NSA’s DoublePulsar Kernel Exploit In Use Internet-Wide

If you’re on a red team or have been on the receiving end of a pen-test report from one, then you’ve almost certainly encountered reports of Windows servers vulnerable to Conficker (MS08-067), which has been in the wild now for nearly 10 years since the bug was patched.

A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for much longer than Conficker.

MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-resident kernel payload that runs on both x86 and 64-bit Windows systems and allows an attacker to execute any raw shellcode payload they wish.

“This is a full ring0 payload that gives you full control over the system and you can do what you want to it,” said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday.

“This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it’s still found in a lot of places,” Dillon said. “I find it everywhere. This is the most critical Windows patch since that vulnerability.”

Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he’s running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue.

“This is easily describable as a bloodbath,” Tentler said.
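The article does not describe how Tentler's scans told infected hosts apart from merely vulnerable ones. The example below, added here and not taken from the article or from any of the researchers it quotes, shows the classification step of such a check as a passive parser over SMB1 replies. It assumes the fingerprint used by public open-source DoublePulsar detection scripts: a Trans2 SESSION_SETUP probe carrying Multiplex ID 0x41 is answered by the implant with Multiplex ID 0x51, while an unmodified SMB stack echoes 0x41 back. The host addresses and packet bytes are constructed inline for the demonstration; nothing is sent on the network.

```python
import struct

# Layout of an SMB1 ("NT LM 0.12") message on TCP/445: a 4-byte NetBIOS session
# header followed by a fixed 32-byte SMB header. Only header fields are needed here.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
STATUS_NOT_IMPLEMENTED = 0xC0000002

# Fingerprint assumed from public DoublePulsar detection tooling (not stated in the
# article): the probe is sent with Multiplex ID 0x41; the implant answers with
# Multiplex ID 0x51, whereas a clean SMB server echoes 0x41 unchanged.
PROBE_MID = 0x41
IMPLANT_MID = 0x51


def parse_smb1(packet: bytes) -> dict:
    """Decode the NetBIOS + SMB1 header fields needed for classification."""
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    nb_length = int.from_bytes(packet[1:4], "big")  # NetBIOS length is big-endian
    smb = packet[4:36]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command = smb[4]
    (status,) = struct.unpack_from("<I", smb, 5)    # NT status, little-endian
    flags = smb[9]
    flags2, pid_high = struct.unpack_from("<HH", smb, 10)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {
        "nb_length": nb_length,
        "command": command,
        "status": status,
        "is_reply": bool(flags & SMB_FLAGS_REPLY),
        "tid": tid,
        "pid": (pid_high << 16) | pid_low,
        "uid": uid,
        "mid": mid,
    }


def classify_response(packet: bytes, probe_mid: int = PROBE_MID) -> str:
    """Classify one reply to the probe as 'implant', 'clean' or 'inconclusive'."""
    try:
        hdr = parse_smb1(packet)
    except ValueError:
        return "inconclusive"          # SMB2/3 or malformed data: fingerprint does not apply
    if not hdr["is_reply"] or hdr["command"] != SMB_COM_TRANSACTION2:
        return "inconclusive"
    if hdr["mid"] == IMPLANT_MID:
        return "implant"
    if hdr["mid"] == probe_mid:
        return "clean"
    return "inconclusive"


def build_trans2_reply(mid: int, status: int = STATUS_NOT_IMPLEMENTED) -> bytes:
    """Construct a minimal header-only Trans2 reply for offline testing (constructed data)."""
    smb = bytearray(32)
    smb[:4] = SMB_MAGIC
    smb[4] = SMB_COM_TRANSACTION2
    struct.pack_into("<I", smb, 5, status)
    smb[9] = SMB_FLAGS_REPLY
    struct.pack_into("<HH", smb, 10, 0xC001, 0)        # Flags2: unicode, NT status, long names
    struct.pack_into("<HHHH", smb, 24, 0, 0xFEFF, 0, mid)  # TID, PID low, UID, MID
    return b"\x00" + len(smb).to_bytes(3, "big") + bytes(smb)


def summarize(results: dict) -> dict:
    """Count verdicts over {host: reply bytes} and give the implant share of responders."""
    counts = {"implant": 0, "clean": 0, "inconclusive": 0}
    for packet in results.values():
        counts[classify_response(packet)] += 1
    responding = counts["implant"] + counts["clean"]
    counts["implant_pct"] = round(100.0 * counts["implant"] / responding, 1) if responding else 0.0
    return counts


# Constructed sample replies: one implanted host, two clean SMB1 hosts, one SMB2-only host.
SAMPLE_RESPONSES = {
    "10.0.0.5": build_trans2_reply(IMPLANT_MID),
    "10.0.0.6": build_trans2_reply(PROBE_MID),
    "10.0.0.7": build_trans2_reply(PROBE_MID),
    "10.0.0.8": b"\x00\x00\x00\x20" + b"\xfeSMB" + bytes(28),
}

if __name__ == "__main__":
    for host, packet in SAMPLE_RESPONSES.items():
        print(host, classify_response(packet))
    print(summarize(SAMPLE_RESPONSES))
```

The verdict depends only on the Multiplex ID, which is why a detector of this kind can run over captured traffic without reading any command payload; the status field is decoded so that a reply with an unexpected status can be reviewed by hand rather than silently trusted.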

Since the April 7 ShadowBrokers leak, hackers have been downloading and using the NSA exploits to attack exposed computers. They’ve also posted downloadable documentation and videos to YouTube and other sources walking users through the various exploits, said Matthew Hickey, founder of U.K. consultancy Hacker House.

“The fact that people are using these attack tools in the wild is unsurprising,” Hickey said. “It shows you these tools were very well developed, very weaponized and don’t require a lot of technical sophistication, so attackers are quick to adopt them into their repositories and toolkits. Subsequently, they’re using them as-is.”

At this point, some exploits are quite simply point-and-shoot operations where a user would just fill in a value such as a remote IP address and fire off the executable, said Jake Williams, president of Rendition InfoSec; Williams is also known as MalwareJake.

“For us, these are keys to the kingdom types of exploits,” Williams said.
