The EternalSynergy, EternalRomance, and EternalChampion exploits have been reworked to work on all vulnerable Windows versions: Windows 2000 -- Server 2016.

Oh, good, three NSA exploits previously leaked by The Shadow Brokers have been tweaked so they now work on all vulnerable Windows 2000 through Server 2016 targets, as well as standard and workstation counterparts.

Before this, EternalSynergy, EternalRomance, and EternalChampion had partially been used in the NotPetya cyber attack. However, they had not been used by malicious actors nearly as much as EternalBlue because they didn’t work on recent Windows versions. That has now changed thanks to RiskSense security researcher Sean Dillon, aka @zerosum0x0, who ported the Microsoft Server Message Block (SMB) exploits to work on Windows versions released over the past 18 years.

Can you judge by a disclaimer how much reworked exploits might wreck your digital world? Dillon’s disclaimer warned:

“This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Authors and project maintainers are not responsible or liable for misuse of the software. Use responsibly.”

MS17-010 #EternalSynergy #EternalRomance #EternalChampion exploit and auxiliary modules for @Metasploit. Support for Windows 2000 through 2016. I basically bolted MSF psexec onto @sleepya_ zzz_exploit. https://t.co/UnGA1u4gWe pic.twitter.com/Y9SMFJguH1
-- zǝɹosum0x0🦉 (@zerosum0x0) January 29, 2018

The “new and improved” versions of these exploits were ported to the Metasploit Framework.

How the exploits work

Tripwire explained, “Each of the revised exploits boast remote command and code execution modules that rely on the zzz_exploit adaptation in that they exploit the SMB connection session structures to gain Admin/SYSTEM access.
Unlike EternalBlue, EternalSynergy, EternalRomance, and EternalChampion do not use kernel shellcode to stage Meterpreter. Someone could still stage Meterpreter, a payload which comes with the Metasploit penetration testing software, but they would likely need to evade their payloads.”

While that doesn’t mean this is the end for EternalBlue, Dillon noted, “This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).” Security researcher Kevin Beaumont tried it out and added that it is reliable and doesn’t cause a Blue Screen of Death like EternalBlue does.

Big one: SMB exploit (fixed in MS17-010+) now ported to Windows 2000 up to Windows Server 2016, and all versions in between. Reliable, doesn’t cause BSOD like EternalBlue either. I’ve tried on Win2000 and XP. https://t.co/EZ96eFsV5C
-- Kevin Beaumont (@GossiTheDog) January 29, 2018

According to Heimdal Security, “Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB (Server Message Block) connection session structures to gain admin rights over the system.”

Dillon added, “Unlike EternalBlue, the exploit module will drop to disk (or use a PowerShell command).”

In the span of a few short days, the newly modified exploits became two of the most popular tested modules for Metasploit.

exploit/windows/smb/ms17_010_psexec and auxiliary/admin/smb/ms17_010_command are now surely two of the most vigorously tested modules in all of @Metasploit. Thanks to everyone who helped!
Should land to master branch soon… pic.twitter.com/NKy8nopF9p
-- zǝɹosum0x0🦉 (@zerosum0x0) February 2, 2018

“It is worth mentioning that these exploits could have self-replicate abilities that enable to spread fast and impact lots of machines, so we urge you to apply all software patches available,” wrote Heimdal Security.

Microsoft issued a patch in March 2017. If you haven’t deployed the fixes on your box yet, then it would be wise to do so now.

Versions of Windows that can be exploited

The reworked NSA exploits work on all unpatched versions, 32-bit and 64-bit architectures, of Windows since 2000. Dillon included this list of supported versions of Windows that can be exploited:

- Windows 2000 SP0 x86
- Windows 2000 Professional SP4 x86
- Windows 2000 Advanced Server SP4 x86
- Windows XP SP0 x86
- Windows XP SP1 x86
- Windows XP SP2 x86
- Windows XP SP3 x86
- Windows XP SP2 x64
- Windows Server 2003 SP0 x86
- Windows Server 2003 SP1 x86
- Windows Server 2003 Enterprise SP 2 x86
- Windows Server 2003 SP1 x64
- Windows Server 2003 R2 SP1 x86
- Windows Server 2003 R2 SP2 x86
- Windows Vista Home Premium x86
- Windows Vista x64
- Windows Server 2008 SP1 x86
- Windows Server 2008 x64
- Windows 7 x86
- Windows 7 Ultimate SP1 x86
- Windows 7 Enterprise SP1 x86
- Windows 7 SP0 x64
- Windows 7 SP1 x64
- Windows Server 2008 R2 x64
- Windows Server 2008 R2 SP1 x64
- Windows 8 x86
- Windows 8 x64
- Windows Server 2012 x64
- Windows 8.1 Enterprise Evaluation 9600 x86
- Windows 8.1 SP1 x86
- Windows 8.1 x64
- Windows 8.1 SP1 x64
- Windows Server 2012 R2 x86
- Windows Server 2012 R2 Standard 9600 x64
- Windows Server 2012 R2 SP1 x64
- Windows 10 Enterprise 10.10240 x86
- Windows 10 Enterprise 10.10240 x64
- Windows 10 10.10586 x86
- Windows 10 10.10586 x64
- Windows Server 2016 10.10586 x64
- Windows 10 10.0.14393 x86
- Windows 10 Enterprise Evaluation 10.14393 x64
- Windows Server 2016 Data Center 10.14393 x64
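Dillon's note above says the ported module is preferred where a named pipe is accessible for anonymous logins. The following is an added example, not code from the article or from the Metasploit modules: a read-only PowerShell audit of the two LanmanServer registry values behind the Windows "Network access" policies for anonymous named-pipe access. The function name Get-NullSessionPipeExposure and the helper Read-Value are hypothetical, and the "Exposed" flag is a triage hint, not a statement of patch status.

```powershell
# Added example: report whether this host allows anonymous (null session)
# access to SMB named pipes. Reads the registry only; changes nothing.
function Get-NullSessionPipeExposure {
    [CmdletBinding()]
    param()

    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Hypothetical helper: returns $null when the value is absent instead of throwing.
    function Read-Value($Path, $Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # REG_MULTI_SZ list of pipes that null sessions may open
    # (policy: "Named pipes that can be accessed anonymously").
    $pipes = @(Read-Value $srvKey 'NullSessionPipes' | Where-Object { $_ })

    # REG_DWORD; 1 limits null sessions to the listed pipes and shares,
    # 0 lifts that limit (policy: "Restrict anonymous access to Named Pipes and Shares").
    $restrict = Read-Value $srvKey 'RestrictNullSessAccess'

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        NullSessionPipes       = $pipes
        RestrictNullSessAccess = $restrict
        # Flag the host for review if any pipe is listed or the restriction is off.
        Exposed                = ($pipes.Count -gt 0) -or ($restrict -eq 0)
    }
}

Get-NullSessionPipeExposure | Format-List
```

A host that reports Exposed as False can still be unpatched; the check only narrows which machines offer the anonymous pipe access the quote describes, so patch status has to be verified separately.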