A report by BleepingComputer’s Catalin Cimpanu, drawing on research from the cybersecurity firm Below0Day, has identified a large number of infections by an NSA-developed malware downloader. Called DoublePulsar, the malware was first identified in the most recent Shadow Brokers dump of “implants.” DoublePulsar functions as a malware and exploit downloader: once it infects a system, it begins to download and install various powerful strains of malware via exploits. The NSA-created exploits found alongside DoublePulsar include EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and EducatedScholar.
As Cimpanu pointed out, these exploits target SMB connections on port 445 of Microsoft Windows systems. Microsoft, to its credit, did release patches that prevent the NSA malware from using these exploits. The problem, however, is that security researchers at Below0Day have discovered numerous computers already infected with DoublePulsar.
To find DoublePulsar infections, Below0Day researchers scanned roughly 5.5 million externally exposed SMB ports on hosts that, if their Windows OS is unpatched, would be susceptible to the malware. Next, the team took the IP addresses from the initial scan and ran them through a tool created by Luke Jennings of Countercept. As Jennings explains, the tool is “a set of python2 scripts for sweeping a list of IPs for the presence of both SMB and RDP versions of the DoublePulsar implant.”
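As an added example (not from the article, Below0Day, or Countercept), the check below mirrors what the Countercept SMB sweep looks for: a host running the DoublePulsar implant answers an SMB Trans2 SESSION_SETUP probe with Multiplex ID 0x51 instead of echoing the request's 0x41. The byte strings are constructed here rather than captured traffic, and the function names are my own.

```python
import struct


def _build_smb_response(command: int, multiplex_id: int) -> bytes:
    """Constructed sample: 4-byte NetBIOS session header + 32-byte SMB1 header.

    Only the fields the detection reads are meaningful; the rest are filler.
    """
    smb = (
        b"\xffSMB"                         # SMB1 protocol id
        + struct.pack("<B", command)       # command (0x32 = Trans2)
        + b"\x00" * 4                      # NT status
        + b"\x98"                          # flags (server response)
        + b"\x07\xc0"                      # flags2
        + b"\x00" * 2                      # PID high
        + b"\x00" * 8                      # signature field
        + b"\x00" * 2                      # reserved
        + b"\x00\x08"                      # TID
        + b"\xff\xfe"                      # PID
        + b"\x00\x08"                      # UID
        + struct.pack("<H", multiplex_id)  # MID: the field the check keys on
    )
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return struct.pack(">I", len(smb)) + smb


def classify_smb_response(data: bytes) -> str:
    """Classify one Trans2 SESSION_SETUP reply from a probed host.

    'implant' if the MID is 0x51 (DoublePulsar's tell), 'clean' if the server
    echoed the probe's MID 0x41, 'unknown' for anything that is not a Trans2 reply.
    """
    if len(data) < 36 or data[4:8] != b"\xffSMB":
        return "unknown"
    if data[8] != 0x32:  # not a Trans2 response
        return "unknown"
    (mid,) = struct.unpack("<H", data[34:36])
    return {0x51: "implant", 0x41: "clean"}.get(mid, "unknown")


def sweep(responses: dict) -> dict:
    """Map each host label to its verdict, as a sweep tool would over its IP list."""
    return {host: classify_smb_response(raw) for host, raw in responses.items()}


# Constructed sample set standing in for replies collected during a sweep
SAMPLES = {
    "host-a": _build_smb_response(0x32, 0x41),  # normal Windows reply
    "host-b": _build_smb_response(0x32, 0x51),  # DoublePulsar signature
    "host-c": b"\x00\x00\x00\x04abcd",           # not SMB at all
}

if __name__ == "__main__":
    for host, verdict in sweep(SAMPLES).items():
        print(f"{host}: {verdict}")
```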
Using this tool, Below0Day uncovered more than 36,000 computers infected with DoublePulsar, the majority of them in the United States. The images below, from Below0Day, show an example of the scan results as well as an in-depth graph of the countries most affected by DoublePulsar.
Some have taken me to task over my frequent critiques of government hacking operations. As a journalist, I am used to cries of treason or, as happened recently and much to my amusement, to being accused of working as a Russian operative. At the end of the day, however, my strong critiques stem from an InfoSec perspective.
As the empirical evidence shows, the various NSA hacking tools (in this case DoublePulsar) have fallen into numerous hands, most certainly including black-hat hackers. In its reckless deployment of malware that nobody should have in their possession, the NSA has placed the entire world at risk of a powerful set of cyberattacks. The NSA’s main mission is reconnaissance of all kinds, especially of sensitive data (which is obtained at all costs, civil liberties be damned).
With this in mind, imagine just how deeply compromised a system can become if these tools fall into the wrong hands. While the NSA swears that it is simply trying to protect the United States, the greatest irony is that the majority of the 36,000 DoublePulsar infections were based in America. I doubt this was the NSA’s doing based on the IP addresses used, but rather black hats who illegally obtained the malware.
The NSA, and all other entities in the global intelligence community, must rethink how they obtain information in the digital age.
Photo credit: Electronic Frontier Foundation