The NSA’s Equation Group hacking tools, leaked last Friday by the Shadow Brokers, have now been used to infect thousands of Windows machines worldwide, we’re told.
On Thursday, Dan Tentler, founder of security shop Phobos Group, told The Register he’s seen rising numbers of boxes on the public internet showing signs they have DOUBLEPULSAR installed on them. These hijacked machines can be used to sling malware, spam netizens, launch further attacks on other victims, and so on.
DOUBLEPULSAR is a backdoor used to inject and run malicious code on an infected system, and is installed using the ETERNALBLUE exploit that attacks SMB file-sharing services on Windows XP to Server 2008 R2. That means to compromise a computer, it must be running a vulnerable version of Windows and expose an SMB service to the attacker. Both DOUBLEPULSAR and ETERNALBLUE are leaked Equation Group tools, now available for any script kiddie or hardened crim to download and wield against vulnerable systems.
In March, Microsoft patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE, and it’s clear that some people have been slow to apply the critical update, are unable to do so, or possibly just don’t care.
The fix is available for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Server Core. If you have an older vulnerable system, such as XP or Server 2003, you’re out of luck.
Tentler said that a preliminary scan of the public internet on Thursday using Shodan.io revealed 15,196 infections, with four-fifths of those coming from IP ranges in the US. These numbers increase with each followup scan. A DOUBLEPULSAR-riddled system can be identified by the way it responds to a special ping to port 445.
Some people just want to watch the world burn … Dan’s stats showing DOUBLEPULSAR infections
“The polite term for what’s happening is a bloodbath. The impolite version is dumpster fire clown shoes shit show,” Tentler said. “I’m hopeful this is the wakeup moment for people over patching Windows machines.”
The problem may be even more serious. A larger scan by infosec researcher Robert Graham showed around 41,000 infected hosts and more scans are going to be carried out, so expect that number to rise.
Tentler reckons that when the Shadow Brokers’ arsenal hit the web on Easter weekend, script kiddies around the world grabbed the cyber-arms, went out, and infected everything they could find.
An analysis of the infected machines suggests a lot of them are going to stay that way for some time. If they haven’t applied MS17-010 by now, they probably won’t do for a long while, if ever. DOUBLEPULSAR, being a nation-state-grade backdoor, is…