Educause Security Discussion mailing list archives

Re: ShadowBrokers dump of NSA Equation Group Files


From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Sat, 15 Apr 2017 16:56:35 +0000

Good news: If you're patched up to date and not still using Windows 2003 anywhere, you're probably okay.

Despite stating otherwise (probably because they had to), it appears that Microsoft got a heads-up on this and fixed 
the SMB vulnerabilities in a patch described in Security Bulletin MS17-010.  The IIS and RDP exploits for Win 2003 will 
not be fixed and the SMB patches are not available for 2003 so Win 2003 (and XP) should be considered dead at this 
point.  For 2008 and up, you just need to be patched up to date.

The reports yesterday were that the SMB exploits worked on fully-patched Windows 7, but that appears to have been 
incorrect.

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

Steven Alexander
Director of IT Security
Kern Community College District

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Steven 
Alexander [steven.alexander () KCCD EDU]
Sent: Friday, April 14, 2017 9:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ShadowBrokers dump of NSA Equation Group Files

+1 for the Twitter feeds you listed, HackerFantastic in particular.

In addition to the older IIS exploit, there are exploits for Remote Desktop and SMB.  Basically anything up to Server 
2012 is vulnerable.  Presumably we'll see some patches coming from Microsoft in the not-too-distant future, but any 
Windows 2003 Servers, or Windows XP/Vista desktops are not supposed to get security updates from Microsoft.  I realize 
I'm preaching to the choir, but now would be a great time to put other projects on hold long enough to retire those 
systems that are still hanging around your network.

If you have any IIS 6.0 servers on the Internet, this dump (plus the exploit from ~2 weeks ago) should provide the 
justification you need to insist on taking them down now.  Hopefully you're not exposing RDP or SMB.

Good luck everyone.

Steven Alexander
Director of IT Security
Kern Community College District
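The advice in the two messages above (confirm the MS17-010 update is installed, retire 2003/XP, and make sure SMB and RDP are not exposed) can be turned into a quick local triage script. The following PowerShell is an added example written for this archive page; it is not code from the thread or from Microsoft. It assumes Windows PowerShell 3.0 or later on Windows 7/2008 R2 or newer, run as Administrator, and the `$Ms17010Kbs` list is a placeholder you must fill from the KB articles listed in Security Bulletin MS17-010 for the OS you are checking.

```powershell
# Added example, not from the original thread. Run as Administrator.
# $Ms17010Kbs is a PLACEHOLDER: replace it with the KB numbers MS17-010 lists for this OS.
param(
    [string[]]$Ms17010Kbs = @('KB0000000')   # placeholder value, not a real MS17-010 KB
)

$os = Get-CimInstance Win32_OperatingSystem
$findings = @()

# 1. End-of-life platforms get no SMB fix: retire rather than patch.
#    Win32_OperatingSystem.Version is "5.1" for XP and "5.2" for Server 2003.
if ($os.Version -match '^5\.') {
    $findings += "RETIRE: $($os.Caption) ($($os.Version)) receives no MS17-010 fix."
}

# 2. Is one of the MS17-010 updates installed? Get-HotFix reads the installed-update list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$hit = $Ms17010Kbs | Where-Object { $installed -contains $_ }
if (-not $hit) {
    $findings += "PATCH: none of the listed MS17-010 updates ($($Ms17010Kbs -join ', ')) are installed."
}

# 3. Is SMBv1 still enabled? Get-SmbServerConfiguration exists on Windows 8/2012 and later;
#    older hosts expose the same setting as the SMB1 registry value (absent = enabled).
$smb1 = $null
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
}
if ($smb1) {
    $findings += "HARDEN: SMBv1 is enabled; disable it unless a legacy dependency requires it."
}

# 4. Are SMB (TCP 445) and RDP (TCP 3389) listening? A listener is not proof of Internet
#    exposure, but it tells you which hosts need a perimeter firewall check.
$listening = netstat -an | Select-String 'LISTENING'
foreach ($port in 445, 3389) {
    if ($listening | Select-String ":$port\s") {
        $findings += "REVIEW: TCP $port is listening; confirm it is not reachable from the Internet."
    }
}

if ($findings.Count -eq 0) { "OK: no findings on $($os.Caption)" } else { $findings }
```

Run it on each Windows host (or push it through your management tooling) and collect the output: any RETIRE line is a host to decommission, PATCH lines go to the patching queue, and REVIEW lines are the hosts to cross-check against your external firewall rules.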

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Seiwert, Matt 
[Matt.Seiwert () WICHITA EDU]
Sent: Friday, April 14, 2017 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ShadowBrokers dump of NSA Equation Group Files

Hello.

If you haven’t already seen this in the news, the ShadowBrokers group has released the collection of NSA Windows 
exploits they claimed to have obtained. Various members of the information security community have already verified 
that this dump is legitimate. This dump has given a toolbox of ready to use exploits to anyone who wishes to download 
them now. Many of the tools target older versions of Windows and IIS, but many institutions still have world facing 
services that fall into the affected scope.

I wanted to bring this to everyone’s attention in case anyone had missed it.

Reference:

Shadow Brokers Dump Alleged Windows Exploits and NSA Presentations on Targeting Banks:

https://motherboard.vice.com/en_us/article/shadow-brokers-dump-alleged-windows-exploits-and-nsa-presentations-on-targeting-banks

NSA-leaking Shadow Brokers just dumped its most damaging release yet:

https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

Key analysts working on evaluation of these files:

https://twitter.com/GossiTheDog
https://twitter.com/x0rz
https://twitter.com/hackerfantastic

Thank you.

Matt


|| Matt Seiwert – IT Security Team – 316-978-3049 – matt.seiwert () wichita edu ||
