The hacker group known as the Shadow Brokers released a trove of exploits on April 14, raising the specter of a new group of previously unknown zero-day exploits that potentially could have exposed millions of users to risk. As it turns out, that wasn’t the case—within hours of the Shadow Brokers release, Microsoft issued a comprehensive overview of how it has already protected Windows against the newly disclosed Shadow Broker exploits.
The Shadow Brokers is a hacker group that first emerged publicly in August 2016, attempting to sell exploits. Multiple security firms, including Kaspersky Lab, have linked the exploits released by the Shadow Brokers to an organization known as the Equation Group, which allegedly is aligned with the U.S. National Security Agency (NSA). Within a few days of the Shadow Brokers initial exploit dump in August 2016, multiple IT vendors including Cisco and Fortinet publicly warned their customers about zero-day risks that were exposed.
With the new April 14 Shadow Brokers’ exploit data dump, Microsoft’s response was swift, noting in an advisory that nine of the 13 exploits had already been patched. The remaining exploits, according to Microsoft, are not “reproducible” on supported Windows operating systems.
Looking at the nine exploits released by the Shadow Brokers that Microsoft has already patched, one of them, EclipsedWing, was actually patched nearly nine years ago in October 2008.
“This is a remote code execution vulnerability,” Microsoft warned in its advisory at the time. “An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely.”
Two other exploits were also patched six or more years ago. Microsoft patched the Shadow Brokers’ EducatedScholar exploit in October 2009 and EmeraldThread in September 2010. The EducatedScholar exploit takes aim at the critical Server Message Block (SMB) protocol that is used by Windows to enable file and folder sharing. EmeraldThread is a print spooler vulnerability that could have enabled remote code execution.
Not all of the exploits released in the latest Shadow Brokers data dump are ancient. The EskimoRoll attack—a privilege escalation vulnerability in the Kerberos authentication mechanism—was patched in November 2014.
Four of the vulnerabilities were just patched this year, and it is unknown at this point how long the Shadow Brokers or the Equation Group has been actively using the exploits before the patches were issued. Among the issues Microsoft patched this year are a trio of attacks known as EthernalBlue, EternalRomance and EternalSynergy against Microsoft’s SMB Server—all patched in March.
Microsoft Security Bulletin MS17-010 provides details on the SMB vulnerabilities, which include remote code execution and information disclosure flaws.
“This security update resolves vulnerabilities in Microsoft Windows,” Microsoft claims in its advisory. “The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
While Microsoft has issued patches for all of the newly disclosed Shadow Brokers issues that impact supported versions of Windows, three of the issues impact nonsupported versions of Windows.
“Of the three remaining exploits, EnglishmanDentist, EsteemAudit, and ExplodingCan, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,” Phillip Misner, principal security group manager at Microsoft’s Security Response Center, wrote in a blog post. “Customers still running prior versions of these products are encouraged to upgrade to a supported offering.”
Though none of the April 14 Shadow Brokers exploits turned out to be anything new, Microsoft has had a particularly busy month in April so far dealing with zero-day exploits. The April Patch Tuesday update fixed a zero-day flaw that security firms McAfee and FireEye reported as being exploited in the wild. Additionally, Microsoft has yet to patch multiple zero-day issues first reported to the company at the Pwn2Own hacking competition in March.