  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] NSA's powerful Windows hacking tools leaked online

    A hacking group has dumped a collection of spy tools allegedly used by the National Security Agency online. Experts say they are damaging.

    Selena Larson
    April 15, 2017

    The exploits, published by the Shadow Brokers on Friday, contain vulnerabilities in Windows computers and servers. They may have been used to target a global banking system. One collection of 15 exploits contains at least four Windows hacks that researchers have already been able to replicate.

    Late Friday, Microsoft said the exploits had been patched in previous updates, or are not able to be replicated on supported platforms. Windows users should make sure their software is up to date and upgrade to Windows 7 or a newer version.

    "This is quite possibly the most damaging thing I've seen in the last several years," said Matthew Hickey, founder of security firm Hacker House. "This puts a powerful nation state-level attack tool in the hands of anyone who wants to download it to start targeting servers."

    The exploits target a variety of Windows servers and Windows operating systems, including Windows 7 and Windows 8. Hickey was able to test out exploits in his UK firm's lab and confirmed they "work just as they are described."

    The Shadow Brokers is a group of anonymous hackers that published hacking tools used by the NSA last year. Last Saturday, the group returned and published a batch of NSA exploits it had previously tried, and failed, to sell. This Friday's release contains more serious exploits. The releases are published with strange and misspelled blog posts, and recent posts have been critical of the Trump administration. The group complained about the lack of media coverage of its release last Saturday.

    Hickey said the Windows exploits leaked on Friday could be used to conduct espionage and target critical data in Windows-based environments. Consumers using Windows PCs could be at risk, though experts say these kinds of tools are more commonly used to target businesses.

    "The individual consumer is a little less at risk, as these kinds of tools are targeted at enterprise and business environments," Hickey said.

    An email to the NSA's press office was not returned.

    "We've investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products," a Microsoft spokesperson told CNNTech. "Customers with up-to-date software are already protected."

    Microsoft told CNNTech no one from the government had contacted it about the exploits listed in the dump. Since the Shadow Brokers previously said they had obtained NSA exploits, the agency was likely aware of the potential for these hacks to be exposed to the public.

    "At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers," a Microsoft spokesperson said in an email on Friday.

    The Windows hacking tools may have been used to target the SWIFT financial security system, specifically an anti-money laundering financial institution called EastNets. The leaked documents contain notes about passwords, configuration data and networks.

    The U.S. government has long been able to access financial data through SWIFT as part of an anti-terrorism effort. However, according to security researcher Nicholas Weaver of the International Computer Science Institute, the methods in the documents show the NSA was going beyond its "official access."

    "Whenever the NSA is caught going in the backdoor when they already had front-door access (such as the backdoor monitoring of Google and Yahoo's internal communication revealed in the Snowden documents), it not only closes the backdoor but also results in legal pushback that may limit the front-door access," Weaver told CNNTech in an email.

    SWIFT told reporters it has not seen unauthorized access on its networks, and EastNets said the same.

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Microsoft says it's already patched flaws exposed in leak of NSA hacks

    Zack Whittaker
    April 15, 2017

    Microsoft has confirmed that most of the NSA's hacking tools designed to target Windows published earlier this week have been patched.

    A spokesperson said in an email in the middle of the night that the company has "investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products."

    The company followed in a late-night blog post noting that nine of the disclosed exploits were patched as recently as March, while three other exploits weren't able to be reproduced on supported platforms and didn't require patches.

    Those exploits could have allowed an attacker to compromise affected computers on a range of Windows versions.

    Microsoft isn't expected to fix some of the bugs as they affect versions of Windows that are no longer supported. (In other words, if you're still running an aged version of Windows, now might be a good time to upgrade.)

    This entire saga all started Friday after a hacker group known as the Shadow Brokers released tools designed to target Windows PCs and servers, along with presentations and files purporting to detail the agency's methods of carrying out clandestine surveillance.

    Some of the tools appeared to target the SWIFT banking system, according to classified documents found in the cache.

    Security researchers spent most of the day trying to figure out how the various exploits worked by testing the exploits in various virtual machines in their respective labs. One such researcher, Matthew Hickey (known as "Hacker Fantastic") later noted that his tests were run on a fresh install of Windows -- in other words, it was missing March's patches -- which as a result he later discounted.

    Though patches have been rolled out, questions remain about the disclosure process.

    Microsoft, and other companies, regularly receive disclosure reports from security researchers, and almost always acknowledge their work in a separate note.

    But even though Microsoft had patched the flaws, the company didn't say what the source of the vulnerability report was, something noted by security researcher The Grugq in a tweet. He suggested that the NSA had been in contact directly about the vulnerabilities, which it lost control of when the Shadow Brokers obtained a copy of the agency's hacking toolkit, and knew which exploits were at risk as early as January. The government and its agencies are known to disclose flaws, and often receive public acknowledgement for their disclosures.

    Microsoft said on Friday that, "other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers."

    A spokesperson clarified that the company "may not list an acknowledgement for reasons including reports from employees, requests for non-attribution, or if the finder doesn't follow coordinated vulnerability disclosure."

  3. #3
    WHT-BR Top Member
    Join Date
    Dec 2010

    Microsoft: Protecting customers and evaluating risk

    April 14, 2017

    Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandably, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

    When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed. Once validated, engineering teams prioritize fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation.

    Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

    Code Name          Solution
    EternalBlue        Addressed by MS17-010
    EmeraldThread      Addressed by MS10-061
    EternalChampion    Addressed by CVE-2017-0146 & CVE-2017-0147
    ErraticGopher      Addressed prior to the release of Windows Vista
    EskimoRoll         Addressed by MS14-068
    EternalRomance     Addressed by MS17-010
    EducatedScholar    Addressed by MS09-050
    EternalSynergy     Addressed by MS17-010
    EclipsedWing       Addressed by MS08-067

    Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

    We have long supported coordinated vulnerability disclosure as the most effective means to ensure customers and the computing ecosystem remains protected. This collaborative approach enables us to fully understand an issue and to deliver protection before customers are at risk due to public disclosure of attack methods. We work closely with security researchers worldwide who privately report concerns to us at We also offer bug bounties for many reported vulnerabilities to help encourage researchers to disclose responsibly.

    Phillip Misner,
    Principal Security Group Manager

  4. #4
    WHT-BR Top Member
    Join Date
    Dec 2010

    Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers

    If you're a security researcher sitting down to test if some exploits work, why would you not be doing that against a fully patched system? :-/

    Dan Goodin

    Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.

    That's because the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it's uncommon, and it's generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained in Friday's leak.

    A measure of relief

    The revelation that none of the highly advanced exploits work against supported Microsoft products brings a measure of relief to some of the more dire warnings sounded 24 hours earlier. It means that most home and small-office users are likely to be safe, since their systems are likely to have automatically installed the critical updates weeks ago. Computers in larger organizations, however, can often remain two or more months behind Microsoft's patch schedule, as administrators test the updates to ensure they're compatible with intranets and other internal systems. That means that some of the most sensitive and mission-critical networks may still be vulnerable to the four exploits, which are known as EternalBlue, EternalChampion, EternalSynergy, and EternalRomance.

    Security researchers have taken to social media sites to speculate on the circumstances that led to Microsoft killing all four of would-be zerodays one month before they were published on the Internet. As mentioned above, one theory is that someone from the NSA privately gave Microsoft warning that the leaks were imminent. As reported Friday by Emptywheel, a Shadow Brokers release from early January gave NSA officials notice of some of the exploit names obtained by the mysterious person or group and later included in Friday's release. The extra time Microsoft needed to patch the bugs might possibly have something to do with February's unprecedented canceling of Patch Tuesday.

    A second possibility is that Microsoft paid Shadow Brokers for the vulnerabilities and didn't make that purchase public. In any event, and as noted by security commentator Ryan Naraine on Twitter, Microsoft's March Patch Tuesday bulletins explicitly said none of the Shadow Brokers-affected vulnerabilities were being actively exploited, a claim company officials surely knew was false had the flaws been disclosed either by the NSA or the leakers.

    Another plausible possibility is that Microsoft patched the vulnerabilities by chance and without advance warning from the NSA. When the Shadow Brokers recognized that the exploits were no longer valuable zerodays, they published them in a campaign designed to sow confusion. That theory is consistent with Friday's release of other exploits that remained unpatched in unsupported Microsoft products including Windows XP, Windows Server 2003, Exchange 2007, and IIS 6.0. Under this theory, none of the exploits published Friday worked on supported Microsoft products, so the Shadow Brokers decided to use them in a propaganda campaign. The problem with this theory, however, is that the coincidental timing of the patch and leak seems highly unlikely.

    Aside from the mystery surrounding the patching of these vulnerabilities one month ahead of the exploits, the other major question is how multiple security researchers and news outlets all incorrectly reported the exploits targeted fully updated products that remained supported by Microsoft. The answer is that researchers didn't test the exploits against fully updated versions of Windows 7 and other supported Microsoft products.

    The zeroday assessment "was based on best information at the time and early testing, which turned out to be incorrect," the security commentator and researcher who goes by the moniker SwiftOnSecurity wrote on Twitter. "Because there was no indication Microsoft patched these bugs, researcher systems did not include last month's patches, so they [the exploits] still worked."

    Other researchers, including Kevin Beaumont and Matthew Hickey, said they made the same critical mistake. Ars and dozens of other publications then reported those mistaken findings. Ars regrets the error.
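The practical check that follows from the Microsoft bulletin table quoted in post #3 and from the testing mistake described in the Ars piece above: before concluding anything about EternalBlue, EternalRomance or EternalSynergy on a host (a lab VM included), confirm the host actually carries MS17-010 and see whether the SMBv1 server those exploits speak to is still enabled. The script below is an added example written for this thread, not Microsoft's code and not from any of the quoted articles. It assumes the KB numbers listed are the per-family MS17-010 packages; check them against the bulletin for your exact build before relying on the list.

```powershell
# Added example for this thread; not from Microsoft's post or any quoted article.
# Reports whether a Windows host carries the MS17-010 fix and whether its SMBv1 server is on.
# Assumption: the KB list maps MS17-010 to its per-family packages (verify against the
# bulletin for your build). A later cumulative update can supersede these KBs without
# listing them, so a missing KB is inconclusive; srv.sys (the SMBv1 server driver the
# bulletin updates) is reported alongside so its version can be compared with the bulletin.

function Get-Ms17010Status {
    $ms17010Kbs = @(
        'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',               # Server 2012
        'KB4012598',                            # Windows Vista / Server 2008
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
    )

    # Get-HotFix reads Win32_QuickFixEngineering, i.e. updates installed on this host.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $ms17010Kbs -contains $_.HotFixID } |
             ForEach-Object { $_.HotFixID }
    $kbText = if ($found) { $found -join ',' } else { '(none listed)' }

    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'n/a' }

    # SMBv1 server state. The SMB cmdlets exist on Windows 8 / Server 2012 and later; on
    # Windows 7 / 2008 R2 fall back to the LanmanServer registry value, where an absent
    # value means SMBv1 is enabled (the default on those systems).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($reg) { $reg.SMB1 -ne 0 } else { $true }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbsFound   = $kbText
        SrvSysVersion     = $srvVersion
        Smb1ServerEnabled = $smb1
    }
}

function Disable-Smb1Server {
    # Removes the protocol the three exploits use; it complements patching, it does not replace it.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: registry switch, effective after the Server service restarts.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
}

# Usage on the local host:
Get-Ms17010Status | Format-List
# Across a fleet over WinRM (the function carries its own KB list, so it ships intact):
#   Invoke-Command -ComputerName srv1, srv2 -ScriptBlock ${function:Get-Ms17010Status}
```

A Windows 7 VM built from installation media and never updated reports "(none listed)" for the KBs and an enabled SMBv1 server, which is exactly the state the researchers quoted above were testing against when they called the exploits zero-days. Run the check on the target first; if the KB is absent, compare the reported srv.sys version with the file table in the MS17-010 bulletin rather than assuming the host is unpatched.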

  5. #5
    WHT-BR Top Member
    Join Date
    Dec 2010

    Hackers release files indicating US NSA monitored global bank transfers

    Clare Baldwin

    Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks.

    The release included computer code that could be adapted by criminals to break into SWIFT servers and monitor messaging activity, said Shane Shook, a cyber security consultant who has helped banks investigate breaches of their SWIFT systems.

    The documents and files were released by a group calling themselves The Shadow Brokers. Some of the records bear NSA seals, but Reuters could not confirm their authenticity.

    The NSA could not immediately be reached for comment.

    Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said.

    In a statement to Reuters, Microsoft (MSFT.O), maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen.

    "Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers," the company said.

    The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama's staff, companies were usually warned about dangerous flaws.

    Shook said criminal hackers could use the information released on Friday to hack into banks and steal money in operations mimicking a heist last year of $81 million from the Bangladesh central bank.

    "The release of these capabilities could enable fraud like we saw at Bangladesh Bank," Shook said.

    The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday.

    SWIFT said it regularly releases security updates and instructs client banks on how to handle known threats.

    "We mandate that all customers apply the security updates within specified times," SWIFT said in a statement.

    SWIFT said it had no evidence that the main SWIFT network had ever been accessed without authorization.

    It was possible that the local messaging systems of some SWIFT client banks had been breached, SWIFT said in a statement, which did not specifically mention the NSA.

    When cyberthieves robbed the Bangladesh Bank last year, they compromised that bank's local SWIFT network to order money transfers from its account at the New York Federal Reserve.

    The documents released by the Shadow Brokers on Friday indicate that the NSA may have accessed the SWIFT network through service bureaus. SWIFT service bureaus are companies that provide an access point to the SWIFT system for the network's smaller clients and may send or receive messages regarding money transfers on their behalf.

    "If you hack the service bureau, it means that you also have access to all of their clients, all of the banks," said Matt Suiche, founder of the United Arab Emirates-based cybersecurity firm Comae Technologies, who has studied the Shadow Broker releases and believes the group has access to NSA files.

    The documents posted by the Shadow Brokers include Excel files listing computers on a service bureau network, user names, passwords and other data, Suiche said.

    "That's information you can only get if you compromise the system," he said.


    Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show "the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorist groups".

    Since the early 1990s, interrupting the flow of money from Saudi Arabia, the United Arab Emirates and elsewhere to al Qaeda, the Taliban, and other militant Islamic groups in Afghanistan, Pakistan and other countries has been a major objective of U.S. and allied intelligence agencies.

    Mustafa Al-Bassam, a computer science researcher at University College London, said on Twitter that the Shadow Brokers documents show that the "NSA hacked a bunch of banks, oil and investment companies in Palestine, UAE, Kuwait, Qatar, Yemen, more."

    He added that NSA "completely hacked" EastNets, one of two SWIFT service bureaus named in the documents that were released by the Shadow Brokers.

    Reuters could not independently confirm that EastNets had been hacked.

    EastNets, based in Dubai, denied it had been hacked in a statement, calling the assertion "totally false and unfounded."

    EastNets ran a "complete check of its servers and found no hacker compromise or any vulnerabilities," according to a statement from EastNets' chief executive and founder, Hazem Mulhim.

    In 2013, documents released by former NSA contractor Edward Snowden said the NSA had been able to monitor SWIFT messages.

    The agency monitored the system to spot payments intended to finance crimes, according to the documents released by Snowden.

    Reuters could not confirm whether the documents released Friday by the Shadow Brokers, if authentic, were related to NSA monitoring of SWIFT transfers since 2013.

    Some of the documents released by the Shadow Brokers were dated 2013, but others were not dated.

    The documents released by the hackers did not clearly indicate whether the NSA had actually used all the techniques cited for monitoring SWIFT messages.

    (Additional reporting by Tom Bergin in London; Dustin Volz and John Walcott in Washington; Joseph Menn in San Francisco; and Jim Finkle in Buffalo, New York; Editing by Brian Thevenot and Cynthia Osterman)
