The Hacker News — Cyber Security, Hacking, Technology News

Did you know… last month's widespread WannaCry ransomware attack forced Microsoft to release security updates against EternalBlue SMB exploit for unsupported versions of Windows, but the company left other three Windows zero-day exploits unpatched?

For those unaware, EternalBlue is a Windows SMB flaw that was leaked by the Shadow Brokers in April and then abused by the WannaCry ransomware to infect nearly 300,000 computers in more than 150 countries within just 72 hours on 12th of May.

Shortly after WannaCry outbreak, we reported that three unpatched Windows exploits, codenamed "EsteemAudit," "ExplodingCan," and "EnglishmanDentist," were also being exploited by individuals and state-sponsored hackers in the wild.

Specially EsteemAudit, one of the dangerous Windows hacking tool that targets remote desktop protocol (RDP) service on Microsoft Windows Server 2003 and Windows XP machines, while ExplodingCan exploits bugs in IIS 6.0 and EnglishmanDentist exploits Microsoft Exchange servers.

But now Microsoft has released free security updates for unsupported versions of its products, including Windows XP and Server 2003, to patch all the three cyber-weapons and block next wave of "destructive cyberattacks" similar to WannaCry.

According to the recent Microsoft blog post, the critical down-level patches for three Windows exploits were prompted by an "elevated risk of destructive cyberattacks" by government organizations, referred to as "nation-state actors or other copycat organizations."

The security patches for Windows XP, Vista, and Server 2003 contain fixes or mitigations for three alleged NSA-developed exploits — EsteemAudit, ExplodingCan, and EnglishmanDentist — though none of these exploits works on supported Windows platform.

Unlike regular Patch Tuesday releases that delivered automatically through the Windows Update mechanism to your devices, these down-level patches must be downloaded and installed manually.

These updates are available in the Microsoft Download Center or, in the Update Catalog, or you can find download links at the bottom of Security Advisory 4025685.

No doubt, this move by Microsoft to protect its customers by releasing security updates for end-of-support products is commendable, but this could also motivate users to stick to 14-years-old unsupported and risky versions of Windows OS that are exposed to all manner of potential threats.

And since Microsoft is fixing known vulnerabilities in Windows XP and Server 2003 that weren't fixed before, the job of migrating away from unsupported versions just got a whole lot harder than before.

However, Eric Doerr, general manager of the company's Security Response Center, said in a separate blog post that the move was only meant to fix flaws that are at "heightened risk of exploitation due to past nation-state activity and disclosures."

"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies," Doerr said. "Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly."

However, Doerr urged users to adopt new, supported versions of Microsoft products, which are significantly more secured and resistant to exploits, and warned them not to expect regular security updates for out-of-date platforms in the future.

Meanwhile as part of its regular Patch Tuesday, Microsoft has released security updates to patch nearly a hundred flaws in its various Windows operating systems and software, two of which have actively been exploited in the wild.

All the regular releases are delivered automatically through the Windows Update mechanism to users running supported versions of Windows OS, including Windows 10, 8.1, 7, and post-2008 Windows Server releases, on their devices.

The notorious hacking group, Shadow Brokers, who claimed to have stolen a bunch of hacking tools from the NSA's elite hacking team Equation Group, had also promised to leak more zero-days and exploits starting this month.

Brace yourselves for a possible 'second wave' of massive global cyber attack, as SMB (Server Message Block) was not the only network protocol whose zero-day exploits created by NSA were exposed in the Shadow Brokers dump last month.

Although Microsoft released patches for SMB flaws for supported versions in March and unsupported versions immediately after the outbreak of the WannaCry ransomware, the company ignored to patch other three NSA hacking tools, dubbed "EnglishmanDentist," "EsteemAudit," and "ExplodingCan."

It has been almost two weeks since WannaCry ransomware began to spread, which infected nearly 300,000 computers in more than 150 countries within just 72 hours, though now it has been slowed down.

For those unaware, WannaCry exploited a Windows zero-day SMB bug that allowed remote hackers to hijack PCs running on unpatched Windows OS and then spread itself to other unpatched systems using its wormable capability.

EsteemAudit: Over 24,000 PCs Still Vulnerable

EsteemAudit is another dangerous NSA-developed Windows hacking tool leaked by the Shadow Brokers that targets RDP service (port 3389) on Microsoft Windows Server 2003 / Windows XP machines.

Since Microsoft no longer support Windows Server 2003 and Windows XP and unlike EternalBlue the company has not released any emergency patch for EsteemAudit exploit so far, over 24,000 vulnerable systems remains still exposed on the Internet for anyone to hack.

"Even one infected machine opens your enterprise to greater exploitation," say Omri Misgav and Tal Liberman, security researchers at Ensilo cyber security firm who came up with the AtomBombing attack last year and now has released an unofficial patch for EsteemAudit, which we have introduced later in this article.

EsteemAudit can also be used as a wormable malware, similar to the WannaCry ransomware, which allows hackers to propagate in the enterprise networks, leaving thousands of systems vulnerable to ransomware, espionage and other malicious attacks.

Ransomware authors, such as criminals behind CrySiS, Dharma, and SamSam, who are already infecting computers via RDP protocol using brute force attacks, can leverage EsteemAudit anytime for widespread and damaging attacks like WannaCry.

How to Secure Your Computers?

Due to the havoc caused by WannaCry, SMB service gained all the attention, neglecting RDP.

"Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today, and the cyber security industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of the global market share," researchers say.

Since Microsoft has not released any patch for this vulnerability, users and enterprises are advised to upgrade their systems to the higher versions to secure themselves from EsteenAudit attacks.

"Of the three remaining exploits, “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan,” none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft says.

If it's hard for your enterprise to upgrade their systems immediately, it's good for them to secure their RDP port by either disabling it or putting it behind the firewall.

Meanwhile, enSilo has released a patch to help Windows XP and Server 2003 users secure their machines against EsteemAudit. You can apply the patch to secure your systems, but keep in mind, that it is not an official patch from Microsoft.

If you have any doubt on the patch, enSilo is a reputed cyber security company, though I expect Microsoft to release an official patch before any outcry like that of WannaCry.