The NSA's Equation Group hacking tools are in the news, again
April 21, 2017
Once again the NSA's Equation Group hacking tools are in the news. The Shadow Brokers leaked the latest batch last Friday, and according to various reports the tools have since been used to infect thousands of Windows machines worldwide.
Yesterday, Dan Tentler, founder of security firm Phobos Group, said he has seen rising numbers of boxes on the public internet showing signs that 'DOUBLEPULSAR' is installed on them.
Those hijacked PCs can be used to install malware, spam users, launch further attacks on other victims, etc.
By definition, DOUBLEPULSAR is a backdoor (a kernel-mode implant) used to inject and run malicious code on an infected system. It is installed using the 'ETERNALBLUE' exploit, which attacks the SMBv1 file-sharing service on Windows XP through Server 2008 R2.
This means that to be compromised, a computer must be running a vulnerable version of Windows and expose an SMB service (TCP port 445) to the attacker. Both DOUBLEPULSAR and ETERNALBLUE are leaked Equation Group tools, now available for any beginning hacker or experienced cyber criminal to download and use against vulnerable systems.
Last month, Microsoft patched the SMB Server vulnerability exploited by ETERNALBLUE (bulletin MS17-010), and it is clear that some people have been very slow in applying the critical security update, are unable to do so, or simply don't care.
The security patch is now available for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Server Core.
If you have an older vulnerable system such as XP or Server 2003, you are out of luck: support for XP ended in April 2014 and for Server 2003 in July 2015, and no MS17-010 update exists for either.
Tentler asserted that a preliminary scan of the public internet yesterday using Shodan.io found no fewer than 15,196 infections, about 82.3 percent of them in IP ranges in the United States.
Worse, those numbers increase with each follow-up scan. A DOUBLEPULSAR-infected system can be identified by the way it responds to a special SMB 'ping' on TCP port 445: the implant hooks the SMB Trans2 SESSION_SETUP request, and its reply carries a Multiplex ID of 0x51 where a clean server simply echoes the ID the client sent.
"Coming back to DOUBLEPULSAR, the polite term for what's happening is a real pain in the behind... I'm hopeful this is the wakeup moment for people over patching Windows machines," he asserted.
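The SMB 'ping' Tentler refers to, as an added example that is not code from the original post and not the Phobos Group's scanner. It follows the public write-ups of the check: open an anonymous SMBv1 session to IPC$, send a Trans2 SESSION_SETUP (subcommand 0x000E) and inspect the Multiplex ID of the reply. The Timeout value of 0, the 12 zero data bytes and the request MID 0x41 are assumptions, and the exchange has not been validated here against an infected host, so confirm it in a lab before trusting results, and probe only hosts you are authorized to test.

```python
"""DOUBLEPULSAR SMB ping check (added example, see lead-in for assumptions)."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
REQUEST_MID = 0x41        # assumption: the MID we send; a clean server echoes it
DOUBLEPULSAR_MID = 0x51   # MID the implant's hook returns to a ping


def smb_header(command, tid=0, uid=0, mid=REQUEST_MID, flags2=0xC007):
    """32-byte SMBv1 header: protocol, command, status, flags, flags2,
    PIDHigh, signature, reserved, TID, PID, UID, MID (little-endian)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, 0x18,
                       flags2, 0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def netbios(smb):
    """Prefix an SMB message with the 4-byte NetBIOS session header."""
    return struct.pack(">I", len(smb)) + smb


def negotiate_request():
    dialects = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0",
                b"Windows for Workgroups 3.1a", b"LM1.2X002",
                b"LANMAN2.1", b"NT LM 0.12"]
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data   # WordCount 0
    return netbios(smb_header(SMB_COM_NEGOTIATE, flags2=0xC053) + body)


def session_setup_request():
    """Null session: 1-byte password, empty account and domain, OS strings."""
    data = (b"\x00" + b"\x00\x00" + b"\x00\x00"
            + "Windows 2000 2195\0".encode("utf-16-le")
            + "Windows 2000 5.0\0".encode("utf-16-le"))
    # AndX cmd/res/offset, MaxBuf, MaxMpx, VcNum, SessKey, OEMPwLen,
    # UnicodePwLen, Reserved, Capabilities, ByteCount (13 words + ByteCount)
    params = struct.pack("<BBHHHHIHHIIH", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0,
                         0, 0xD4, len(data))
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + params + data)


def tree_connect_request(host, uid):
    """Connect to IPC$; the hooked Trans2 handler is reached through it."""
    path = ("\\\\%s\\IPC$\0" % host).encode("utf-16-le")
    data = b"\x00" + path + b"?????\x00"   # password, path, service
    params = struct.pack("<BBHHHH", 0xFF, 0, 0, 0, 1, len(data))
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + params + data)


def trans2_session_setup_request(uid, tid, timeout=0):
    """The ping: Trans2 with SetupCount 1 and Setup[0] = SESSION_SETUP.
    The implant reads its opcode from the Timeout field; 0 is an assumption."""
    data = b"\x00" * 12
    params = struct.pack("<HHHHBBHIHHHHHBBH", 0, 0, 0, 0, 0, 0, 0, timeout,
                         0, 0, 0, 0, 0, 1, 0, TRANS2_SESSION_SETUP)
    body = b"\x0f" + params + struct.pack("<H", len(data)) + data
    return netbios(smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + body)


def smb_fields(reply):
    """Return (status, tid, uid, mid) from a raw NetBIOS + SMBv1 reply."""
    if len(reply) < 36 or reply[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply")
    status, = struct.unpack_from("<I", reply, 9)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", reply, 28)
    return status, tid, uid, mid


def is_doublepulsar(reply):
    """True when the reply carries the implant's MID instead of ours."""
    return smb_fields(reply)[3] == DOUBLEPULSAR_MID


def probe(host, port=445, timeout=5.0):
    """Run the four-step exchange against one host; True means infected."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        s.recv(4096)
        s.sendall(session_setup_request())
        uid = smb_fields(s.recv(4096))[2]
        s.sendall(tree_connect_request(host, uid))
        tid = smb_fields(s.recv(4096))[1]
        s.sendall(trans2_session_setup_request(uid, tid))
        return is_doublepulsar(s.recv(4096))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "DOUBLEPULSAR" if probe(target) else "clean")
```

The packet builders compute every length field from the bytes they emit, so the negotiate and session-setup messages come out at 133 and 136 bytes, the same sizes as the captures in the public scripts. Only the response classifier runs offline; the network path needs a real SMB listener.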
The security issue may be even more serious, depending on some specific cases. A larger and more in-depth scan by internet security researcher Robert Graham revealed no less than 41,048 infected hosts and even more scans are going to be carried out, so expect that number to rise in the short term.
Tentler added that when the Shadow Brokers' arsenal hit the web on Easter weekend, inexperienced hackers around the world grabbed the cyber-arms and infected just about everything they could find.
An analysis of the infected machines suggests a lot of them are going to stay that way for some time, however.
If they haven't applied MS17-010 by now, they probably won't for a long while, if ever. DOUBLEPULSAR, being a nation-state-grade backdoor, is extremely stealthy and unlikely to be discovered on a hacked PC unless whichever miscreant is using it gets careless. One caveat: the implant lives only in kernel memory and does not survive a reboot, but an unpatched host that reboots clean is simply waiting to be exploited again.
And, as is often the case in such matters, Amazon's AWS and Microsoft's Azure showed up in the top one hundred most-infected domains, as you would expect of large hosts of customer virtual machines. No surprises there.
Then, there are several systems at big names such as Ricoh in India, various universities, and many machines on Comcast connections in the U.S.
Typically, the numbers of infections in businesses are in the single digits, but as Tentler underscores, an attacker only needs one foothold in a corporate network to begin taking over the whole company.
How far this will go is anybody's guess. We'll keep you posted, but in the meantime system and network admins are strongly advised to harden their Windows installations against such attacks: apply MS17-010, disable SMBv1 where it is not needed, and block TCP port 445 from untrusted networks at the perimeter.
Source: The Phobos Group.