The hacking tools leaked from the NSA last Friday by the Shadow Brokers are now being used by script kiddies to infect thousands of Windows machines around the world.
On Thursday, Dan Tentler, founder of the security shop Phobos Group, told The Register that he has seen a rise in the number of boxes on the public internet showing signs that DOUBLEPULSAR is installed on them. All of these hijacked machines can now be used to spam netizens, spread malware, or launch further attacks on other victims.
DOUBLEPULSAR is a backdoor used to inject and run malicious code on an infected system. It is installed using the ETERNALBLUE exploit, which attacks the SMB file-sharing service on Windows XP through Server 2008 R2. In other words, to be compromised a computer must be running a vulnerable version of Windows and must have its SMB service exposed to the attacker. Both ETERNALBLUE and DOUBLEPULSAR are among the leaked Equation Group tools, and are now available for any script kiddie to download and wield against vulnerable systems.
In March, Microsoft patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE, and it’s clear that some people have been slow to apply the critical update, are unable to do so, or possibly just don’t care.
The fix is available for Windows 7, Windows Vista SP2, Windows RT 8.1, Windows 8.1, Windows Server 2008 SP2, Windows 10, Windows Server 2012, Windows Server 2008 R2 SP1 and Windows Server 2016, Windows Server 2012 R2 and Server Core. If you own an older vulnerable system, such as Server 2003, you’re just out of luck.
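As an added example (not from the article or from Microsoft), the following PowerShell script checks a Windows 8.1/Server 2012 or later host against the conditions described above: whether SMB is listening on TCP 445, whether SMBv1 (the protocol ETERNALBLUE targets) is still enabled, and whether one of the MS17-010 updates is installed, with an optional `-Remediate` switch. The KB list is taken from the MS17-010 bulletin; later cumulative updates supersede those KBs, so a missing KB means "verify the patch level", not "definitely vulnerable".

```powershell
# Added example: assess one Windows host for ETERNALBLUE/DOUBLEPULSAR exposure.
# Assumes Windows 8.1 / Server 2012 or later (SmbShare and NetTCPIP cmdlets)
# and an elevated PowerShell session. Usage: .\Check-MS17010.ps1 [-Remediate]
param([switch]$Remediate)

# MS17-010 security-only and monthly-rollup KBs from the March 2017 bulletin.
# Newer cumulative updates supersede these, so absence is a prompt to verify.
$Ms17010Kbs = @(
    'KB4012212'; 'KB4012215'   # Windows 7 / Server 2008 R2
    'KB4012213'; 'KB4012216'   # Windows 8.1 / Server 2012 R2
    'KB4012214'; 'KB4012217'   # Server 2012
    'KB4012598'                # Vista / Server 2008 SP2
    'KB4012606'; 'KB4013198'; 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) ($($os.Version))"

# 1. Is the SMB server reachable at all? List the addresses it listens on.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $addrs = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
    Write-Host "SMB listening on TCP 445 at: $addrs"
} else {
    Write-Host "No SMB listener on TCP 445"
}

# 2. Is SMBv1 still enabled on the server side?
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 enabled: $smb1"

# 3. Is any MS17-010 update present in the installed hotfix list?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $(($installed.HotFixID) -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found; confirm the host carries a newer cumulative update"
}

if ($Remediate) {
    # Turn off SMBv1; SMBv2/3 clients keep working.
    if ($smb1) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    # Block inbound 445 on the Public profile so untrusted networks cannot reach SMB;
    # Domain/Private file sharing is unaffected.
    New-NetFirewallRule -DisplayName 'Block inbound SMB from public networks' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
    Write-Host "SMBv1 disabled and inbound TCP 445 blocked on the Public profile"
}
```

Hosts that report SMBv1 enabled, no MS17-010 update, and a listener on a public-facing address match exactly the profile of the machines Tentler found.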
Tentler said that a preliminary scan of the public internet on Thursday using Shodan.io revealed 15,196 infections, with four-fifths of those coming from IP ranges in the US.