Hours after what was thought to be a damaging release of NSA hacking tools for Windows systems, Microsoft quelled some anxiety with a late-night statement on Friday that most of the vulnerabilities disclosed by the ShadowBrokers had already been patched.
The biggest surprise was that the most recent updates came in March in a bulletin, MS17-010, addressing six critical remote code execution vulnerabilities in Windows Server Message Block (SMB). Two of the six (CVE-2017-0146 and CVE-2017-0147) were in possession of the Equation Group and exploited in EternalBlue, EternalChampion, EternalSynergy and EternalRomance,
The March update was a highly anticipated set of patches since Microsoft’s February updates were a last-minute postponement with little explanation given at the time or since for the delay. Microsoft would not comment further after publishing a blog Friday reassuring users that the alleged zero-days in the ShadowBrokers’ dump had already been fixed.
“We’ve investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products,” Microsoft said in a statement. “Customers with up-to-date software are already protected.”
Microsoft did not, however, acknowledge who disclosed the respective vulnerabilities , which runs contrary to the majority of bugs patched on a monthly basis. This has given rise to a number of theories speculating that perhaps the government had privately disclosed the bugs to Microsoft through its Vulnerabilities Equities Process (VEP), that Microsoft may have paid for the bugs through a third party or directly to the ShadowBrokers, or that Microsoft followed breadcrumbs from a Jan. 8 dump that included the code names for some of the exploits leaked on Friday, including EternalRomance and EternalSynergy. Researcher Jacob Williams, aka MalwareJake, said there was evidence at the time indicating the existence of a SMB zero day. Williams also shared a price list from the January dump that he said could lend some credence to the possibility of a SMB 0day.
“Most interesting perhaps is the fact that the exploits contain a possible SMB zero day exploit,” Williams wrote. “For the price requested, one would hope it is a zero day. The price is far too high for an exploit for a known vulnerability.”
The SANS Institute, meanwhile, looked at a post-exploitation communications channel called Double Pulsar, used by the EternalBlue SMB zero day. SANS said the channel uses the Transaction 2 Subcommand Extension (Trans2) feature in SMB for packet capture. From the SANS report:
“In packet 13 of the pcap, the system running the exploit sends a “trans2 SESSION_SETUP” request to the victim. This happens before the actual exploit is sent. The intent of this request is to check if the system is already compromised. Infected or not, the system will respond with a “Not Implemented” message. But as part of the message, a “Multiplex ID” is returned that is 65 (0x41) for normal systems and 81 (0x51) for infected systems. If a system is infected, then SMB can be used as a covert channel to exfiltrate data or launch remote commands.
While the four SMB zero days are the attention-grabbers from Friday’s dump of Windows tools, the remaining vulnerabilities data back prior to the 2006 release of Windows Vista. Most of the patched vulnerabilities target flaws in SMB, while others are in Windows Server and Kerberos. Three will not be patched, Microsoft said.
“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,” Microsoft said. “Customers still running prior versions of these products are encouraged to upgrade to a supported offering.”
Friday’s dump also included exploits used by the NSA to target two SWIFT Service Bureaus, outsourcing services used by banks to manage access and transactions on the SWIFT network. The SWIFT-related archives is called JEEPFLEA and contains credentials and the architecture data on EastNets, the Middle East’s largest SWIFT Service Bureau, researcher Matt Suiche said.
Suiche explained these bank transactions are handled on an Oracle database running SWIFT software. The archive includes tools used by the NSA to take data from the Oracle installation, including a list of users and SWIFT message queries, Suiche said.
“In this case, if Shadow Brokers claims are indeed verified, it seems that the NSA sought to totally capture the backbone of international financial system to have a God’s eye into a SWIFT Service Bureau — and potentially the entire SWIFT network,” said researcher Matt Suiche in a blog posted today explaining his analysis of the data dump. “This would fit within standard procedure as a covert entity entrusted with covert actions that may or may not be legal in a technical sense.”