Microsoft says users are protected from alleged NSA malware

Posted April 16, 2017

Back in August, the Shadow Brokers group released a large number of stolen tools purportedly hacked from "the Equation Group", which is near-unanimously believed to be the NSA. "It would give them a greater scope and access for reviewing and, indeed, trying to manipulate any of those financial records", the expert said.

According to Motherboard, the most risky program in the release is an NSA program known as FUZZBUNCH, "a hacking suite or toolkit that contains several plug-and-play exploits to attack several versions of Windows operating system".

The leaked files "suggest the NSA was targeting the SWIFT banking system of several banks around the world".

Matthew Hickey, founder of Hacker House, who reproduced the hacks, said businesses that delay patches for operational reasons should make sure their software is up to date.

"It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it", he told Ars Technica. Hickey was able to test out exploits in his United Kingdom firm's lab and confirmed they "work just as they are described".

The Shadow Brokers, a group of anonymous hackers, had published hacking tools used by the NSA the previous year. If you're still running Windows XP or Windows Vista then it's time to look at something more modern, as you're open to these security flaws and many more that will remain unpatched and exploited. But Microsoft, which initially stated only that it was investigating the matter, added late on Friday night that it had already patched most of the vulnerabilities.

Hickey said the Windows exploits leaked on Friday could be used to conduct espionage and target critical data in Windows-based environments.

Several of the tools would let a hacker remotely gain the ability to run their own code on a targeted Windows-operated machine.

An email to the NSA's press office was not returned.

Microsoft, however, notes that these exploits were only patched "on supported products", and in particular notes that three exploits, "EnglishmanDentist", "EsteemAudit" and "ExplodingCan", could not be reproduced on "Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange", urging customers to upgrade to supported versions of the software. "Below is our update on the investigation", says Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center.

The tools appear legitimate, he said, and at least one of the zero-day exploits in the release still works against Windows Server 2013. In addition to the released files, the Shadow Brokers announced an "auction" for the sale of an additional batch of NSA tools.

The attacks and new hacking tactics underscore the continuing vulnerability of the SWIFT messaging network, which handles trillions of dollars in fund transfers daily.

The release may also cause substantial diplomatic fallout, as the US government's access to SWIFT has always been controversial. "Because there was no indication Microsoft had patched these bugs, researcher systems did not include last month's patches, so they [the exploits] still worked".

SWIFT, based in Belgium, released a less categorical statement, saying, "we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties".