In the investigation of the recently revealed National Security Agency cyberweapons, security experts created a way to scan systems for NSA spyware and found tens of thousands of infected systems.
Security researchers at Countercept became interested in the Doublepulsar payload, which is the post-exploitation communication channel of the recently patched EternalBlue exploit, "because it seems to be a very stealthy kernel-mode payload that is the default payload for many exploits" used by the Equation Group. With that in mind, they developed a way to identify the presence of the NSA spyware based on memory signatures in "hosts that have not been rebooted" since being infected.
"That leaves an interesting case for a memory signature as it is quite a specific sequence of bytes, preceded by all zeros and always occurs at the same offset even with different sized DLLs [dynamic link libraries]," Countercept researchers wrote in a blog post. "This might prove a useful memory analysis indicator that could be used for finding evidence of previous compromise by Doublepulsar both in target user processes and within the kernel even long after the attackers have left, if the system has not been rebooted."
Luke Jennings, head of research and development at Countercept by MWR InfoSecurity, released the tool to detect Doublepulsar to GitHub and recently updated it with the ability to remotely uninstall the NSA spyware for remediation.
Security company BeyondEdge has been running scans since the tool was released. In its initial scan, BeyondEdge found more than 100,000 infected systems. And in the days following, that number has grown to more than 180,000. Close to 70,000 of those infections were found in the U.S. alone.
However, Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., put the number around 150,000.
"In my latest scans, I'm seeing about 3% of the more than 5 million machines with TCP 445 open to the Internet infected with DOUBLEPULSAR." -- Jake Williams (@MalwareJake), April 23, 2017
Richard Henderson, global security strategist at Absolute Software Corp., an endpoint security company in Vancouver, B.C., suggested that not all of the instances of this NSA spyware should be attributed to the NSA itself.
"What's more likely to have happened is that other attackers, reasonably skilled independent hackers, and other state-sponsored groups have taken the information that became available and used that to make as much hay as they could in the small window available to them before enterprises can mitigate any exposure inside their environments," Henderson told SearchSecurity. "That's the real danger for the average company -- that someone else other than a state-sponsored group will take advantage of the exploit before they can react."
Nick Bilogorskiy, senior director of threat operations at Cyphort Inc., a cybersecurity software company based in Santa Clara, Calif., was especially surprised by these numbers, because "Doublepulsar does not persist and is erased by a reboot."
"I think when NSA used them, the number of victims was small and targeted. But now, I expect the number to grow quickly, now that code is in the wild and has been recently added to Metasploit -- and because people are very slow to patch," Bilogorskiy told SearchSecurity. "This malware was written by NSA, then leaked to third parties, and now anyone with access to it can take full control of vulnerable systems. These exploits are already being adopted in the wild for the distribution of ransomware. They can also be used in worms and other widespread attacks."
The dangers of Doublepulsar NSA spyware
Regardless of the actual number of infections, experts noted this NSA spyware is already in the hands of malicious actors, so response is critical.
Bobby Kuzma, system engineer at Core Security, based in Roswell, Ga., said Doublepulsar communicates over the Windows Server Message Block (SMB) protocol on port 445, so remediation may not be too difficult.
"I suggest that you scan your external IP ranges for any active instances of port 445 and kill them. Ensure that updates are applied to supported systems and reboot. Doublepulsar does not appear to be persistent," Kuzma told SearchSecurity. "And if you have a not-currently-supported system that's vulnerable, it's time to have a hard conversation with the business sponsor about why that box is even still alive."
Kevin Beaumont, a security architect based in the U.K., said on Twitter that scanning is very inexpensive.
"To scan 4294967295 IPs for DoublePulsar on SMB it costs less than a Starbucks coffee. #2017" -- Kevin Beaumont (@GossiTheDog), April 25, 2017
Oleg Kolesnikov, director of threat research at Securonix, based in Addison, Texas, suggested disabling SMBv1 altogether -- a sentiment recently echoed by US-CERT.
"My recommendation would be to start by reducing your attack surface by making sure services such as SMB are not exposed to the internet. In addition to the GitHub repo script mentioned, you can now leverage the nmap smb-double-pulsar-backdoor NSE script released earlier to scan [and] address any potential exposed services," Kolesnikov told SearchSecurity via email. "Overall, I think it is important to assume that breaches like this will happen as part of your security defense strategy, so focusing on implementing multiple layers of detection and defense mechanisms as part of your security posture to increase the chance of detecting the behaviors associated with such attacks can be a good idea, too."
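The remediation advice from Kuzma and Kolesnikov above (check what listens on 445, disable SMBv1, patch, reboot) turned into a host-side audit script. This is an added example, not code from the article or from any of the tools it mentions; it assumes Windows 8 / Server 2012 or later, an elevated PowerShell session, and the SmbShare, DISM and sc.exe steps Microsoft documents for turning SMBv1 off.

```powershell
# Added example (not from the article or any vendor tool): audit and, with
# -Remediate, disable SMBv1 on the local host. Assumes Windows 8 / Server 2012
# or later and an elevated shell. A reboot is still required afterwards; as the
# article notes, Doublepulsar does not persist, so the restart also clears any
# resident implant.
param([switch]$Remediate)

# 1. Is anything on this host listening on TCP 445 at all?
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("TCP 445 listeners: " + (@($listeners).Count))

# 2. Server side: is the SMB1 dialect still offered to clients?
$srv = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled: " + $srv.EnableSMB1Protocol)

# 3. Client side: lanmanworkstation depends on mrxsmb10 while the SMB1 client is active.
$deps = (Get-Service -Name lanmanworkstation).ServicesDependedOn | Select-Object -ExpandProperty Name
$clientSmb1 = $deps -contains 'mrxsmb10'
Write-Host ("SMBv1 client driver in use: " + $clientSmb1)

if (-not $Remediate) {
    Write-Host "Run with -Remediate to disable SMBv1 (reboot required afterwards)."
    return
}

if ($srv.EnableSMB1Protocol) {
    # Stop the server from negotiating the SMB1 dialect; takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Remove the optional feature where the OS exposes it (Windows 8.1 / 10 and later).
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

if ($clientSmb1) {
    # Microsoft's documented steps for the SMB1 client: drop the mrxsmb10 dependency
    # and disable the driver, leaving the SMB2/3 client (mrxsmb20) in place.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Write-Host "SMBv1 disabled. Install the SMB security update if it is missing, then reboot."
```

Run it once without the switch to record the current state, and again with -Remediate on hosts that must not offer SMBv1; externally exposed 445 listeners should additionally be closed at the perimeter as Kuzma advises.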