Slashdot Mirror


NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The Shadow Brokers -- the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits -- just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world. Friday's release -- which came as much of the computing world was planning a long weekend to observe the Easter holiday -- contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and "slick" code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday's release contains several tools with the word "eternal" in their name that exploit previously unknown flaws in Windows desktops and servers.
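The report above says the "eternal" tools reach Windows over TCP ports 445 and 139, so the first defensive question for any network is whether those ports are reachable from outside. The script below is an added example, not code from the Slashdot story or the Ars Technica report it quotes: it scans a connection log for allowed TCP 445/139 connections whose source lies outside the organisation's own address ranges and reports which internal hosts were reached. The log line format, the list of internal ranges, and the sample lines are all constructed assumptions for the example.

```python
"""Detect SMB/NetBIOS session traffic (TCP 445 and 139) that reaches internal
hosts from outside the organisation's own address ranges.

Added example, not code from the Slashdot story or the Ars Technica report.
The log format, the internal ranges and the sample lines are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Ports named in the story: 139 (NetBT session service) and 445 (direct SMB).
SMB_PORTS = {139, 445}

# Assumed definition of "internal": RFC 1918 ranges plus loopback. The
# ipaddress module's is_private also treats the documentation ranges used in
# the sample below as private, so an explicit list is used instead.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int


# Constructed sample log. Assumed format, one connection per line:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>
# 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are RFC 5737 documentation
# ranges standing in for arbitrary external addresses.
SAMPLE_LOG = """\
2017-04-14T09:00:01Z 10.0.0.5 10.0.0.20 445 tcp allow
2017-04-14T09:00:02Z 198.51.100.7 10.0.0.20 445 tcp allow
2017-04-14T09:00:03Z 203.0.113.9 10.0.0.21 139 tcp allow
2017-04-14T09:00:04Z 203.0.113.9 10.0.0.21 139 tcp deny
2017-04-14T09:00:05Z 192.0.2.4 10.0.0.22 443 tcp allow
2017-04-14T09:00:06Z 192.168.1.9 10.0.0.20 445 udp allow
this line is malformed and is skipped
"""


def is_internal(addr):
    """True if addr (string or ip_address object) is in an internal range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into typed fields; raises ValueError on bad input."""
    ts, src, dst, port, proto, action = line.split()
    return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(port), proto.lower(), action.lower())


def exposed_smb(log_text):
    """Return allowed TCP 445/139 connections whose source is not internal."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            ts, src, dst, port, proto, action = parse_line(raw)
        except ValueError:
            continue  # malformed line: skip it rather than abort the scan
        if proto != "tcp" or port not in SMB_PORTS or action != "allow":
            continue
        if is_internal(src):
            continue  # internal-to-internal SMB is a separate question
        findings.append(Finding(ts, str(src), str(dst), port))
    return findings


def exposed_hosts(findings):
    """Map each internal host to the set of SMB ports reached from outside."""
    hosts = {}
    for f in findings:
        hosts.setdefault(f.dst, set()).add(f.port)
    return hosts


if __name__ == "__main__":
    found = exposed_smb(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port} SMB reachable from outside")
    for host, ports in sorted(exposed_hosts(found).items()):
        print(f"{host}: ports {sorted(ports)} exposed")
```

Denied connections are ignored on purpose: the point is to find hosts where the perimeter actually let SMB through, which is the list to hand to whoever owns the firewall and patch schedule. Adapting the parser to a real firewall or NetFlow export is the only change needed.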

47 of 111 comments

  1. Need to order a drone strike against these traitors by Anonymous Coward · · Score: 1, Insightful

    The NSA has done nothing wrong. It's their duty to protect the United States by spying on threats to national security. Whoever is leaking this information needs to be on the receiving end of a drone strike.

  2. Doesn't affect me by 110010001000 · · Score: 5, Funny

    I use Windows 10. The safest OS ever made. Unbreakable.

  3. Thanks, NSA by Anonymous Coward · · Score: 2, Informative

    The Shadow Brokers advertised the names of these exploits in January. The NSA had 3 months to warn Microsoft. But nope. Enjoy the 0day shitstorm that's about to drop.

    1. Re: Thanks, NSA by Anonymous Coward · · Score: 1

      Because these are the sort of people that shoot you if you don't pay them to screw around doing whatever they want.
      They should have been incarcerated instead of employed.

  4. Re:Need to order a drone strike against these trai by Anonymous Coward · · Score: 1

    And all the other nations are using the same exploits to spy on Americans. Deal with that, dumbass.

  5. Re:Need to order a drone strike against these trai by drsmack1 · · Score: 1

    Preventing companies from repairing exploitable flaws in major software products is NOT something they should be doing.

  6. Re: Why are these fucking Americans hacking banks? by pchasco · · Score: 2

    My uneducated guess would be that they would use it to follow the money.

  7. Really old by 110010001000 · · Score: 1

    Wow, this code is really old. Almost 10 years old. You can tell by the excessive use of XML.

    1. Re:Really old by SuricouRaven · · Score: 1

      In ten more years people will be saying the same about JSON.

    2. Re:Really old by Mr0bvious · · Score: 1

      {
          "question": "What?"
      }

      --
      Never happened. True story.
  8. Re:Need to order a drone strike against these trai by CaptainDork · · Score: 3, Insightful

    It's their duty to protect their own goddam security and all Americans.

    Given that they know millions of Americans are at risk from exploits they have not reported to the vendors, by your logic, the NSA is a traitor organization and qualifies for a drone strike.

    --
    It little behooves the best of us to comment on the rest of us.
  9. Why not read the article before ranting about it? by Anonymous Coward · · Score: 1

    "This would make a lot of sense that the NSA compromise this specific SWIFT Service Bureau for Anti-money laundering (AML) reasons in order to retrieve ties with terrorists groups," Suiche wrote.

  10. Re:Need to order a drone strike against these trai by HeckRuler · · Score: 1

    Sitting on a zero-day vulnerability without telling the maintainers certainly makes the USA less secure and runs afoul of their duty to protect the USA...
     
    ...But have they actually prevented a company from fixing exploits? Like a court order telling Microsoft to leave a vulnerability in place?

  11. Advance notice? by jodido · · Score: 5, Insightful

    Anybody else wonder if Microsoft is cooperating with the NSA? Seems like there are a lot of security issues and I wonder why MS hasn't seemed to be able to find them and why the NSA has.

    1. Re:Advance notice? by rtb61 · · Score: 1

      Why has the NSA found them and M$ hasn't? Dude, seriously, now tell me where the profit is for M$ in finding and fixing bugs in their software. Does it help them sell the next version? Hmm, NO. Does it make them a profit to do so, paying coders to review code that just barely works? Hmm, NO. Does it prevent M$ from being prosecuted for failing to secure systems (when the users of M$ do get prosecuted for failing to secure systems, which, once Windows has been installed, apparently cannot be secured)? Hmm, NO. Why can't M$ find them? Because there is no profit in doing so, but there is a whole bunch of profit in not doing so. Any other questions?

      Yes, the NSA is exploiting M$'s greed-driven stupidity, just as the FSB does and just as the MSS does (those guys and gals need to advertise more; no one knows what those letters stand for https://en.wikipedia.org/wiki/... , catch up with that pompous dude from the CIA, c'mon China). When M$ and all the other software companies start getting fined for security bugs, just like the sucker companies that use that insecure software and get blamed for it, then M$ will fix their software; until then, well, that's what advertising is for: spread a layer of sweet-smelling fertiliser across the foetid cesspool rotting below.

      So why is it that when companies use M$ software and get hacked they get fined, but the suppliers of the software point to their non-warranty and say, see, we acknowledge our software is shite and only warrant losses to the value of the software, i.e. M$ software should only be used to secure stuff to the value of the M$ software licence, and that it is categorically, across the board, unfit for any purpose (actually right in the warranty: "Microsoft excludes all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement."). So is a company liable for using M$ software, just by using it, based upon the M$ warranty and the written declaration by M$ that it is unfit for use for any particular purpose?

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Advance notice? by Atryn · · Score: 1

      I don't think all the negative press is good for M$ or their Windows brand. People do have alternatives and this does make those alternatives look a bit better than before.

      BTW, where is the NSA's trove of Linux and MacOS exploits? How about an NSA trove of Android and iOS exploits? They must have them.

      --
      Come play Moral Decay!
    3. Re:Advance notice? by jodido · · Score: 1

      I think you're half right. Security is just an added expense. OTOH as someone else pointed out it's also good PR to say you've found x bug and have fixed it. And bad PR when it leaks that the NSA found all kinds of ways to exploit your software and you didn't. So there are costs on both sides. In the end the main reason I have no confidence in MS is that they are, after all, a very large American corporation, and the NSA and all the rest of the cop agencies exist to protect them. So why wouldn't they cooperate?

  12. bugs or backdoors? by Anonymous Coward · · Score: 1

    I wonder how many of these "unknown bugs" used by "slick code" were put there on purpose in Windows and how many are actual bugs.

    1. Re:bugs or backdoors? by bill_mcgonigle · · Score: 4, Informative

      > I wonder how many of these "unknown bugs" used by "slick code" were put there on purpose in Windows and how many are actual bugs.

      If you talk to people who have seen the older parts of Windows source, you start to become less conspiratorial. Much of the code was written when these machines were only networked if the company had a Novell network (yeah, yeah, both of you who ran LANMan can pipe down) and security wasn't even on the RADAR. Modern programmers at Microsoft are either disgusted or terrified by it, from what I hear.

      Backwards compatibility cuts both ways.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:bugs or backdoors? by davecb · · Score: 1

      An old employer was a Windows 2.0 licensee: it wasn't even supposed to be secure, it was to run on a machine that wasn't on a network, or was on a secure network.

      Can you say "red-book at system-low" ? It was logical, but assumed there was no internet.

      --
      davecb@spamcop.net
    3. Re:bugs or backdoors? by mikael · · Score: 1

      That's true. The first Ethernet adapters that came along for PCs were huge cards with a physical key lock and a user ID card. Everything was intended to run on official Ethernet cable: bright yellow or blue coaxial cables connected by vampire taps, which were simple blocks with three spikes that went through the coaxial sheathing and connected to the core copper, with LANs connected by bridges, routers and firewalls. Everything was intended to be static and predefined.
      For home business use, ISDN was the only choice, with data traffic charged at a cent per kilobyte. That didn't change anything since only business directors could really afford that service.

      Microsoft was taken by surprise in 1993 by the sudden appearance of ISPs offering home Internet with SLIP and PPP. Those two protocols allowed every other traditional UNIX internet protocol to run transparently between the PC and remote web servers; X Windows, telnet, ftp, gopher, traceroute, netstat, ping, http, all suddenly had to be supported. The options for MS-DOS were a TCP/IP stack and a text-based browser provided by the ISP (Trumpet Winsock). Microsoft simply could not invent their own APIs as they always had in the past. They were forced to adapt to the rest of the world.

      Microsoft's only choice was to bundle their own network stack with Windows 95. Even then, CPUs were so slow that the code had to be super-optimized to the point that everything was munged together. Look at how svchost.exe does every function. There was never any anticipation at the time that Joe Sixpack was going to have an always-on 60 Mbit connection to his gaming rig or netbook.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  13. The other submission by Anonymous Coward · · Score: 2, Informative

    The other submission, which mods ignored, contained a better list of the exploits: https://www.bleepingcomputer.c...

  14. Re: Why are these fucking Americans hacking banks? by rmdingler · · Score: 1

    Of course they would... there's no need to steal money, per se, for black budget spending when you can essentially print your own money.

    TPFTDL: $52.06 billion in 2013, according to an imperfectly legitimate Edward Snowden release of government information.

    Years removed from the lessons of Iran/Contra, governments have learned to just fund the cloak & dagger bunch... saves on eventual, inevitable embarrassment, as you're employing folks who have proven eager to scam the funds they need clandestinely.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  15. Re:Linux FTW !!! by bill_mcgonigle · · Score: 1

    > I'm glad I use Linux and not have to worry about these exploits and zero day attacks.

    Hey, the NSA probably has more people working on breaking linux than we have working on building it. Be ready to apply updates when SB drops that tranche. Practice defense-in-depth.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  16. Now we know why he went to FL early by WillAffleckUW · · Score: 1

    And why a certain foreign agent went to Korea a while back.

    --
    -- Tigger warning: This post may contain tiggers! --
  17. Re:Need to order a drone strike against these trai by bill_mcgonigle · · Score: 1

    C'mon, if you're going to hold yourself out as a professional propagandist, at least put in the effort to get your possessive pronoun number agreement correct.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  18. Re:Linux FTW !!! by ozduo · · Score: 1

    Are you taking the piss? Or are you just naive?

    --
    I got to the chocolate box before you, that's why the hard ones have teeth marks.
  19. Re:Linux FTW !!! by RamBurner · · Score: 1

    I use kernel 4.8 so no nightmares here.

  20. Re:Linux FTW !!! by Moheeheeko · · Score: 1

    you must be new here

  21. Re: Need to order a drone strike against these tra by negRo_slim · · Score: 1

    That sounds about right.

    --
    On the Oregon Coast born and raised, On the beach is where I spent most of my days
  22. Security removed for good reasons by raymorris · · Score: 5, Informative

    > Much of the code was written when these machines were only networked if the company had a Novell network (yeah, yeah, both of you who ran LANMan can pipe down) and security wasn't even on the RADAR.

    Indeed. Historically, it was DISK Operating System (DOS) on a PERSONAL Computer (PC) as opposed to the then-traditional NETWORK operating system on a time-sharing computer (which cost over $100,000). The point of DOS, the difference between Microsoft and what was already commonplace, was that the Microsoft OS was for cheap little computers used by one person, and not connected to a big corporate network. Instead of requiring many MBs of RAM, DOS could run in as little as 16KB of RAM by getting rid of all the stuff that wasn't needed on a PERSONAL, DISK-based computer - stuff like security, stuff like isolating the files and processes of one user from the rest of the system.

    This was a great idea. It worked brilliantly. Then the internet happened. Microsoft had a shit fit. Not only was their entire company based on PCs rather than the client-server model, but they had just spent millions upgrading Object Linking and Embedding (OLE), and named the new version COM. It was really cool - it let you do things like embed a picture in a Word document, or link a sound file from a picture. It was awesome. Then the web showed up with "img src" and "a href". Oh shit!

    Microsoft did exactly the right thing, making an OS for personal, home computers, which weren't on a network and therefore any security was unnecessary overhead that they removed. Then the sudden popularity of the web screwed them and they had to play catch-up for 15 years.

  23. Re:Linux FTW !!! by skids · · Score: 2

    Not "every linux kernel before 4.5". Whether a kernel is vulnerable depends on whether the bug was backported by distros. RHEL never backported it, and Debian quietly fixed it a good while ago (kernels of any version shipped Sep 2015 to Jan 2016)

    http://www.zdnet.com/article/r...

  24. Not too happy about this one by GameboyRMH · · Score: 1

    I think I'd prefer if the NSA *could* see those bank transactions. I'm not a fan of privacy in banking. If you want to do a transaction privately, that's what cash (and maybe cryptocurrency, that genie's out of the bottle) is for. Any privacy beyond that only provides enhanced convenience to criminals IMO. I'd prefer if all bank transactions were visible to law enforcement and tax authorities.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Not too happy about this one by GameboyRMH · · Score: 2

      Well I'm glad that someone without a vested interest in banking secrecy has some idea about what's going on. If the NSA sees terrorists laundering money or companies violating sanctions they can tip off the relevant authorities.

      I'd say that the FBI and IRS should be monitoring all global banking, along with their equivalents in every country. Interpol as well, sure.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Not too happy about this one by Atryn · · Score: 2

      > Well I'm glad that someone without a vested interest in banking secrecy has some idea about what's going on. If the NSA sees terrorists laundering money or companies violating sanctions they can tip off the relevant authorities.

      Wait... what about this recent news has you believing the NSA wants to tip off anyone about anything they discover?

      --
      Come play Moral Decay!
    3. Re:Not too happy about this one by John.Banister · · Score: 1

      I'm happy if mine are visible so long as all the transactions investment banks make with one another are also visible.

  25. Re:Why are these fucking Americans hacking banks? by AHuxley · · Score: 1

    The US does not like France winning, so the US (with 5 eye friends) spy on every part of the French economy.
    https://wikileaks.org/nsa-fran...
    "French contract proposals or feasibility studies and negotiations for international sales or investments in major projects or systems of significant interest to the foreign host country or $200 million or more in sales and/or services, including financing information or projects of high interest... "

    --
    Domestic spying is now "Benign Information Gathering"
  26. Re:Need to order a drone strike against these trai by bheerssen · · Score: 1

    No kidding. Besides, how often do you get to use "It's its" in a sentence?

    --
    (Score: -1, Stupid)
  27. Re:Why are these fucking Americans hacking banks? by Motherfucking+Shit · · Score: 2

    They're monitoring transfers into and out of what appear to be primarily middle eastern banking institutions. This is a legitimate national security interest for the United States. It's helpful to see that (e.g.) Saudi Prince #1,804 is wiring money to AQAP principals or what have you.

    This is exactly the sort of activity NSA is supposed to be engaging in, as opposed to trawling through every American's emails and credit card bills.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  28. Re: Why are these fucking Americans hacking banks? by Anonymous Coward · · Score: 1

    I agree the US is corrupt. However - I do not agree with watching those French by breaking into their banking systems.

  29. Running the browser as root/Admin is bad by raymorris · · Score: 1

    > The only reason systems like Linux were more secure (hard to say if they are overall now**) is they were part of the front line of attacks which meant a lot of the direct network facing stuff had to be patched ASAP

    Remember, initially on Windows, any program run by any user was allowed to do anything and everything to the computer. Programs did in fact interact with the system, writing registry entries wherever they felt like, putting files in system directories, etc. You can't just suddenly prevent that out of the blue - a large percentage of the existing software would stop working.

    So Microsoft had to slowly transition away from that. Which put them behind, because before DOS, UNIX users were ALREADY accustomed to running as a non-root user. Most computer users before Microsoft didn't *have* root access - they had a terminal connected to a mainframe. They were accustomed to the idea that they ran their software within their private space, and the user software didn't need system-level access.

    For quite some time, Windows users were essentially running their browsers as root - including Flash and Java. For some years after that, it *appeared* that they were running as some user, but under the hood there was no real security.

    Linux comes from that Unix heritage, from the basic assumption that an individual user shouldn't be able to take down the system even if they tried.

  30. Re:Linux FTW !!! by mikael · · Score: 1

    Worry about what servers your Firefox web browser is setting up (SSDP) and why it needs to send out multicast broadcasts. Does your wifi router block those packets? Does it allow them to come in on your network? Why doesn't the menu option disable this feature? Apparently it's to provide competition to ChromeCast, which allows you to stream the contents of your screen to other mobile devices across the Internet.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  31. Re:Need to order a drone strike against these trai by Anonymous Coward · · Score: 1

    You idiot, they are spying on innocent Americans too. This is the early stages of a supranational surveillance system paid for by idiot whores like you.

  32. Microsoft said they patched these last month by UpnAtom · · Score: 1

    "... the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks."

    https://arstechnica.com/securi...

  33. Re:Need to order a drone strike against these trai by beastofburdon · · Score: 1

    I agree, we should hit every one of their offices at the same time to minimize survivors, and while we're at it, hit the CIA at the same time.

  34. Re: Need to order a drone strike against these tr by beastofburdon · · Score: 1

    All that money comes from the CIA.

  35. Re:Thanks Obama by chill · · Score: 1

    Yeah! Beat Auburn! Roll Tide!

    --
    Learning HOW to think is more important than learning WHAT to think.