Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps 'em

Yep, vulns of WannaCry infamy. Why haven't you patched yet?

By John Leyden


Hackers* have improved the reliability and potency of Server Message Block (SMB) exploits used to carry out the hard-hitting NotPetya ransomware attack last year.

EternalBlue, EternalSynergy, EternalRomance and EternalChampion formed part of the arsenal of NSA-developed hacking tools that were leaked by the Shadow Brokers group before they were used (in part) to mount the devastating NotPetya cyber attack.

The exploits – linked to the CVE-2017-0143 and CVE-2017-0146 Microsoft vulnerabilities – have been "rewritten and stabilised" to affect operating systems from Windows 2000 up to and including Server 2016 edition, Heimdal Security warns. These beefed-up exploits can be used to push arbitrary code on vulnerable systems targeted with specially crafted messages to the Microsoft SMB servers.

"Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB connection session structures to gain admin rights over the system," Heimdal said.

"After that, the exploit module will drop to disk (or use a PowerShell command), explains zerosum0x0, and then copy directly to the hard drive."

Worse yet, the revamped exploits could have worm-like self-replicating abilities, meaning any infection could spread far more quickly.

The development makes the patching of older server-based systems an even higher priority. Those still relying on Windows 2000 Server need to either disable or firewall inbound SMB traffic since there's no patch.

Heimdal's call to patch is backed by an earlier warning by security researcher Kevin Beaumont, who warned that the revamped exploits can be used to push ransomware, trojans or other nasties onto vulnerable Windows systems instead of simply crashing them and causing the infamous Blue Screen of Death.

The crashing, rather than spreading, effect limited the impact of the WannaCry outbreak, which partly relied on the EternalBlue exploit.

Patches that address the vulnerabilities are already available in the shape of updates from MS17-010 onwards. ®

*Including those who are not named John, Johnnie, Janelle or Jonah

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Cisco can now sniff out malware inside encrypted traffic

This is Switchzilla’s kit-plus-cloud plan in action

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

Lab suspects Chinese spyware was on home computer

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data

NSA's Cisco PIX exploit leaks

Mini-Heartbleed info leak bug strikes Apache, airborne malware, NSA algo U-turn, and more

Roundup The security week in review

Microsoft patched more Malware Protection Engine bugs last week

Redmond's out-of-band advisory landed after the bugs were fixed

Reality Winner, liberty loser: NSA leaker faces 63 months in the cooler

Renegade pantyhose smuggler admits slipping Russian election hacking dossier to hacks

Fella faked Cisco, Microsoft gear death – then sold replacement kit for millions, say Feds

'Phony photos', legit serial numbers land chap in court