AES-NI Exploit – NSA’s Windows Tools Leaked

A new trove of alleged surveillance tools and exploits from the National Security Agency’s elite hacking team have been released by the Shadow Brokers’ hacking group.

The group appeared to release tools designed to target Windows PCs and servers, along with presentations and files purporting to detail the agency’s methods of carrying out clandestine surveillance.

According to several documents, the NSA used the Windows hacking tools to target several banks, including the SWIFT banking system.

The dump of Windows exploits — arguably affecting the most people and organizations and likely to cause the most damage and embarrassment to the intelligence agency — has been expected since the hacking group first emerged on the scene last year.

Several of the files we’ve seen appear to be “top secret” in classification, such as JeepfleaMarket, which appears to utilize the Jeepflea program to collect data on servers at least nine international banks.

The document purports to show the infrastructure behind the system, along with another document, which shows that the NSA has deep access to some networks by exploiting VPN and firewall systems. It appears that most of the exploits target older Windows versions, dating back as early as Windows XP and Windows Server 2003.

(Image: supplied, via Kevin Beaumont)

Among the more interesting exploits found in the cache include ExplodingCan, which exploits older versions of Windows’ web server Internet Information Services with a remote backdoor. Security researcher Kevin Beaumont, who examined the exploit, said in a tweet that the tool was “very well” built.

Another exploit, dubbed EmeraldThread, is a remote Windows SMB exploit for Windows XP and 2003.

Other tools point to several other remote exploits in every version of Windows, according to Hacker Fantastic, a security researcher who has been analyzing the files. The researcher was able to run many of the exploits found in the cache.

It’s not known how many of the exploits, if any, are unknown to the manufacturer. These so-called zero-day vulnerabilities are closely guarded secrets to allow analysts to carry out surveillance.

A Microsoft spokesperson said in a statement late Friday that it has “confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products.”

Article Source: ZDNet, Zack Whittaker

Are you running Windows Server OS on your server? If so, be sure to run security updates to ensure you are protected from this vulnerability. QuadraNet customers who are opted for our server management may contact our support department for further assistance.

Not enrolled in QuadraNet server management? Contact us at to learn more about the benefits of adding Server Management to your server today!