While the WannaCry ransomware wave was sweeping the globe, one of the first stories that emerged alongside it was about the exploit that allowed it to exist: EternalBlue. Exposed as an NSA-discovered vulnerability during leaks by the mysterious Shadow Brokers, it allows malware authors to attack vulnerable Windows machines through a basic protocol for sharing files. Though it turns out that most of the machines WannaCry infected were Windows 7 computers, EternalBlue is just one part of a larger family of exploits. All these were leaked earlier this year, and security researchers have been poring over them ever since.
One of these exploits, EternalSynergy, was only able to target older versions of Windows due to security improvements made by Microsoft. However, a dedicated researcher has tweaked EternalSynergy and developed an upgraded version to test the limits of its abilities. This new version would have the capacity to infect Windows 7 and Windows 8 machines, a big leap in functionality. Windows 10 is not affected by this version, but other researchers have successfully demonstrated attacks on Win10 using EternalBlue.
What this means is that there are now three specially crafted exploits based on the same vulnerability — and malware that uses all three attack vectors could potentially infect more than three-quarters of all unpatched Windows machines at this point. That’s a staggering number of systems, and it makes the dissemination of Microsoft’s patches all the more important. Computers with the update are immune to the exploits, but as we saw with WannaCry, there are many instances of embedded systems with out-of-date software exposed to the Internet.
This important work also highlights how critical “ethical hackers” are in the security sector. It’s not just about uncovering problems and developing solutions — it’s also important to push the limits of systems and what one could do with the right tools. Unpacking malware means the opportunity to find other attack vectors a malicious coder perhaps missed or didn’t think about yet. Not only does this help to uncover problems in a system that we might not have known about, but it also yields a chance to deploy fixes before an issue actually hits users. While we’ve already seen other attacks, like NotPetya, striking systems using this vulnerability, researchers will continue to dig into the Shadow Brokers leaks to find ways to implement more safeguards.