DoublePulsar Pwnage: Attackers Tap Equation Group ExploitThousands of Windows Servers Infected via SMB Networking Flaw
Warning: Drop everything and patch all the Windows things now.
That's the alert being sounded by security researchers in the wake of the Shadow Brokers releasing a suite of Equation Group attack tools that are designed to exploit a flaw in older versions of Windows.
Those tools, including the DoublePulsar implant - aka malware - that is designed to provide covert, backdoor access to a Windows system, have been quickly adopted by attackers.
"Thousands upon thousands of servers are implanted with Equation Group implant DoublePulsar kernel implant right now," says England-based security researcher Kevin Beaumont via Twitter, who predicts that the flaw will soon be exploited by ransomware gangs.
I cannot see how this is going to end well.— Kevin Beaumont (@GossiTheDog) April 21, 2017
The Shadow Brokers is the shadowy group believed to tie to the Russia government, while the Equation Group appears to be the National Security Agency's in-house hacking team, known as Tailored Access Operations.
The latest dump of stolen Equation Group attack tools - dating from 2013 and earlier - was released April 14, after the names of the attack tools were previewed by Shadow Brokers in January (see Hackers Reveal Apparent NSA Targeting of SWIFT Bureaus).
What's since come to light, however, is that in February, Microsoft canceled its regularly scheduled release of Windows security updates, and in March quietly issued fixes for a number of flaws targeted by the attack tools. In short, it looks like the NSA tipped off Microsoft as to which flaws the tools targeted (see No Coincidence: Microsoft's Timely Equation Group Fixes).
EternalBlue Delivers DoublePulsar
One of those fixes - MS17-010 - patches a server message block (SMB) server vulnerability present in every Windows operating system from XP to Server 2008 R2, which was exploited by an Equation Group tool called EternalBlue.
Of course, Microsoft releasing patches for products doesn't magically mean those patches then get installed, especially where servers are concerned. Furthermore, many organizations and individuals continue to use versions of the operation system - Windows XP, Windows Vista, Windows Server 2003 - that are no longer supported, vulnerable to many of the disclosed flaws, but for which no fixes will ever be issued.
Enterprise IT teams can use a plugin that targets the flaw has been added to the Metasploit open source vulnerability testing framework, meaning that enterprise IT teams can test their networks to see if they're at risk. Of course, that means the flaw has also been easy for attackers to target.
"Our own analysis corroborates other researchers' findings that most of the other vulnerabilities - particularly those that exploit the remote use of services and protocols typically used only on an internal network - would be blocked by typical firewall configurations on a relatively well secured and managed network," according to an analysis published by Jon Espenschied, who manages the threat intelligence group at security firm Alert Logic.
Unfortunately, numerous organizations appear to have Windows boxes running outdated operating systems or that do not yet have the latest security updates. Of course, that leaves them at risk to much more than leaked NSA hacking tools.
An increasing number of attacks are now using the SMB flaw targeted by EternalBlue to install another Equation Group tool, called DoublePulsar, which is a backdoor designed to communicate with a botmaster via a command-and-control (C2) server, warns the U.K.-based security researcher known as Hacker Fantastic.
Patch or be Pwned
Security researchers say the exploit is extremely effective. "I feel external systems will be either patched or pwned," security researcher Rik van Duijn at KPN-owned Dutch managed security service provider DearBytes, in a blog post. "The internal networks will remain, as often happens, unpatched."
As of April 19, Dan Tentler, founder of security shop Phobos Group, reported that "there are a [plethora*] of doublepulsar infected hosts" [*synonym for an astronomical amount of fecal matter]. Based on quick scans via the Shodan search engine - boxes with the flaw respond a port 445 ping - he found that about 11 percent of all internet-accessible endpoints that run SMB, totaling at least 20,000 endpoints, appeared to be infected with DoublePulsar.
According to security firm Below0Day, the greatest number of infected devices are in the United States, followed by Britain, Taiwan and South Korea.
As of April 24, however, Tentler found even more infected devices. Mikko Hypponen, chief research officer at Finnish cybersecurity firm F-Secure, says that based on Tentler's findings, 3 percent of all internet-connected machines that have port 445 open appear to be infected with DoublePulsar. Note that not all devices that have port 445 open are running SMB or are even Windows devices, meaning not all of them are at risk.
current status:— Dan Tentler (@Viss) April 23, 2017
1.17 million host scanned
33,468 found infected. pic.twitter.com/GEeOYKMgjP
The security researcher Hacker Fantastic, who's part of the British security research group Hacker House, says all digital forensics and incident response investigators should familiarize themselves with the Equation Group tools and the flaws they target. "We referred to this as a Microsoft apocalypse and it certainly is shaping up to be a very bad forthcoming few months for DFIR and incident response teams as attackers begin co-opting these tools into their own attacks," he says.
Security experts say these flaws will continue to targeted - and successfully exploited - by attackers for years to gain footholds in enterprise environments. "Our research suggests that threat actors are still actively and successfully exploiting vulnerabilities patched almost a decade ago," according to a new report from security firm Kaspersky Lab. Based on targeted exploits launched by sophisticated hackers from 2010 to 2016, it found that the Windows operating system flaws were most often targeted by attackers, followed distantly by flaws in Adobe Flash, Microsoft Office, Java and Internet Explorer.
Attack Tool Hygiene
Hacker Fantastic, meanwhile, has called on the NSA to do a better job of locking down its hacking tools in case they leak again in the future.
"The lesson to be learned from leak is not that nations build cyber weapons, it's that we are not building sufficient safeguards into them," Hacker Fantastic says via Twitter. "As a civilian, a toolkit like this should be highly difficult for me to run. It should of required authorized certificate or hardware token."
Updated April 24 with the latest count of DoublePulsar-infected endpoints.