NSA’s Windows “EsteemAudit” RDP Exploit Remains Unpatched – Wanna Cry Again

By Prempal Singh, May 26, 2017

Brace yourselves for a possible ‘second wave’ of a massive global cyber attack, as SMB (Server Message Block) was not the only network protocol whose zero-day exploits created by the NSA were exposed in the Shadow Brokers dump last month.

Although Microsoft released patches for the SMB flaws for supported versions in March and for unsupported versions immediately after the outbreak of the WannaCry ransomware, the company did not patch three other NSA hacking tools, dubbed “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.”

It has been almost two weeks since the WannaCry ransomware started to spread, infecting nearly 300,000 computers in more than 150 countries within 72 hours, though it has now slowed down.

For those unaware, WannaCry exploited a Windows zero-day SMB bug that allowed remote hackers to hijack PCs running unpatched Windows and then, using its wormable capability, spread itself to other unpatched systems.

EsteemAudit: Over 24,000 PCs Still Susceptible

EsteemAudit is another dangerous NSA-developed Windows hacking tool leaked by the Shadow Brokers. It targets the RDP service (port 3389) on Microsoft Windows Server 2003 / Windows XP machines.

Since Microsoft no longer supports Windows Server 2003 and Windows XP and, unlike with EternalBlue, the company has not released any emergency patch for the EsteemAudit exploit so far, over 24,000 vulnerable systems remain exposed on the Internet for anybody to hack.

“Even one afflicted machine opens your business to greater exploitation,” say Omri Misgav and Tal Liberman, security experts at the cyber security firm enSilo, who created the AtomBombing attack recently and have now released an unofficial patch for EsteemAudit, which we cover later in this post.

EsteemAudit can be used as wormable malware, just like the WannaCry ransomware, which allows hackers to propagate within enterprise networks, leaving a large number of systems vulnerable to ransomware, surveillance and other malicious activity.

Ransomware authors, such as the criminals behind Crysis, Dharma, and SamSam, who are already infecting computers via the RDP protocol using brute-force attacks, can leverage EsteemAudit at any time for widespread and damaging attacks like WannaCry.

How to Secure Your Computers?

Due to the havoc caused by WannaCry, the SMB service gained all the attention, while RDP was neglected.

“Windows XP-based systems presently account for more than 7 percent of computer systems still in use today, and the internet security industry estimates that more than 600,000 web-facing computers, which host upwards of 175,000,000 websites, still run Windows Server 2003, accounting for roughly 18 percent of the global market share,” researchers say.

As Microsoft hasn’t released any patch for this vulnerability, users and enterprises are advised to upgrade their systems to newer versions to protect themselves from EsteemAudit attacks.

“Of the 3 remaining exploits, ‘EnglishmanDentist,’ ‘EsteemAudit,’ and ‘ExplodingCan,’ none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and new versions of Exchange are not in danger,” Microsoft says.

If it is hard for your enterprise to upgrade its systems immediately, secure the RDP port by either disabling it or putting it behind a firewall.
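As an added example (not from the original article, Microsoft or enSilo), the Python sketch below triages an asset inventory you own against the advice above: it flags Windows XP / Server 2003 hosts and checks whether TCP port 3389 still answers. The inventory format, the status labels and the sample hosts are assumptions constructed for illustration.

```python
import socket

# Operating systems the article names as affected by EsteemAudit.
AFFECTED_OS = ("windows xp", "windows server 2003")
RDP_PORT = 3389  # RDP service port named in the article


def rdp_reachable(address, port=RDP_PORT, timeout=1.0):
    """Return True if a TCP connection to the RDP port succeeds."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def triage(inventory, probe=rdp_reachable):
    """Classify hosts you own by OS and RDP reachability, most urgent first.

    inventory: iterable of dicts with 'host', 'address' and 'os' keys
    (an assumed format). Status labels are hypothetical names.
    """
    order = {"UPGRADE_AND_BLOCK_RDP": 0, "UPGRADE": 1, "REVIEW_RDP": 2, "OK": 3}
    results = []
    for item in inventory:
        affected = item["os"].strip().lower().startswith(AFFECTED_OS)
        exposed = probe(item["address"])
        if affected and exposed:
            status = "UPGRADE_AND_BLOCK_RDP"  # affected OS with RDP answering
        elif affected:
            status = "UPGRADE"                # affected OS, RDP off or filtered
        elif exposed:
            status = "REVIEW_RDP"             # supported OS, RDP still reachable
        else:
            status = "OK"
        results.append((item["host"], status))
    return sorted(results, key=lambda r: order[r[1]])


# Constructed sample inventory (TEST-NET-1 addresses, not real hosts).
SAMPLE_INVENTORY = [
    {"host": "hr-kiosk", "address": "192.0.2.10", "os": "Windows XP SP3"},
    {"host": "file-01", "address": "192.0.2.11", "os": "Windows Server 2003 R2"},
    {"host": "web-02", "address": "192.0.2.12", "os": "Windows Server 2012 R2"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Run it from the network segment you want to assess: a host that answers from the Internet side but not from inside the firewall is still exposed.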

Meanwhile, enSilo has released a patch to help Windows XP and Server 2003 users secure their machines against EsteemAudit. You can apply the patch to protect your systems, but keep in mind that it is not an official patch from Microsoft.

In case you have any doubt about the patch, enSilo is a reputed cyber security company, though I expect Microsoft to release an official patch before any outcry like that of WannaCry.

Source: thehackernews.com
