Microsoft has patched most of the new Windows exploits from the Shadow Brokers that were thought to be zero-days, but experts said there are still risks in the wild.
The Shadow Brokers gave the infosec world the gift of more National Security Agency (NSA) hacking tools and techniques for Easter weekend. And although experts tend to see the SWIFT banking attack information as more dangerous, there were also several Windows exploits released in the data dump.
The Microsoft Security Response Center said in a blog post that Microsoft "engineers have investigated the disclosed exploits, and most of the exploits are already patched." Microsoft listed 12 Windows exploits found in the latest Shadow Brokers release and said nine of them were patched between 2008 and the March 2017 Patch Tuesday release.
"Of the three remaining exploits, 'EnglishmanDentist', 'EsteemAudit', and 'ExplodingCan', none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft wrote in the blog post. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering."
Kevin Beaumont, a security architect based in Liverpool, U.K., detailed 13 Windows exploits; the additional exploit not listed by Microsoft, called Zippybeer, was an authenticated Microsoft Domain Controller exploit, which Beaumont said may have been patched in 2014.
Of the 12 Windows exploits listed by both Microsoft and Beaumont, nine of the NSA cyberweapons released targeted the Server Message Block (SMB) v1 protocol, and the other exploits targeted Microsoft Internet Information Services 6, Windows Remote Desktop Protocol and Outlook Web Access. Beaumont's analysis also diverged from Microsoft in that he tested some of the tools and found they worked on Windows 8 and Windows Server 2008 -- two versions of Windows that are still eligible for extended support from Microsoft.
Experts said the risk of these Windows exploits to enterprises should not be underestimated because the use of legacy, unsupported systems is still common.
"Organizations frequently have end-of-life or unsupported systems with older protocol versions, and that is the concern here," Amol Sarwate, director of engineering at Qualys Inc., based in Redwood City, Calif., told SearchSecurity. "As there are no security patches released for unsupported systems, organizations are greatly exposed if they have unsupported software with a public exploit like this."
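The concern above is that nine of the released tools target SMBv1 and that unsupported hosts will never receive a patch. The following PowerShell script is an added example, not code from the article or from Microsoft, that a defender can run on a Windows host to report whether the server-side SMBv1 protocol is enabled and, only when asked, turn it off. It uses the built-in Get-SmbServerConfiguration / Set-SmbServerConfiguration cmdlets where they exist (Windows 8 / Server 2012 and later) and falls back to the LanmanServer "SMB1" registry value that Microsoft documents for Windows 7 / Server 2008 R2; the function names Get-Smb1Status and Disable-Smb1 are this example's own.

```powershell
# Added example (not from the article). Reports SMBv1 server status on the
# local host; disables it only when -Disable is passed. Run elevated.
# Assumption: hosts newer than Windows 8 / Server 2012 expose the SmbShare
# cmdlets; older hosts are handled through the documented registry value.

$Smb1RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Returns an object describing how SMBv1 is configured on this host.
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Method       = $null
        Smb1Enabled  = $null
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Modern path: the SMB server configuration cmdlet reports SMB1 directly.
        $cfg = Get-SmbServerConfiguration
        $result.Method      = 'Get-SmbServerConfiguration'
        $result.Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
    }
    else {
        # Legacy path (Windows 7 / Server 2008 R2): the SMB1 DWORD under
        # LanmanServer\Parameters. Absent value means SMB1 is enabled by default.
        $value = (Get-ItemProperty -Path $Smb1RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.Method      = 'LanmanServer registry'
        $result.Smb1Enabled = ($null -eq $value) -or ($value -ne 0)
    }

    [pscustomobject]$result
}

function Disable-Smb1 {
    # Turns SMBv1 off on the server side using whichever mechanism the host supports.
    # The registry path requires a reboot (or restarting the Server service) to take effect.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    else {
        Set-ItemProperty -Path $Smb1RegPath -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'Registry value set; restart the Server service or reboot for it to apply.'
    }
}

# Usage: report by default, remediate only when explicitly requested.
param([switch]$Disable)

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1Enabled) {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName) (detected via $($status.Method))."
    if ($Disable) {
        Disable-Smb1
        Write-Output 'SMBv1 disabled. Re-run the script to confirm.'
    }
}
else {
    Write-Output 'SMBv1 is already disabled.'
}
```

Disabling SMBv1 removes the attack surface those nine tools rely on, but it does not make an out-of-support host safe: the other released exploits target IIS 6, RDP and Outlook Web Access, so the inventory step matters more than the toggle. Before disabling SMBv1 fleet-wide, confirm that no remaining clients (old NAS appliances, printers, Windows XP / Server 2003 hosts) still depend on it, since they will lose access to the share.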
Tom Kellermann, CEO of Strategic Cyber Ventures, based in Washington, D.C., said these vulnerabilities can be especially dangerous for systems that maintain critical infrastructure, because they often use legacy versions of Windows.
"Transportation, energy and some financial-sector wire-transfer systems are exploitable as a result," Kellermann told SearchSecurity. "The real issue here is that Shadow Brokers released these cyber guns to the streets of American cyberspace to create a free-fire zone. Shadow Brokers basically gave bullets to the masses of cybercriminals -- it's almost like someone handing out guns in an armory where there are not enough bulletproof vests to go around."
Shadow Brokers release timing
Chris Wysopal, CTO and co-founder of Veracode, based in Burlington, Mass., said the timing of the release "was well-designed."
"Some of the exploits are for Windows Vista, which was just end-of-lifed on Tuesday [last] week. This means they may never get patches for the vulnerabilities," Wysopal told SearchSecurity. "Also, the release is on Good Friday and Easter weekend, so many people are already travelling to visit family and not at their computers. This will increase lag time on getting any patches out."
However, some questioned the timing of the release of these Windows exploits, because Microsoft had released three patches related to these tools in March. Some saw this timing as pure coincidence, while others speculated about the aims of the Shadow Brokers, when Microsoft found out about these vulnerabilities, and who disclosed them.
A Microsoft spokesperson said in a statement that the company does not acknowledge the source of a disclosure "for reasons including reports from employees, requests for non-attribution, or if the finder doesn't follow coordinated vulnerability disclosure." Microsoft also added that in this case, "other than reporters, no individual or organization has contacted us in relation to the materials released by the Shadow Brokers."