NSA`s DoublePulsar Exploit Widely Used Online

If you are a member of a read team or you have received a pen-rest report from such, then it is highly possible that you are familiar with the reports of Windows servers that are vulnerable to the Conficker worm (MS08-067). Conficker has been around for almost 10 years since the problem was addressed and the flaw was patched.

A couple of weeks after the most recent ShadowBrokers leaks of the National Security Agency (NSA) hacking tools, security experts alert that the DoublePulsar post-exploitation Windows kernel attack will have similar endurance. Moreover, they are certain that pen-testers will be able to find servers vulnerable to the MS17-010 patched bugs for much longer than Conficker.

MS17-010 was published in the middle of March when it closed several holes in Windows SMB Server, exploited by the National Security Agency. Exploits like EternalSynergy, EternalChampion, EternalRomance and EternalBlue are all part of the Fuzzbunch platform and they all drop DoublePulsar onto victims` machines.

DoublePulsar is an advanced memory-based kernel payload. It can be used on x86 and 64-bit systems and practically allows the attacker to execute whatever raw shellcode payload they want.

“This is a full ring0 payload that gives you full control over the system and you can do what you want to it.” – says the senior security analyst at RiskSense, Sean Dillon, who was the first to manage to reverse-engineer a DoublePulsar payload. Dillon`s analysis was published last Friday. – “This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it’s still found in a lot of places. I find it everywhere. This is the most critical Windows patch since that vulnerability.”

The CEO and founder of Phobos Croup, Dan Tentler, stated that, according to the internet-net scans he has been running, 3.1% (62,000-65,000) of vulnerable machines have already been infected and that the numbers are expected to grow.

“This is easily describable as a bloodbath.” – Tentler said.

Ever since the ShadowBrokers leak on April 7th, crooks have been downloading NSA exploits and using them to attack vulnerable machines. The founder of U.K. consultancy Hacker House, Matthew Hickey, even said that the hackers have also posted available for download videos and documentation on YouTube and others online coursed to help users through different exploits.

“The fact that people are using these attack tools in the wild is unsurprising.”
– Hickey said – “It shows you these tools were very well developed, very weaponized and don’t require a lot of technical sophistication, so attackers are quick to adopt them into their repositories and toolkits. Subsequently, they’re using them as-is.”

Jake Williams, the president of Rendition InfoSec and also known as MalwareJake, added that some exploits are simply “point-and-shoot operations” as the user has to just fill in a value such as a remote IP and launch the executable.

“For us, these are keys to the kingdom types of exploits.” – Williams said.

What is also interesting is that DoublePulsar only works on older Windows Server versions with older PatchGuard kernel protection versions. Newer Windows versions such as Windows 10, for instance, feature better kernel checks which could prevent DoublePulsar`s hooking of these systems.

Once DoublePulsar is on the infected machine, the attackers can drop any additional executable or malware they want. This means that it is only a matter of time before cybercriminals start using the exploit for ransomware and other malware distribution.

For the moment, attacks rely on malformed SMB requests and sit on the same port as the one the SMV service uses. According to Tentler, a malware that uses an existing running port is very rare.

“It does not open new ports. Once the backdoor is present, it can do one of four things: either it responds to a specific ping request (such as a heartbeat), it can uninstall itself, load shellcode, or run a DLL on the host. That’s it.”
– Tentler said – “It’s only purpose is to provide a covert channel by which to load other malware or executables.”

One disadvantage for the attacker is that the attack is gone once the infected machine is rebooted because of the fact that the attack lives in memory. DoublePulsar also features “kill or burn” command that doesn’t remove the infection but it prevents others from using it as a backdoor.

However, experts are very concerned and discouraged of the fact that in a six weeks window, there are so many exposed and already infected machines.

“This is really a quite serious issue.” – Hickey said – “This is a level of attack we have not seen since Conficker, and certainly none with this ease of use. Now you have a nation-state attack tool available to anyone online to use for their own purposes. It’ll be used to compromise and impact systems for many years to come.”

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.