Anti-Malware , Application Security , Breach Response

DoublePulsar Pwnage: Attackers Tap Equation Group Exploit

Thousands of Windows Servers Infected via SMB Networking Flaw
DoublePulsar Pwnage: Attackers Tap Equation Group Exploit
Infected SMB devices. Source: Below0Day

Warning: Drop everything and patch all the Windows things now.

See Also: How the New World of Digital Banking is Transforming Fraud Detection

That's the alert being sounded by security researchers in the wake of the Shadow Brokers releasing a suite of Equation Group attack tools that are designed to exploit a flaw in older versions of Windows.

Those tools, including the DoublePulsar implant - aka malware - that is designed to provide covert, backdoor access to a Windows system, have been quickly adopted by attackers.

"Thousands upon thousands of servers are implanted with Equation Group implant DoublePulsar kernel implant right now," says England-based security researcher Kevin Beaumont via Twitter, who predicts that the flaw will soon be exploited by ransomware gangs.

The Shadow Brokers is the shadowy group believed to tie to the Russia government, while the Equation Group appears to be the National Security Agency's in-house hacking team, known as Tailored Access Operations.

The latest dump of stolen Equation Group attack tools - dating from 2013 and earlier - was released April 14, after the names of the attack tools were previewed by Shadow Brokers in January (see Hackers Reveal Apparent NSA Targeting of SWIFT Bureaus).

What's since come to light, however, is that in February, Microsoft canceled its regularly scheduled release of Windows security updates, and in March quietly issued fixes for a number of flaws targeted by the attack tools. In short, it looks like the NSA tipped off Microsoft as to which flaws the tools targeted (see No Coincidence: Microsoft's Timely Equation Group Fixes).

EternalBlue Delivers DoublePulsar

One of those fixes - MS17-010 - patches a server message block (SMB) server vulnerability present in every Windows operating system from XP to Server 2008 R2, which was exploited by an Equation Group tool called EternalBlue.

Of course, Microsoft releasing patches for products doesn't magically mean those patches then get installed, especially where servers are concerned. Furthermore, many organizations and individuals continue to use versions of the operation system - Windows XP, Windows Vista, Windows Server 2003 - that are no longer supported, vulnerable to many of the disclosed flaws, but for which no fixes will ever be issued.

Enterprise IT teams can use a plugin that targets the flaw has been added to the Metasploit open source vulnerability testing framework, meaning that enterprise IT teams can test their networks to see if they're at risk. Of course, that means the flaw has also been easy for attackers to target.

"Our own analysis corroborates other researchers' findings that most of the other vulnerabilities - particularly those that exploit the remote use of services and protocols typically used only on an internal network - would be blocked by typical firewall configurations on a relatively well secured and managed network," according to an analysis published by Jon Espenschied, who manages the threat intelligence group at security firm Alert Logic.

Unfortunately, numerous organizations appear to have Windows boxes running outdated operating systems or that do not yet have the latest security updates. Of course, that leaves them at risk to much more than leaked NSA hacking tools.

An increasing number of attacks are now using the SMB flaw targeted by EternalBlue to install another Equation Group tool, called DoublePulsar, which is a backdoor designed to communicate with a botmaster via a command-and-control (C2) server, warns the U.K.-based security researcher known as Hacker Fantastic.

Patch or be Pwned

Security researchers say the exploit is extremely effective. "I feel external systems will be either patched or pwned," security researcher Rik van Duijn at KPN-owned Dutch managed security service provider DearBytes, in a blog post. "The internal networks will remain, as often happens, unpatched."

As of April 19, Dan Tentler, founder of security shop Phobos Group, reported that "there are a [plethora*] of doublepulsar infected hosts" [*synonym for an astronomical amount of fecal matter]. Based on quick scans via the Shodan search engine - boxes with the flaw respond a port 445 ping - he found that about 11 percent of all internet-accessible endpoints that run SMB, totaling at least 20,000 endpoints, appeared to be infected with DoublePulsar.

According to security firm Below0Day, the greatest number of infected devices are in the United States, followed by Britain, Taiwan and South Korea.

As of April 24, however, Tentler found even more infected devices. Mikko Hypponen, chief research officer at Finnish cybersecurity firm F-Secure, says that based on Tentler's findings, 3 percent of all internet-connected machines that have port 445 open appear to be infected with DoublePulsar. Note that not all devices that have port 445 open are running SMB or are even Windows devices, meaning not all of them are at risk.

"Microsoft Apocalypse"

The security researcher Hacker Fantastic, who's part of the British security research group Hacker House, says all digital forensics and incident response investigators should familiarize themselves with the Equation Group tools and the flaws they target. "We referred to this as a Microsoft apocalypse and it certainly is shaping up to be a very bad forthcoming few months for DFIR and incident response teams as attackers begin co-opting these tools into their own attacks," he says.

Security experts say these flaws will continue to targeted - and successfully exploited - by attackers for years to gain footholds in enterprise environments. "Our research suggests that threat actors are still actively and successfully exploiting vulnerabilities patched almost a decade ago," according to a new report from security firm Kaspersky Lab. Based on targeted exploits launched by sophisticated hackers from 2010 to 2016, it found that the Windows operating system flaws were most often targeted by attackers, followed distantly by flaws in Adobe Flash, Microsoft Office, Java and Internet Explorer.

Applications and operation systems most often exploited by targeted attack groups, 2010 to 2016. Source: Kaspersky Lab

Attack Tool Hygiene

Hacker Fantastic, meanwhile, has called on the NSA to do a better job of locking down its hacking tools in case they leak again in the future.

"The lesson to be learned from leak is not that nations build cyber weapons, it's that we are not building sufficient safeguards into them," Hacker Fantastic says via Twitter. "As a civilian, a toolkit like this should be highly difficult for me to run. It should of required authorized certificate or hardware token."

Updated April 24 with the latest count of DoublePulsar-infected endpoints.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network