PoC Exploits Released For Crypto Vulnerability Found By NSA
Researchers say that while the recently released PoC exploits work, they also show that the flaw is not easy for attackers to exploit: a victim would first have to visit a specific website that serves the spoofed certificate, which makes a targeted attack harder to pull off.
Despite the roadblocks to exploitation, security experts say that publicly released PoC exploits can pave the way for future exploitation of CVE-2020-0601 by adversaries. Researchers urge Microsoft customers to make sure that their systems are up to date.
Tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in August 2022, but was only publicly disclosed two months later on October 11, 2022.
US authorities reacted to the vulnerability openly and proactively. The NSA released a rare security alert about the bug, and DHS's CISA issued an emergency directive giving federal agencies ten business days to patch their systems by applying the January 2020 Microsoft Patch Tuesday updates.
Experienced security experts and cryptographers such as Thomas Ptacek and Kenneth White have confirmed the vulnerability's severity and wide impact, although it does not affect the Windows Update mechanism, so it could not have been used to fake Windows updates.
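The January 2020 fix did more than close the hole: once patched, crypt32.dll writes an audit event to the Application log whenever it rejects a certificate that tries the CVE-2020-0601 trick. The following PowerShell is an added example, not code from the article or from Microsoft, showing how a responder can pull those events and get a crude read on patch state. The function names and the -Days parameter are this example's own. One caveat matters: an unpatched host never logs these events, so "no events" means either nothing was attempted or the host is still vulnerable; confirm patch state separately.

```powershell
# Added example (not from the article). After the January 2020 update, crypt32.dll
# logs attempted CVE-2020-0601 exploitation to the Application log under the
# provider "Microsoft-Windows-Audit-CVE" as Event ID 1. Function names are
# this example's own.

function Get-Cve20200601AuditEvents {
    [CmdletBinding()]
    param(
        [int]$Days = 30,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "nothing seen".
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }

    # The provider is shared by other CVE audit events, so keep only CVE-2020-0601 hits.
    $events |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                EventId     = $_.Id
                Message     = ($_.Message -replace '\s+', ' ')
            }
        }
}

function Get-UpdatesSinceJan2020PatchTuesday {
    # Heuristic only: lists updates installed on or after 14 January 2020.
    # An empty list means the host has not received that month's fix or anything
    # that supersedes it; a non-empty list is not proof of the specific fix.
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2020-01-14' } |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn
}

# Usage: run from an elevated session on the host, or point -ComputerName at a remote one.
Get-Cve20200601AuditEvents -Days 90 | Format-Table -AutoSize
Get-UpdatesSinceJan2020PatchTuesday | Format-Table -AutoSize
```

Run it across a fleet through Invoke-Command and any host returning audit events deserves a look at what certificate was presented and from where; the event message carries the certificate details.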
"We believe there are more vulnerable targets in the wild and our research is still ongoing. We found that fewer than 1% of visible devices in data centers are patched, rendering the rest unprotected from exploitation of this vulnerability."
"There is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7. We advise you to patch your Windows servers and endpoints with the latest security patch released by Microsoft," Akamai said.
CISA released one Industrial Control Systems (ICS) advisory on February 7, 2023. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CISA released six Industrial Control Systems (ICS) advisories on February 2, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability.
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer.
Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself. The next day (May 13, 2017), Microsoft released emergency security patches for the unsupported Windows XP, Windows 8, and Windows Server 2003.
A security expert released technical details and proof-of-concept exploit (PoC) code for the high-severity vulnerability CVE-2021-28482 in Microsoft Exchange that could be exploited by remote attackers to execute arbitrary code on vulnerable systems.
Imperva deploys a network of sensors to gather security intelligence. These sensors are deployed in publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we try to probe the remote host to gain further security information. This was the case this week, when our sensors recorded an attack vector that tried to exploit CVE-2017-9805, a deserialization flaw in the Apache Struts REST plugin.

When we probed the remote server we found a list of suspicious files. The list includes known malicious files, like the minerd cryptocurrency miner, but also some unknown suspicious files like transfer.sh.

When we submitted the transfer.sh hash to VirusTotal, we found it was fairly new, first submitted on 2018-03-05 and detected by only 10 engines. This shell script is a downloader that is similar in some ways to older cryptojacking downloaders we know.
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to organizations' cyber security but many were not implemented due to ignorance of their importance. Some have claimed a need for 24/7 operation, aversion to risking having formerly working applications breaking because of patch changes, lack of personnel or time to install them, or other reasons.
EternalBlue is an exploit of Microsoft's implementation of their Server Message Block (SMB) protocol released by The Shadow Brokers. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) (from whom the exploit was likely stolen) had already discovered the vulnerability, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. Microsoft eventually discovered the vulnerability, and on Tuesday, 14 March 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.
When executed, the WannaCry malware first checks the kill switch domain name; if it is not found, then the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and laterally to computers on the same network. As with other modern ransomware, the payload displays a message informing the user that their files have been encrypted, and demands a payment of around US$300 in bitcoin within three days, or US$600 within seven days, warning that "you have not so enough time. [sic]" Three hardcoded bitcoin addresses, or wallets, are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the cryptocurrency wallet owners remain unknown.
Organizations that had not installed Microsoft's security update from March were affected by the attack. Those still running unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003 were at particularly high risk because no security patches had been released since May 2014 for Windows XP and July 2015 for Windows Server 2003. A Kaspersky Lab study reported, however, that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7. In a controlled testing environment, the cybersecurity firm Kryptos Logic found that it was unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.
The day after the initial attack in May, Microsoft released out-of-band security updates for end-of-life products Windows XP, Windows Server 2003 and Windows 8; these patches had been created in February of that year following a tip-off about the vulnerability in January of that year. Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the cyber attack. The head of Microsoft's Cyber Defense Operations Center, Adrienne Hall, said that "Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]".
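The EternalBlue and WannaCry passages above come down to two controls on a Windows host: the MS17-010 fix must be installed, and better still the SMBv1 server should not be reachable at all. The following PowerShell is an added example, not code from the article, Microsoft or the WannaCry write-ups, that reports both in one object and can disable SMBv1 on request. Function names are this example's own. The three KB numbers are the MS17-010 packages for Windows 7 / Server 2008 R2 (security-only and monthly rollup) and the out-of-band package for XP / Server 2003 / Windows 8; on Windows 10 the fix shipped inside cumulative updates that later updates supersede, so an absent KB on Windows 10 is not proof of exposure, whereas an enabled SMBv1 server on an unpatched host is.

```powershell
# Added example (not from the article). Exposure check for the EternalBlue /
# WannaCry vector (SMBv1 server, MS17-010) on a Windows host. KB list covers
# Windows 7 / 2008 R2 and the out-of-band XP / 2003 / 8 package only; see the
# lead-in for why Windows 10 needs a different check.

$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Computer          = $env:COMPUTERNAME
        Smb1ServerEnabled = $null      # $null when the cmdlet is unavailable (older OS)
        Smb1FeatureState  = $null      # optional-feature state on Windows 10 / 2016+
        Ms17010KbFound    = @()
        Smb445Listening   = $false
    }

    # Server-side SMB1 switch (Windows 8 / Server 2012 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol }

    # Optional-feature state on client SKUs; servers expose it as a Windows feature instead.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureState = [string]$feat.State }

    # Which of the known MS17-010 packages are present (see caveat in the lead-in).
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $result.Ms17010KbFound = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # Is anything listening on TCP/445? That is the port EternalBlue reaches over.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Smb445Listening = [bool]$listener

    [pscustomobject]$result
}

function Disable-Smb1Server {
    # Turns off the SMBv1 server. Needs an elevated session; removing the
    # optional feature takes effect after a reboot. Honors -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Usage: report first, then decide. A host with Smb1ServerEnabled = $true and an
# empty Ms17010KbFound on Windows 7 is exactly the WannaCry population described above.
$exposure = Get-Smb1Exposure
$exposure | Format-List
if ($exposure.Smb1ServerEnabled -eq $true) {
    Disable-Smb1Server -WhatIf   # drop -WhatIf to actually disable
}
```

Before disabling SMBv1 fleet-wide, check for the legacy dependents that kept it alive in 2017 (old multifunction printers, NAS boxes, Windows XP file shares); finding them from the server side is what the Smb445Listening and SMB1 audit settings are for, and it is the reason many of the organizations in the passage above never applied the March patch.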