Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps 'em

Yep, vulns of WannaCry infamy. Why haven't you patched yet?

By John Leyden


Hackers* have improved the reliability and potency of Server Message Block (SMB) exploits used to carry out the hard-hitting NotPetya ransomware attack last year.

EternalBlue, EternalSynergy, EternalRomance and EternalChampion formed part of the arsenal of NSA-developed hacking tools that were leaked by the Shadow Brokers group before they were used (in part) to mount the devastating NotPetya cyber attack.

The exploits – linked to the CVE-2017-0143 and CVE-2017-0146 Microsoft vulnerabilities – have been "rewritten and stabilised" to affect operating systems from Windows 2000 up to and including Server 2016 edition, Heimdal Security warns. These beefed-up exploits can be used to push arbitrary code on vulnerable systems targeted with specially crafted messages to the Microsoft SMB servers.

"Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB connection session structures to gain admin rights over the system," Heimdal said.

"After that, the exploit module will drop to disk (or use a PowerShell command), explains zerosum0x0, and then copy directly to the hard drive."

Worse yet, the revamped exploits could have worm-like self-replicating abilities, meaning any infection could spread far more quickly.

The development makes the patching of older server-based systems an even higher priority. Those still relying on Windows 2000 Server need to either disable or firewall inbound SMB traffic since there's no patch.

Heimdal's call to patch is backed by an earlier warning by security researcher Kevin Beaumont, who warned that the revamped exploits can be used to push ransomware, trojans or other nasties onto vulnerable Windows systems instead of simply crashing them and causing the infamous Blue Screen of Death.

The crashing, rather than spreading, effect limited the impact of the WannaCry outbreak, which partly relied on the EternalBlue exploit.

Patches that address the vulnerabilities are already available in the shape of updates from MS17-010 onwards. ®

*Including those who are not named John, Johnnie, Janelle or Jonah

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Windows 10 or Cisco Advanced Malware Protection: Pick one

Redmond warns that the malware tool doesn't play nice with the latest upgrade

Cisco can now sniff out malware inside encrypted traffic

This is Switchzilla’s kit-plus-cloud plan in action

UK white hats blacklisted by Cisco Talos after smart security code stumbles

Cisco gracefully says it won't charge for the privilege

Spotted: Miscreants use pilfered NSA hacking tools to pwn boxes in nuke, aerospace worlds

High-value servers targeted by cyber-weapons dumped online by Shadow Brokers

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Q. What connects the global financial crisis, Ursnif malware, and Coldplay's Viva la Vida?

A. Bad things from 2008 we can't seem to shake

Cisco and Pure shove mini AI in FlashStack converged systems

Entry-level AIRI equivalent

Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

Lab suspects Chinese spyware was on home computer

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

Google Play Store spews malware onto 9 million 'Droids

How did these get through the net?