Security Alert: Stabilized Exploits Target Legacy Windows-Running Servers and PCs
And why your system is vulnerable to these exploits
The need to regularly apply all available patches should remain a top priority for each of us. If you haven't installed the newest updates for your operating system, we strongly recommend that you do so immediately.
This is especially important if you own or manage a server and run older versions of Windows Server (still functional, but lacking newer protections), which makes them more vulnerable to a new wave of exploits.
Along with EternalBlue, the EternalSynergy, EternalRomance and EternalChampion exploits are part of the arsenal of leaked NSA tools that were used for malicious purposes, including the devastating Petya cyber attack.
These three exploits, which are linked to the Microsoft vulnerabilities CVE-2017-0143 and CVE-2017-0146, have been rewritten and stabilized and can impact all Windows operating systems from Windows 2000 up to and including Windows Server 2016.
Source: CVE Details
How the infection spreads
These exploits can be used by online criminals to remotely execute arbitrary code on a system by sending specially crafted messages to the Microsoft SMB server.
They have been ported to the popular Metasploit penetration-testing framework, a tool for developing and executing exploit code against a remote target machine.
Malicious actors use them to run commands on the system: by default the modules first authenticate and then attempt to open a named pipe. They rely on these SMB exploits to spread malware and get inside users' PCs.
Instead of injecting shellcode into the target system to take control of it, the attacker overwrites SMB (Server Message Block) connection session structures to gain administrative rights on the system.
After that, explains zerosum0x0, the exploit module drops its payload to disk (or uses a PowerShell command) and copies it directly to the hard drive.
Big one: SMB exploit (fixed in MS17-010+) now ported to Windows 2000 up to Windows Server 2016, and all versions in between. Reliable, doesn’t cause BSOD like EternalBlue either. I’ve tried on Win2000 and XP. https://t.co/EZ96eFsV5C
— Kevin Beaumont (@GossiTheDog) January 29, 2018
The difference between the Metasploit port of EternalBlue and these exploit modules is that no kernel shellcode is used to load Meterpreter payloads.
It is worth mentioning that these exploits could have self-replicating abilities that enable them to spread fast and impact many machines, so we urge you to apply all available software patches.
To check whether your system is affected by these exploits, have a look at the list below of Windows versions that need the update immediately:
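Because the modules above reach the target through the SMB service, a defender's first question is which hosts still accept SMBv1 sessions and from whom. The following PowerShell is an added example written for this article, not code from the original post or from zerosum0x0's modules. It assumes a Windows 10 / Server 2016-class host on which `Set-SmbServerConfiguration -AuditSmb1Access` and the `Microsoft-Windows-SMBServer/Audit` log (event ID 3000) are available, and that the event message carries the client as "Client Name: \\<address>".

```powershell
# Added example (not from the article): switch on SMBv1 access auditing and
# summarise which clients still negotiate SMBv1 with this host.
# Assumptions: Windows 10 / Server 2016 or later; run from an elevated shell.

function Enable-Smb1Audit {
    # Writes event ID 3000 to Microsoft-Windows-SMBServer/Audit for every SMBv1 session
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # The event text carries the client as "Client Name: \\<address>"; a regex on the
    # message keeps this independent of the event's XML field names (assumption).
    $events |
        ForEach-Object {
            if ($_.Message -match 'Client Name:\s*\\*(\S+)') { $Matches[1] } else { 'unknown' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

Enable-Smb1Audit
# Run again after a few days of auditing to see the real SMBv1 population
Get-Smb1Clients -Days 7 | Format-Table -AutoSize
```

Every client that shows up here is something to migrate off SMBv1 before the protocol is disabled; an empty list after a representative period is the evidence that turning SMBv1 off will not break anything.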
- Windows Server 2000 SP0 x86
- Windows 2000 Professional SP4 x86
- Windows 2000 Advanced Server SP4 x86
- Windows XP Professional SP0 x86
- Windows XP SP3 x86
- Windows XP x64
- Windows Server 2003 x86
- Windows Server 2003 SP2 x86
- Windows Server 2003 x64
- Windows Vista Home Premium x86
- Windows Server 2008 x64
- Windows Server 2008 R2 x64
- Windows Server 2012 R2 x64
- Windows Server 2016 10.10586 x64
- Windows Server 2016 10.14393 x64
The pentester who noticed these exploits believes they "should virtually never crash post-Vista, and only in extremely rare circumstances for earlier versions". More technical details can be found on GitHub.
Use this protection guide to fight against these exploits
- First of all, we strongly encourage all users to install the critical patch Microsoft released in March 2017 for Windows SMB Server (Microsoft Security Bulletin MS17-010) on all available systems RIGHT NOW. There you will find links for every affected software version and the security update package to install.
- Consider adding another layer of protection on top of your antivirus product, such as a proactive cyber security software solution;
- Make sure you have a reliable antivirus program installed on your computer to better protect your most sensitive data from online threats;
- Firewalls enhance network security by helping to prevent unauthorized access and should be enabled on your PC;
- We remind you that security isn't only about choosing one solution or another; it's also about improving our online habits and always being proactive;
- Educate yourself and gain more knowledge in the information security field, so you can learn how to better detect and prevent such cyber attacks. Use these free online educational resources to learn actionable and useful things.
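The first and fourth points of the guide (patch for MS17-010, keep the firewall on) can be checked and enforced from PowerShell. The script below is an added example written for this article; it is not Microsoft's tooling or code from the original post. Assumptions: it runs elevated; the KB numbers listed are the ones assumed here to carry the MS17-010 update (verify them against the bulletin linked above, since Windows 10 cumulative updates may report differently); the `Smb*` and `NetFirewall*` cmdlets require Windows 8 / Server 2012 or later, so older hosts fall back to the registry value and `sc.exe` commands Microsoft documents for disabling SMBv1; the firewall rule name is invented.

```powershell
# Added example (not from the article): verify MS17-010, disable SMBv1 on both the
# server and client side, and block inbound SMB on the Public firewall profile.
# Assumptions: elevated shell; KB list below is assumed, confirm against MS17-010.

$Ms17010Kbs = 'KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216',
              'KB4012217', 'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429'

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{ Patched = [bool]$found; MatchedKb = ($found -join ',') }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: stop offering SMBv1 from the server
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the optional component where it exists (client SKUs); servers use
        # Remove-WindowsFeature FS-SMB1 instead, so errors here are tolerated
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    } else {
        # Vista / 2008 / 7 / 2008 R2: the LanmanServer registry switch (Microsoft KB2696547)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        New-ItemProperty -Path $key -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
    }
    # Client side on every version: stop the SMBv1 redirector (also from KB2696547)
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmbOnPublic {
    $name = 'Block inbound SMB (TCP 445) on public networks'   # invented rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

$state = Test-Ms17010Installed
if ($state.Patched) {
    "MS17-010 present ($($state.MatchedKb))"
} else {
    'MS17-010 NOT found: install it before anything else'
}
Disable-Smb1
Block-InboundSmbOnPublic
'SMBv1 disabled and inbound SMB blocked on the Public profile; reboot to complete'
```

Run the check before the hardening steps: a host that reports MS17-010 as missing is exposed regardless of the SMBv1 and firewall changes, which only reduce how reachable the vulnerable service is. The `sc.exe` changes and the registry value take effect after a reboot.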
Based on these exploits, we could see a new wave of global cyber attacks similar to WannaCry or NotPetya hitting both users and organizations, so prevention should be our top priority.
Have you applied the latest updates to your system?
*This article features cyber intelligence provided by CSIS Security Group researchers.
To protect your Windows, follow these steps:
a) First, install the critical patch for Windows SMB Server which Microsoft provided and which became available recently.
Find the link for all software versions that are affected and all the security updates.
b) Consider applying another layer of protection.
c) A firewall is used for security purposes, and we know that security is not about checking online habits.
Thank you, great report.
Hello, Rob and thank you so much for your feedback!
How about disabling SMBv1 on your computer? 🙂
Hello, Bruno and thank you for reaching out! Indeed, this is a very good recommendation for users to disable SMBv1 🙂
I have several times considered switching to Heimdal when my BullGuard subscription runs out. Every time it stops when a (Danish) protection program is not also available in Danish.
Best regards, John Larsen
Hello, John and thank you for considering Heimdal. On the front page of our website (on the right) you can choose Danish (DA) as the default language: https://heimdalsecurity.com/da/home You should know that Heimdal is not an antivirus, but a proactive security solution that protects your PC and valuable data from advanced online threats. It will make a great addition to your antivirus product and enhance protection for your data while navigating online. Should you have additional questions, you can use this page https://heimdalsecurity.com/en/media-center to get in touch with us. Thank you!