Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft

WaPo confirms long-held suspicions as NSA cyberweapons crisis threatens to grow worse.

After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.

Those same NSA officials, according to Tuesday’s report, failed to communicate the severity of the vulnerability to the outside world. A month after Microsoft released the patch, the Shadow Brokers published the attack code, code-named EternalBlue, that exploited the critical Windows vulnerability. A month after that, attackers used a modified version of EternalBlue to infect computers around the world with malware that blocked access to data. Within hours of the outbreak of the ransomware worm dubbed WCry, infected hospitals turned away patients; banks, telecommunications companies, and government agencies shut down computers.”NSA identified a risk and communicated it to Microsoft, who put out an immediate patch,” Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told The Washington Post. The problem, he said, is that no senior official took the step of shouting to the world: “This one is very serious, and we need to protect ourselves.”

Elsewhere in the article, the paper, citing people who spoke on the condition of anonymity, said: “The agency eventually warned Microsoft after learning about EternalBlue’s theft, allowing the company to prepare a software patch issued in March.”

The Washington Post article is the first to explicitly report that the NSA was the source that alerted Microsoft to the vulnerability fixed in March’s MS17-010 security bulletin. But it comes as little surprise. Several pieces of evidence led outsiders to speculate for weeks that the NSA was the disclosing party. Exhibit A was the timing. On January 7, the Shadow Brokers announced the auction of dozens of NSA tools, including one called DoublePulsar, a backdoor that is installed by EternalBlue.

Enlarge

Five weeks later, Microsoft abruptly canceled February’s scheduled patch release, citing an undisclosed last-minute issue. It was the first time the company has ever canceled a Patch Tuesday. Four weeks later, MS17-010 was released. And precisely 28 days after that, the Shadow Brokers published EternalBlue, DoublePulsar, and dozens more hacking tools.

Exhibit B was Microsoft’s decision not to name the party that reported the vulnerabilities fixed in suspiciously timed MS17-010 bulletin. While Microsoft bulletins omit disclosing parties from time to time, the majority of them are credited.Tuesday’s article doesn’t say when NSA officials tipped off Microsoft. Company representatives declined to confirm or deny the agency was its source. Asked for comment on Tuesday’s report, a Microsoft representative wrote: “Our standard practice is to list acknowledgements on our website. We may not list an acknowledgement for reasons including reports from employees, requests for non-attribution, or if the finder doesn’t follow coordinated vulnerability disclosure.” The representative declined to answer additional questions.

EternalBlueScreen

During the more than five years the NSA used EternalBlue’s extraordinary powers to extract secrets from targeted computers, the Washington Post reported, some officials discussed whether the flaw was so dangerous they should reveal it to Microsoft. The worries were most acute for early versions, which contained bugs. The paper reported:

The NSA also made upgrades to EternalBlue to address its penchant for crashing targeted computers—a problem that earned it the nickname “EternalBlueScreen” in reference to the eerie blue screen often displayed by computers in distress.

To mitigate its instability in the early days, the NSA hackers were under strict usage rules that required approval from a senior supervisor on a target-by-target basis to use the exploit, the employees recalled.

After a few years, its stability was improved, but NSA was still mindful of the potential for harm if the tool somehow was breached.

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network, and you can compromise everything.”

The Shadow Brokers’ first dump of exploits in August sparked a robust discussion within the Obama administration. “By that point, the intelligence value” of the exploits was “degraded,” so it was decided that NSA would alert whatever vendors were affected, a former senior administration official said.

Crisis could grow worse

The Shadow Brokers’ theft and subsequent leaks are one of the worst, if not the worst, crisis to hit the NSA. It’s not clear officials can do much to recover. Even with the patch Microsoft issued in March, the vulnerability remained an Achilles’ heel that paralyzed key parts of the physical world. There’s little stopping people from unleashing new attacks that similarly repackage EternalBlue or possibly other dangerous exploits already released by Shadow Brokers.

There’s also the possibility of even more dangerous Shadow Broker releases in the coming months. On Monday night, the group—which so far has made good on most of the threats it has foreshadowed—published a new dispatch that claimed to possess 75 percent of the NSA arsenal. It went on to warn future releases might include:

Web browser, router, handset exploits, and tools
select items from newer Ops Disks, including newer exploits for Windows 10
compromised network data from more SWIFT providers and Central banks
compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

“The Shadow Brokers is launching new monthly subscription model,” the dispatch, written in the group’s characteristically exaggerated broken English, stated. “Is being like wine-of-month club. Each month, peoples can be paying membership fee, then getting members-only data dump each month. What members doing with data after is up to members.”

Source:https://arstechnica.com/security/2017/05/fearing-shadow-brokers-leak-nsa-reported-critical-flaw-to-microsoft/

Alisa Esage G

Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.

Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

TunnelCrack: Two serious vulnerabilities in VPNs discovered, had been dormant since 1996

How to easily hack TP-Link Archer AX21 Wi-Fi router

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]

Hacking with MagicDots: Exploiting Dots & Spaces in Filenames/Pathnames for Permanent Admin Rights

Compromising Cryptographic Key Security Through PuTTY: A Deep Dive into CVE-2024-31497

How to hack a LG Smart TV via vulnerabilities in LG WebOS?

How to Check if a Linux Distribution is Compromised by the XZ Utils Backdoor in 6 Steps

CVE-2023-5528: Kubernetes Flaw Jeopardizing Windows Node That Can’t Be Ignored

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

Is Your etcd an Open Door for Cyber Attacks? How to Secure Your Kubernetes Clusters & Nodes

CVSS 4.0 Explained: From Complexity to Clarity in Vulnerability Assessment

Major Python Infrastructure Breach – Over 170K Users Compromised. How Safe Is Your Code?

How to exploit Windows Defender Antivirus to infect a device with malware

Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks

Cyber Security Channel

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]