Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps 'em

Yep, vulns of WannaCry infamy. Why haven't you patched yet?

By John Leyden

Posted in Security, 31st January 2018 16:32 GMT

Hackers* have improved the reliability and potency of Server Message Block (SMB) exploits used to carry out the hard-hitting NotPetya ransomware attack last year.

EternalBlue, EternalSynergy, EternalRomance and EternalChampion formed part of the arsenal of NSA-developed hacking tools that were leaked by the Shadow Brokers group before they were used (in part) to mount the devastating NotPetya cyber attack.

The exploits – linked to the CVE-2017-0143 and CVE-2017-0146 Microsoft vulnerabilities – have been "rewritten and stabilised" to affect operating systems from Windows 2000 up to and including Server 2016 edition, Heimdal Security warns. These beefed-up exploits can be used to push arbitrary code on vulnerable systems targeted with specially crafted messages to the Microsoft SMB servers.

"Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB connection session structures to gain admin rights over the system," Heimdal said.

"After that, the exploit module will drop to disk (or use a PowerShell command), explains zerosum0x0, and then copy directly to the hard drive."

Worse yet, the revamped exploits could have worm-like self-replicating abilities, meaning any infection could spread far more quickly.

The development makes the patching of older server-based systems an even higher priority. Those still relying on Windows 2000 Server need to either disable or firewall inbound SMB traffic since there's no patch.

Heimdal's call to patch is backed by an earlier warning from security researcher Kevin Beaumont, who said that the revamped exploits can be used to push ransomware, trojans or other nasties onto vulnerable Windows systems instead of simply crashing them and causing the infamous Blue Screen of Death.

The crashing, rather than spreading, effect limited the impact of the WannaCry outbreak, which partly relied on the EternalBlue exploit.

Patches that address the vulnerabilities are already available in the shape of updates from MS17-010 onwards. ®

*Including those who are not named John, Johnnie, Janelle or Jonah
