Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps 'em

Yep, vulns of WannaCry infamy. Why haven't you patched yet?

By John Leyden


Hackers* have improved the reliability and potency of Server Message Block (SMB) exploits used to carry out the hard-hitting NotPetya ransomware attack last year.

EternalBlue, EternalSynergy, EternalRomance and EternalChampion formed part of the arsenal of NSA-developed hacking tools that were leaked by the Shadow Brokers group before they were used (in part) to mount the devastating NotPetya cyber attack.

The exploits – linked to the CVE-2017-0143 and CVE-2017-0146 Microsoft vulnerabilities – have been "rewritten and stabilised" to affect operating systems from Windows 2000 up to and including Server 2016 edition, Heimdal Security warns. These beefed-up exploits can be used to push arbitrary code on vulnerable systems targeted with specially crafted messages to the Microsoft SMB servers.

"Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB connection session structures to gain admin rights over the system," Heimdal said.

"After that, the exploit module will drop to disk (or use a PowerShell command), explains zerosum0x0, and then copy directly to the hard drive."

Worse yet, the revamped exploits could have worm-like self-replicating abilities, meaning any infection could spread far more quickly.

The development makes the patching of older server-based systems an even higher priority. Those still relying on Windows 2000 Server need to either disable or firewall inbound SMB traffic since there's no patch.

Heimdal's call to patch is backed by an earlier warning by security researcher Kevin Beaumont, who warned that the revamped exploits can be used to push ransomware, trojans or other nasties onto vulnerable Windows systems instead of simply crashing them and causing the infamous Blue Screen of Death.

The crashing, rather than spreading, effect limited the impact of the WannaCry outbreak, which partly relied on the EternalBlue exploit.

Patches that address the vulnerabilities are already available in the shape of updates from MS17-010 onwards. ®

*Including those who are not named John, Johnnie, Janelle or Jonah

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Cisco can now sniff out malware inside encrypted traffic

This is Switchzilla’s kit-plus-cloud plan in action

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

Lab suspects Chinese spyware was on home computer

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data

Fancy Bear still Putin out new modules for VPNFilter malware

Talos turns up obfuscation, lateral attacks, and proxies

Cisco patches yet another Data Centre Network Manager vuln

Good news is that it was just a proof of concept... we hope

Cisco sneaks hardcoded secret root backdoor into vid surveillance kit

Who watches the watchers? Anybody who has the login

NSA's Cisco PIX exploit leaks

NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

Bloke sent down after spilling Uncle Sam's cyber-weapons