Security Alert: Stabilized Exploits Target Legacy Windows-Running Servers and PCs

Share and earn Cybytes
Facebook Twitter LinkedIn Email

The need to regularly apply all the available patches should remain a top priority for each of us. If you haven’t installed the newest updates for your operating system, we strongly recommend you to immediately do this.

Especially if you have or manage your own server and you’re running older versions of Windows server ( which are still functional but lack new technologies) that make them more vulnerable to a new wave of exploits.

Along with the Eternal Blue, Eternal Synergy, Eternal Romance and Eternal Champion are methods used for malicious purposes and part of the arsenal of NSA leaked exploits used to help carry out the devastating Petya cyber attack.

The three exploits, which are linked to the CVE-2017-0143 and CVE-2017-0146 Microsoft vulnerabilities, have been rewritten and stabilized and can impact all Windows operating systems starting with Windows 2000 up to and including Server 2016 edition.

Microsoft Vulnerability CVE 2017 0143 details

Source: CVE Details

Microsoft Vulnerability CVE 2017 0146 details

Source: CVE Details

How the infection spreads

These exploits can be used by online criminals to remotely execute arbitrary code on systems if they send specially crafted messages to the Microsoft SMB servers.

They are ported to the popular Metasploit penetration testing Framework, which is a tool for developing and executing exploit code against a remote target machine.

Malicious actors try to run commands in the system, by default, to authenticate and perform the exploits. They make use of these SMB exploits (listing vulnerabilities until they try to open a named Pipe ) to spread malware and get inside users’ PCs.

Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB (Server Message Block) connection session structures to gain admin rights over the system.

After that, the exploit module will drop to disk (or use a PowerShell command), explains zerosum0x0 and then copy directly to the hard drive.

Big one: SMB exploit (fixed in MS17-010+) now ported to Windows 2000 up to Windows Server 2016, and all versions in between. Reliable, doesn’t cause BSOD like EternalBlue either. I’ve tried on Win2000 and XP.

— Kevin Beaumont (@GossiTheDog) January 29, 2018

The difference between the Metasploit port of EternalBlue and these exploit modules is that the kernel shellcode is not used to load Meterpreter payloads.

It is worth mentioning that these exploits could have self-replicate abilities that enable to spread fast and impact lots of machines, so we urge you to apply all software patches available.

To check if your system is affected by these exploits, have a look at this list below containing Windows software which immediately needs the update:

  • Windows Server 2000 SP0 x86
  • Windows 2000 Professional SP4 x86
  • Windows 2000 Advanced Server SP4 x86
  • Windows XP Professional SP0 x86
  • Windows XP SP3 x86
  • Windows XP x64
  • Windows Server 2003 x86
  • Windows Server 2003 SP2 x86
  • Windows Server 2003 x64
  • Windows Vista Home Premium x86
  • Windows Server 2008 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2012 R2 x64
  • Windows Server 2016 10.10586 x64
  • Windows Server 2016 10.14393 x64

According to the pentester who noticed these exploits, he thinks that they “should virtually never crash post-Vista, and only in extremely rare circumstances for earlier versions”. More technical details can be found on Github.

Use this protection guide to fight against these exploits

  • First of all, we strongly encourage all users to install this critical patch released by Microsoft in March 2017 for Windows SMB Server (Microsoft Security Bulletin MS17-010) on all available systems RIGHT NOW. Here you will find links to all the software versions affected and the security update package to install. 
  • Consider adding another layer of protection on top of your AV product for maximum protection such as proactive cyber security software solution;
  • Make sure you have a reliable antivirus program installed on your computer to better protect your most sensitive data from online threats;
  • Firewalls can enhance network security by helping to prevent unauthorized access and should be enabled on your PC;
  • We remind you that security isn’t about choosing a solution or another, it’s also about improving our online habits and always being proactive;
  • Educate yourself and gain more knowledge in the info security field, so you can learn how to better detect and prevent such cyber attacks. Use these free online educational resources to learn actionable and useful things.

Final thoughts

Based on these exploits, we could see a new wave of global cyber attacks similar to WannaCry or nonPetya hitting both users and organizations, so prevention should be our top priority.

Have you applied the latest updates to your system?

Heimdal Official logo

If you liked this post, you will enjoy our newsletter.
Receive new articles directly in your inbox

*This article features cyber intelligence provided by CSIS Security Group researchers.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.
Promoted Content
Expert Roundup: Is Internet Security a Losing Battle?
A while ago, one of our readers asked us to answer the following questions: Is Internet security a losing battle? How come companies are always 1-2 steps behind the fight? How can the bad guys respond so fast?That reader is certainly not the only one with this issue on his mind. Many Internet users feel discouraged by the current state of cyber crime and its consequences, and the rest don’t yet understand why they should care about it. We wanted to do something to change this.Naturally, users like you and me are not the only ones who wrestle this dilemma. Within the industry, cyber security experts are deeply involved in studying the causes and changes which have brought us to this point so they can create better solutions. Each of these experts brings a different perspective to the discussion, because no single person can ever claim to have the full picture.That is why we reached out to some of the most experienced cyber security specialists in the field to gather their thoughts on the topic. We believe that the questions we received are justified and they deserve an honest answer. And you will find plenty of them in the article!

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?