For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most concerning. It contains exploits for vulnerabilities that can be used to hack into unpatched Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.
If you have a vulnerable aging machine with those services running, it is possible they can be hijacked using today's dumped tools – if not by strangers on the 'net then potentially by malicious employees or malware already on your network. If you're running the latest up-to-date gear, such as Windows 10, none of this will directly affect you – but not everyone is so lucky. There are plenty of organizations out there that cannot keep every box up to date, for various reasons.
The leaked archive also contains the NSA's equivalent of the Metasploit hacking toolkit: FUZZBUNCH.
Matthew Hickey, cofounder of British security shop Hacker House, told The Register that FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.
"This is a nation-state toolkit available for anyone who wants to download it – anyone with a little bit of technical knowledge can download this and hack servers in two minutes," Hickey said. "It's as bad as you can imagine."
He pointed out that the timing of the release – just before Easter – is also significant. With much of the Western world taking it easy on Zombie Jesus weekend, some organizations may be caught short by the dumped cache of cyber-arms.
It looks as though the NSA is keeping up with its habit of amusing nomenclature. The files include an exploit dubbed ENGLISHMANSDENTIST, which appears to trigger executable code on victims' desktops via Outlook clients. Other examples include but are not limited to:
ESKIMOROLL, a Kerberos exploit targeting Windows 2000, Server 2003, Server 2008 and Server 2008 R2 domain controllers.
EMPHASISMINE, a remote IMAP exploit for later versions of Lotus Domino.
ETERNALROMANCE, a remote SMB1 network file server exploit targeting Windows XP, Server 2003, Vista, Windows 7, Windows 8, Server 2008, and Server 2008 R2. This is yet another reason to stop using SMB1 – it's old and vulnerable.
ETERNALBLUE, another SMB1 and SMB2 exploit. Below is a video showing ETERNALBLUE compromising a Windows 2008 R2 SP1 x64 host via FUZZBUNCH to install a remote command execution tool called DOUBLEPULSAR.
ETERNALCHAMPION, another SMB2 exploit.
ERRATICGOPHER, an SMB exploit targeting Windows XP and Server 2003.
ETERNALSYNERGY, a remote code execution exploit against SMB3 that potentially works against operating systems as recent as Windows Server 2012.
EMERALDTHREAD, an SMB exploit that drops a Stuxnet-style implant on systems.
ESTEEMAUDIT, a remote RDP exploit targeting Windows Server 2003 and Windows XP to install hidden spyware.
EXPLODINGCAN, a Microsoft IIS 6 exploit that targets WebDav on Server 2003 only.
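The SMB1 audit the article urges, as an added example (PowerShell written for this page, not code from the article or from the leaked archive): it reports whether the SMB1 server protocol is enabled on the local Windows host and, when run with -Disable, switches it off. The cmdlet names are Microsoft's; the registry fallback for Windows 7 / Server 2008 R2 era hosts and the script's parameter name are assumptions of this example.

```powershell
# Added example, not from the article: audit (and optionally disable) the SMB1 server on this host.
# Get-/Set-SmbServerConfiguration exist on Windows 8 / Server 2012 and later; the LanmanServer
# "SMB1" registry value is the documented switch for Windows 7 / Server 2008 R2.
# Windows 2000 / XP / Server 2003 hosts named in the article have no PowerShell and need other handling.
param(
    [switch]$Disable   # omit to audit only
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: an absent SMB1 value means the protocol is enabled by default.
    $v = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

$enabled = Get-Smb1State
Write-Output ("{0}: SMB1 server enabled = {1}" -f $env:COMPUTERNAME, $enabled)

if ($enabled -and $Disable) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry path: value is read at service start, so a reboot (or LanmanServer restart) is needed.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Output 'Registry updated; restart the host for the SMB1 server change to take effect.'
    }
    Write-Output ("{0}: SMB1 server enabled = {1}" -f $env:COMPUTERNAME, (Get-Smb1State))
}
```

Run it in an elevated PowerShell session; turning SMB1 off breaks clients that can only speak SMB1 (very old Windows, some printers and NAS boxes), so audit first and disable per host once nothing still depends on it.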