]
Shadow Brokers and what the leaks mean to Windows users
- This topic has 54 replies, 16 voices, and was last updated 8 years ago.
Tags: EternalBlue Shadow Brokers
MrBrian, AskWoody_MVP, April 14, 2017 at 7:46 pm, #108655
From What Windows users need to know about the latest ‘ShadowBrokers’ exploits:
“We tested the leaked files on virtual machines running Windows XP, Windows 7, Windows Server 2012 R2 and Windows 8 Pro to see if they’re vulnerable. We also tested a local installation of Windows 10 Pro 64-bit. This is a quick list of what we found:
Windows 10 seems to be immune to the exploits leaked on April 14, 2017.
There are exploits that work 100 percent against Windows 7 with the April Service Pack.
There are exploits that work 100 percent against Windows Server 2012 R2 with the latest updates as of April 14, 2017.
There are exploits that work 100 percent against Windows XP with the latest updates.
Windows 8 Pro doesn’t grant full remote access when using these tools, but it isn’t immune and some slight variation of the code could make the OS vulnerable.”
anonymous, Guest, April 15, 2017 at 3:06 am, #108679
@ MrBrian
Today, it made a new post that contained a number of working exploits for Windows machines running everything from XP up to at least Windows 8. As far as Windows 10, it appears that the stolen data is from 2013 and predates the latest OS.
It’s self-explanatory.
The NSA have likely, since 29 July 2015, been using newer exploits for Win 10 which may have yet to be leaked publicly by Shadow Brokers or other hackers.
Some people are even saying that Win 10 has inbuilt NSA spyware based on MS’s past collaboration/cooperation with the NSA in the PRISM spying program.
woody, Manager, April 15, 2017 at 7:01 am, #108747
The quote’s from Richard Lawler’s piece in engadget. ‘Shadow Brokers’ dump of NSA tools includes new Windows exploits (updated)
Lawler just updated his piece to say:
Update (4/15): Microsoft responded early Saturday morning, saying that for the seven flaws leaked that affect supported systems — they’ve all already been patched. Of course, the story gets a bit more interesting from there, since it appears that four of them were only patched just last month, suggesting someone informed the company about the security issues before TSB could leak them.
There’s a whole lot of debate about what NSA knew, when they knew it, and whether/if/how they notified Microsoft that the apocalypse was coming.
anonymous, Guest, April 14, 2017 at 11:29 pm, #108662
From ‘Shadow Brokers’ dump of NSA tools includes new Windows exploits:
‘Contacted via email, Matthew Hickey expressed a similar outlook, saying that “most home users will not be directly impacted by these vulnerabilities as an attacker needs to connect to services on their computer. The risk is much bigger to enterprise and businesses who rely on these services to connect online.”‘
Kirsty, Manager, April 15, 2017 at 1:05 am, #108675
http://www.bbc.com/news/technology-39553241
BBC published about the ShadowBrokers NSA Malware release on April 10th, saying
“Some cyber-security experts have said some of the malware is real, but old.”
https://medium.com/@d0znpp/analysis-of-the-eqgrp-leakage-a14bc92040d2
Ivan Novikov analysed the #EQGRP NSA leakage data, which shows 910 servers hacked around the world between 2000 and 2010.
http://www.bbc.com/news/technology-39606575
BBC published about the ShadowBrokers NSA tools leak on April 15th, saying
“… accompanying documents appear to indicate a possible breach of the Swift global banking system.
Such a hack could have enabled the US to covertly monitor financial transactions, researchers said.
If genuine, it represents perhaps the most significant exposure of NSA files since the Edward Snowden leaks in 2013.
Multiple experts have said this latest “data dump” is credible…
The files contained several “zero day” exploits – vulnerabilities that were previously unknown to the companies that create the software, or the security community at large.
… multiple experts said the sheer number of zero days released at the same time was unprecedented.
Microsoft said in a statement to the BBC that it was “reviewing the report and will take the necessary actions to protect our customers”.”
1 user thanked author for this post.
MrBrian, AskWoody_MVP, April 15, 2017 at 6:19 am, #108716
Tweet from Microsoft employee:
“Removing/disabling SMB1 is encouraged. This is coming in the next OS release for many SKUs and editions http://aka.ms/stopusingsmb1 “
2 users thanked author for this post.
Noel Carboni, AskWoody_MVP, April 15, 2017 at 7:47 pm, #108894
Do you have any XP systems on your LAN? I understand those might need SMB1 to see files / printers on the newer systems and vice versa.
Try disabling it and ensure all your systems can still communicate in the ways that you need them to. It can always be re-enabled.
-Noel
1 user thanked author for this post.
woody, Manager, April 15, 2017 at 7:20 am, #108753
Here’s something interesting. Just a few hours ago, Tom Warren posted this on The Verge:
one security researcher, the grugq, claims that the NSA may have actually reported some of the bugs themselves. While Microsoft always acknowledges the source of security flaw reports, the grugq noticed there are no acknowledgements for patches (MS17-010) issued last month that fix some of the leaked NSA exploits. It’s possible that The Shadow Brokers or another group / individual tipped Microsoft to them in advance. Microsoft mysteriously delayed its Patch Tuesday release in February by a month in an unprecedented move, blaming a “last minute issue”. March’s Patch Tuesday included fixes for these leaked NSA exploits.
That qualifies as completely unsupported speculation… but it sure is worth chewing on. Fake news? Blazing insight? You choose.
MrBrian, AskWoody_MVP, April 15, 2017 at 7:31 am, #108754
Interesting in hindsight: Patch Tuesday put on hold, SMB zero-day exploit likely to blame (Feb. 15, 2017)
1 user thanked author for this post.
MrBrian, AskWoody_MVP, April 15, 2017 at 6:57 pm, #108884
From https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/:
“When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: …”
For Windows 7, that involves these commands: https://pastebin.com/wnKyRR3W (source: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012)
1 user thanked author for this post.
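As an added example (not MrBrian’s pastebin and not Microsoft’s own script), here is an audit-then-disable script for SMB1 that uses the LanmanServer registry value and the mrxsmb10 service change documented in the Microsoft support article linked above for Windows 7 / Server 2008 R2, and the Set-SmbServerConfiguration cmdlet the same article gives for Windows 8 / Server 2012 and later. The script structure, the -Disable switch and the state-reporting functions are assumptions of mine; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit, and optionally disable, SMB1 on Windows 7 / Server 2008 R2
# (registry value + service change) or Windows 8 / Server 2012 and later (cmdlet).
# Run from an elevated PowerShell prompt. A reboot is required for the change
# to take effect. Check file/printer sharing with any XP-era devices first
# (see Noel's note above): re-enabling is a matter of reversing these settings.

param([switch]$Disable)   # without -Disable the script only reports

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$osVer  = [Environment]::OSVersion.Version   # 6.1 = Win7/2008 R2, 6.2/6.3 = Win8/8.1

function Get-Smb1ServerState {
    # SMB1 value absent or 1 => SMB1 server enabled; 0 => disabled
    $v = (Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v -or $v -ne 0) { 'enabled' } else { 'disabled' }
}

function Get-Smb1ClientState {
    # mrxsmb10 is the SMB1 client driver; a 'Disabled' start mode means the client is off
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='mrxsmb10'"
    if ($null -eq $drv) { 'not present' }
    elseif ($drv.StartMode -eq 'Disabled') { 'disabled' }
    else { 'enabled' }
}

Write-Host "OS version        : $osVer"
Write-Host "SMB1 server       : $(Get-Smb1ServerState)"
Write-Host "SMB1 client driver: $(Get-Smb1ClientState)"

if (-not $Disable) {
    Write-Host 'Audit only. Re-run with -Disable to turn SMB1 off.'
    return
}

if ($osVer.Major -eq 6 -and $osVer.Minor -ge 2) {
    # Windows 8 / 8.1 / Server 2012 / 2012 R2: the SMB cmdlet exists here
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2: no cmdlet, so set the registry value instead
    Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWORD -Value 0 -Force
}

# SMB1 client side: make the workstation service depend only on the SMB2 driver,
# then disable the SMB1 driver itself.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

Write-Host "SMB1 server       : $(Get-Smb1ServerState) (reboot required)"
Write-Host "SMB1 client driver: $(Get-Smb1ClientState) (reboot required)"
```

Run it once without -Disable to see the current state, and again with -Disable after confirming that nothing on the LAN still depends on SMB1.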
Ed, AskWoody Lounger, April 16, 2017 at 3:37 am, #108933
Win 7 x64 Ultimate & Professional here with a Homegroup set up that we both can use each other’s printers from. SMB1 doesn’t appear in the list on either one of them here either. I’ve never even heard of SMB1 before so obviously I didn’t disable it.
FWIW… Both of these systems are in Group B and I haven’t even installed the MARCH updates yet, so I can state for a fact that the MARCH Security Only Update didn’t remove it.
1 user thanked author for this post.
walker, AskWoody Lounger, April 16, 2017 at 12:42 pm, #108972
@Mr. Brian: I only have a very simple Win7 64 bit OS, which does not allow me to follow the instructions. I’m searching for a “super simple” instruction that I can understand and be able to follow. Thank you for what you posted, and hope that those who can understand everything will be “saved”. Thank you for posting….
1 user thanked author for this post.
BrianL, AskWoody Lounger, April 15, 2017 at 9:04 am, #108760
The NSA Spyware situation with MS has not changed. The only thing that changes is programs that NSA uses. Although I don’t know the particulars: the NSA and Microsoft have an iron clad agreement that NSA has access to all MS servers. You can draw your own conclusions!
1 user thanked author for this post.
MrJimPhelps, AskWoody MVP, April 17, 2017 at 9:38 am, #109069
“the NSA and Microsoft have an iron clad agreement that NSA has access to all MS servers.”
How do you know this?
If this is true, then imagine the implications of all of the telemetry data-collection by Microsoft. This could explain why they are collecting all of the data, from Windows 7 forward.
Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server
Microfix, AskWoody MVP, April 15, 2017 at 2:40 pm, #108822
Quite a worrying list here
I’m not convinced that Windows 10 is in the clear either since these exploits were stolen in 2013, before Windows 10 came out, so obviously it wouldn’t have been listed as a potential target.
Windows 10, it’s not like you have any privacy left to violate anyway!
Windows - commercial by definition and now function...
1 user thanked author for this post.
BrianL, AskWoody Lounger, April 15, 2017 at 3:16 pm, #108837
NSA, in our present state of the world, can do what they want to, to protect us. Their intent is not to be disruptive to our computer uses. In fact I think that they have been doing this without causing any problems to us. We had no idea that this was going on for years, because it didn’t show up on our computers at all. I do think that with the boondoggle of the OS Windows 10, that NSA will have their work cut out for them. JUST MY THOUGHTS ONLY. Thanks for listening.
MrJimPhelps, AskWoody MVP, April 17, 2017 at 9:44 am, #109070
“NSA, in our present state of the world, can do what they want to, to protect us. Their intent is not to be disruptive to our computer uses. In fact I think that they have been doing this without causing any problems to us”
I know I’m edging dangerously close to a rant when I ask this, but are you sure you want Big Brother’s protection? Anytime the government can gather all of my personal information at will “for my protection”, I think we have a major problem on our hands.
If you consider the total loss of our privacy not to be a problem, then I suppose you could say that they haven’t been causing any problems to us.
Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server
Anonymous, Inactive, April 15, 2017 at 9:04 pm, #108896
Windows 7 fights against Windows 10. This picture says more about what is going on in the digital world than I can say with words. Most people know the story about David’s fight against Goliath. (If not, you should read it.) … The deal in this fight was this: if David (W7) loses the fight, then all the people have to surrender and be slaves to Goliath (W10).
To me Woody is a fighter like David… Thank you Woody !
1 user thanked author for this post.
_Reassigned Account, AskWoody Lounger, April 16, 2017 at 7:23 am, #108951
The really big deal is that these tools leaked into the wild to begin with. Because it looks as though at least with Windows 10 users have been patched, if indeed users actually installed the updates. Of course it always gets murkier as you go back in time with Windows versions. Windows has always suffered from being a target just because of the vast numbers of PCs running Windows. But even with Windows 10 being more secure than any previous version, I am skeptical: how much improvement is really there? Especially now that we have Windows 10 sending telemetry and other data back and forth to servers. Even if you trust Microsoft, the questions remain on how well this telemetry is protected, where it is stored and what kind of potential it holds for hackers.
1 user thanked author for this post.
MrBrian, AskWoody_MVP, April 16, 2017 at 7:26 am, #108952
For people who normally never update Windows, you may wish to consider making an exception and install the March 2017 security-only update. If you don’t do so, malware on other devices in your local network could cause your computer to get malware due to issues mentioned in MS17-010.
1 user thanked author for this post.
walker, AskWoody Lounger, April 16, 2017 at 12:38 pm, #108971
What are we going to do to try to stay safe? If someone could write some directions for those of us who are “computer illiterate” (just simple Win7 64 bit) to follow I think we could manage to do it (???) We need HELP, and we need it fast. Any and all advice will be very much appreciated. It only gets worse and worse.
1 user thanked author for this post.
walker, AskWoody Lounger, April 16, 2017 at 3:30 pm, #108995
@Mr.Brian:
Thank you so much for the supporting information about it not being necessary to disable SMB1. I’m so thankful that I’m up-to-date with the March updates. What a HUGE relief! Your expertise and assistance is outstanding, and appreciated more than words can express. Thank you once again for your invaluable assistance. Truly wonderful!
anonymous, Guest, April 16, 2017 at 4:59 pm, #109001
Detecting SMB Covert Channel (“Double Pulsar”)
Published: 2017-04-16
Last Updated: 2017-04-16 18:58:10 UTC
by Johannes Ullrich (Version: 1)…
With Friday’s release of additional Shadowbroker tools, a lot of attention was spent on exploits with names like “Eternalblue”, which exploited only recently patched vulnerabilities. Another item of interest however, is the command and control channel used to communicate with systems post exploitation…Simple example usage pre and post-exploit:
root@kali:~# python detect_doublepulsar.py --ip 192.168.175[.]128
[-] [192.168.175[.]128] No presence of DOUBLEPULSAR
root@kali:~# python detect_doublepulsar.py --ip 192.168.175[.]128
[+] [192.168.175[.]128] DOUBLEPULSAR DETECTED!!!
anonymous, Guest, April 16, 2017 at 5:27 pm, #109003
Resource for installing python on Windows.. perhaps not just for this use and definitely not a suggestion for a VPN.. I needed python. You can skip steps 1,2,5. You just need ‘Python’ and “Install Microsoft Visual C++ Compiler for Python 2.7 VCForPython27”.
The instructions are so very simple.
Since I already had “python27” installed, it was only a matter of using Notepad++ 7.3.3 (Thanks Crysta!) to paste the raw script from Github and saving it to
C:\python27\scripts
Command prompt admin; navigate to the folder above and run:
C:\Python27\Scripts>detect_doublepulsar.py --ip 10.10.254.5
[-] [10.10.254.5] No presence of DOUBLEPULSAR
AlexEiffel, AskWoody_MVP, April 17, 2017 at 12:07 am, #109031
This is an example of why I don’t think W is a great path for people who care a lot about security if they don’t take other measures and have their computers among other less safe ones on the same network. If your teen’s gaming computer gets infected and you are a careful group W user, issues similar to this one could bite you, even if you are careful browsing the web, as the virus would spread automatically from the teen computer to yours with no intervention other than turning on your computer.
I have been deactivating SMB 1 for many years. It will create issues if you do file sharing on the network with XP or some old Linux or NAS if you have one, but it is an old insecure protocol and is only there for legacy reasons. You might not be seen on the network by other XP computers if you disable it. But do you need that? Maybe try it while being aware of the potential issues and if it doesn’t work for you, you can simply turn it on again? I also always remove all network protocols except IPv4 and QoS and I don’t do file sharing on the local network in the house. I don’t do printer sharing either, I just install the printer on each computer. Yes ch100 said to leave IPv6 on, but I used the registry to disable it anyway so I don’t think it matters but you could leave it on. I don’t use homegroups or anything and I try to run lean in terms of network protocols exactly for the reason that when a vulnerability is discovered, it can spread very easily by just having your laptop plugged anywhere in a public place, although now if you select public, MS deactivates lots of them on the public network, which is good. Any laptop I configure only gets IPv4 and QoS and they work fine like that.
Folks behind a router, don’t panic too much although it is true if a device on your local network is infected, it could easily spread to you because you likely didn’t disable the sharing protocols for private networks.
3 users thanked author for this post.
woody, Manager, April 17, 2017 at 6:34 am, #109045
Sadly, I think you’re right.
We’re seeing “Group W” disappear, with these releases and the Word 0day.
Unfortunately, these are widespread security holes, and folks will have to patch them sooner or later – or get bit.
5 users thanked author for this post.
Noel Carboni, AskWoody_MVP, April 17, 2017 at 6:39 am, #109047
What’s dismaying is that these holes have been built into the software forever, yet once found and exploited the whole thing becomes an emergency.
Would you think to lay off your professional testing staff in a world like that? Yet that’s precisely what Microsoft has done.
I wonder how many vulnerabilities they’re building into their new code on purpose.
-Noel
3 users thanked author for this post.
MrBrian, AskWoody_MVP, April 17, 2017 at 7:10 am, #109048
Great post :).
I want to clarify a few things:
1. If you’re a home Windows user, and you didn’t apply the March 2017 patches and perhaps some of the other patches listed at https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/ (or are using an affected but unsupported-by-Microsoft Windows version), AlexEiffel’s scenario in the first paragraph (“teen’s gaming computer gets infected”) is your reality now.
2. AlexEiffel’s last paragraph is referring to the possibility that similar unpatched vulnerabilities (if they exist) can be exploited if mitigation steps are not taken. (Correct me if I am wrong.)
1 user thanked author for this post.
anonymous, Guest, April 17, 2017 at 7:28 am, #109050
@ AlexEiffel
For Win 7/8.1 users,
Group W or C = may get hit by the Word 0-day exploit.
Group A or B = may get hit by Windows Update processor-block.
Will there be a Group D for affected Win 7/8.1 users to escape from the clutches of both hackers and MS?
1 user thanked author for this post.
AlexEiffel, AskWoody_MVP, April 17, 2017 at 11:00 pm, #109183
Alas, that is why I don’t believe W is a good strategy in the long term. The risk might be worth taking for some, but nobody can say W is a safe strategy. Of course, nothing is safe, but I would just go to 10 then or complain louder. You can hope that companies will voice their discontent loud enough to make MS back off when they replace old computers that break but they are not ready for 10.
Group D would be security only except processor-blocking security patches, so it would be less bad than W, but for that to work, the security patches would have to be non-cumulative.
anonymous, Guest, April 18, 2017 at 2:13 am, #109204
Those wearing tinfoil hats care about the NSA exploits. If you’re just some joe-schmoe on the planet then keep {quiet}, no one cares about your information.
This is a perfect example of NSA doing their job, since just about everyone from every country uses some type of OS. NSA needs tools to infiltrate and gather information on the watch list.
MrBrian, AskWoody_MVP, April 21, 2017 at 7:02 pm, #110083
From >10,000 Windows computers may be infected by advanced NSA backdoor:
“Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week’s leak by the mysterious group known as Shadow Brokers.”
JohnW, AskWoody Lounger, April 22, 2017 at 11:11 am, #110182
From >10,000 Windows computers may be infected by advanced NSA backdoor: “Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week’s leak by the mysterious group known as Shadow Brokers.”
Check your port 445 here … http://ismyportopen.com/
Windows 10 Pro 22H2
1 user thanked author for this post.
MrBrian, AskWoody_MVP, May 18, 2017 at 12:26 am, #116051
From Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft:
“After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.”