eternalblue

Latest

  • Ransomware attacks in US cities are using a stolen NSA tool

    by Jon Fingas
    05.25.2019

    The ransomware attacks in Baltimore and other US cities appear to have a common thread: they're using NSA tools on the agency's home soil. In-the-know security experts talking to the New York Times said the malware in the cyberattacks is using the NSA's stolen EternalBlue as a "key component," much like WannaCry and NotPetya. While the full list of affected cities isn't available, San Antonio and the Pennsylvania city of Allentown have reportedly been victims of EternalBlue-based campaigns.

  • Russian hackers can reportedly take over unsecured hotel WiFi

    by Rob LeFebvre
    08.11.2017

    Security-conscious travelers typically avoid public WiFi hotspots, instead using VPNs and other tools to make sure their data is safely encrypted as it travels from computer to unsecured wireless router to the internet. According to networking security website FireEye, that concern is justified. The security team discovered a malicious document in several emails sent to "multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July." The document contained a macro that installs GAMEFISH malware, which is associated with a politically motivated Russian hacking group known as APT28 (or Fancy Bear). This is allegedly the same group that hacked the Democratic National Committee ahead of last year's US election. Even worse, the tool used after the initial malware installation, EternalBlue, was reportedly leaked from the NSA itself.

  • 'Shadow Brokers' threaten to release more hacking tools in June

    by Richard Lawler
    05.16.2017

    An exploit that the "WannaCry" malware used to encrypt computers worldwide first appeared in a leak from "The Shadow Brokers," a group that claims to have stolen a number of tools from the NSA. Now the Shadow Brokers are back with a new blog post threatening more leaks. Through an intentionally sloppy writing style, the group taunts not only TheEquationGroup (read: NSA), but also Microsoft and its blog post blaming spy agencies, claiming that Microsoft is simply upset the NSA didn't pay to hold its vulnerability.

  • The 'WannaCry' ransomware is a stark reminder of a broken system

    by Roberto Baldwin
    05.15.2017

    In April, a hacking group called The Shadow Brokers dumped a cache of Windows exploits it pilfered from the NSA. The group had decided to start leaking exploits it stole from the agency after it was unable to find a buyer for the government's hacking tools. Inside that April drop was a remote code execution vulnerability called "EternalBlue" (aka MS17-010). Fortunately, Microsoft issued a security patch that fixed EternalBlue in March. What's not so fortunate is that not everyone had applied it to their machines.

  • Microsoft patches Windows XP to fight 'WannaCrypt' attacks (updated)

    by Richard Lawler
    05.13.2017

    Microsoft officially ended its support for most Windows XP computers back in 2014, but today it's delivering one more public patch for the 16-year-old OS. As described in a post on its Windows Security blog, it's taking this "highly unusual" step after customers worldwide including England's National Health Service suffered a hit from "WannaCrypt" ransomware. Microsoft patched all of its currently supported systems to fix the flaw back in March, but now there's an update available for unsupported systems too, including Windows XP, Windows 8 and Windows Server 2003, which you can grab here (note: if that link isn't working then there are direct download links available in the Security blog post). Of course, for home users, if you're still running one of those old operating systems then yes, you should patch immediately -- and follow up with an upgrade to something current. If you're running a vulnerable system and can't install the patch for some reason, Microsoft has two pieces of advice:

      • Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously.
      • Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.

    Update: Microsoft legal chief Brad Smith has written a blog post that both calls for more help from customers (read: update more often) and chastises intelligence agencies for hoarding security exploits. They don't understand the risk to the public if the exploits leak, Smith says -- it's as if someone stole a batch of Tomahawk missiles. We wouldn't count on the NSA or other agencies heeding the call, but Microsoft clearly wants to make its frustrations heard.

  • 'WannaCry' ransomware attack spreads worldwide (update)

    by Andrew Tarantola
    05.12.2017

    England's healthcare system came under a withering cyberattack Friday morning, with "at least 25" hospitals across the country falling prey to ransomware that locked doctors and employees out of critical systems and networks. It's now clear that this is not a (relatively) isolated attack but rather a single front in a massive digital assault.

    Update 2 (5/13): In response to infections like the ones that crippled parts of the NHS system, Microsoft is releasing a patch for unsupported systems including Windows XP, Windows 8 and Windows Server 2003.

  • Microsoft says it already patched 'Shadow Brokers' NSA leaks

    by Richard Lawler
    04.15.2017

    Yesterday, the mysterious "Shadow Brokers" posted some hacking tools for Windows that were allegedly stolen from the NSA. All of them were at least a few years old, but exploited flaws in several versions of the operating system to move across networks and infect systems. Early Saturday morning, Microsoft responded with a blog post, saying it has evaluated all of the exploits listed. Its response to the release is surprisingly simple: most of them have already been fixed.

  • 'Shadow Brokers' dump of NSA tools includes new Windows exploits (updated)

    by Richard Lawler
    04.14.2017

    Earlier this year "The Shadow Brokers" -- an entity claiming to have stolen hacking tools from the NSA and then offering them for sale -- seemed to pack up shop, but the group has continued on. Today, it made a new post that contained a number of working exploits for Windows machines running everything from XP up to at least Windows 8. As for Windows 10, it appears that the stolen data is from 2013 and predates the latest OS. As such, it isn't immediately apparent if it's vulnerable, but early results indicate at least some of the tools aren't working on it.

    Update (4/15): Microsoft responded early Saturday morning, saying that the seven leaked flaws that affect supported systems have all already been patched. Of course, the story gets a bit more interesting from there, since it appears that four of them were only patched just last month, suggesting someone informed the company about the security issues before TSB could leak them.