Multiple sources have reported that hackers are attacking scores of computers with DoublePulsar, a Windows-based backdoor malware that was revealed in the Shadow Brokers’ recent unauthorized leak of cyber spying tools allegedly employed by the U.S. National Security Agency.
The findings show what can happen when a nation-state’s cache of hacking tools falls into the wrong hands. The malware is delivered via TCP port 445 using a remote code execution exploit called EternalBlue, which leverages Server Message Block (SMB) vulnerabilities in a wide range of Windows operating systems. Microsoft patched the flaws in a March update, but the latest reports suggest that many machine owners have failed to apply the patches or are using an unsupported version of Windows.
Dan Tentler, founder of security firm Phobos Group, has been repeatedly scanning the Internet for signs of the infection. He reported on Sunday via Twitter that close to three percent of all connected machines with an open port 445 were infected with the malware, for a total of approximately 143,000 compromised machines.
But an even more recent tweet from Tentler warned to “expect more bloodbath,” after a newer scan shockingly suggested that about 25 percent of all vulnerable, publicly exposed SMB machines are currently infected.
Meanwhile, Internet data analysis firm BinaryEdge conducted a series of daily scans from Friday, April 21 through Monday, April 24, finding that infections jumped from 106,410 machines to 183,107 in four days. The U.S. hosted 65,000 of these infections, with Hong Kong a distant second.
In its own scan, the pentesting company Below∅Day discovered nearly 5.2 million vulnerable hosts on April 21. Then, using a detect script from Countercept, the company identified 56,586 hosts worldwide infected with the DoublePulsar implant, just over 14,000 of which were located in the U.S. Those numbers grew from an April 18 scan that detected only 30,626 infections among 5.5 million vulnerable hosts.
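As an added example that is not part of this article and not the Countercept script it mentions: the public write-ups of the implant (an assumption taken from those analyses, not from the article) report that DoublePulsar answers an SMB Trans2 SESSION_SETUP probe with multiplex ID 0x51, whereas a clean host echoes the request's 0x41. The Python below parses an SMB1 response header and classifies it on that basis; the sample packets are constructed inline, and nothing is sent over the network.

```python
import struct

# SMB1 header layout (32 bytes) that follows the 4-byte NetBIOS session header.
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
# Assumption from public analyses of the implant (not from the article): a clean
# host echoes the probe's multiplex ID (0x41); DoublePulsar replies with 0x51.
MID_CLEAN = 0x41
MID_DOUBLEPULSAR = 0x51

def parse_smb1(packet: bytes) -> dict:
    """Parse NetBIOS + SMB1 header fields; raise ValueError on malformed input."""
    if len(packet) < 36 or packet[0] != 0x00:
        raise ValueError("not an SMB1-over-NetBIOS session message")
    nb_len = int.from_bytes(packet[1:4], "big")
    if nb_len != len(packet) - 4:
        raise ValueError("NetBIOS length does not match payload length")
    (magic, cmd, status, flags, flags2, pid_hi, _sig, _res,
     tid, pid_lo, uid, mid) = SMB_HEADER.unpack(packet[4:36])
    if magic != SMB_MAGIC:
        raise ValueError("bad SMB magic")
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_hi << 16) | pid_lo, "uid": uid, "mid": mid}

def is_doublepulsar_response(packet: bytes) -> bool:
    """True when a Trans2 reply carries the implant's tell-tale multiplex ID."""
    hdr = parse_smb1(packet)
    return hdr["command"] == SMB_COM_TRANSACTION2 and hdr["mid"] == MID_DOUBLEPULSAR

def build_sample_reply(mid: int) -> bytes:
    """Constructed test data: a minimal Trans2 response header with the given MID."""
    body = SMB_HEADER.pack(SMB_MAGIC, SMB_COM_TRANSACTION2, 0, 0x98, 0xC807, 0,
                           b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)
    body += b"\x00" + b"\x00\x00"  # WordCount = 0, ByteCount = 0
    return b"\x00" + len(body).to_bytes(3, "big") + body
```

The same classifier can be run over SMB responses captured passively (e.g. from an IDS or pcap) to spot already-implanted hosts without probing them.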
In a statement printed by Ars Technica on Friday, Microsoft wrote: “We doubt the accuracy of the reports and are investigating.” On Monday, SC Media reached out to Microsoft for further comment and received the following statement from a company spokesperson: “Customers with up-to-date software are protected. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. For more information on protecting computers against malware, please visit https://aka.ms/bm9atl.”
It is unlikely that the malware’s original developer — widely believed to be the NSA, aka the “Equation Group” — is responsible for infecting thousands upon thousands of victims. It is far more likely that these infections are the recent work of malicious actors taking advantage of the wealth of hacking tools leaked earlier this month by the Shadow Brokers. “The implant is beautifully designed and could have been used by other actors,” noted BinaryEdge in its DoublePulsar report.
Indeed, a blog post from cyber threat intel provider SenseCy last week reported that members of the dark web “have been sharing the leaked attack tools and zero-day exploits among themselves,” as well as “uploading tutorials, taken from security researchers, on how to utilize the exploits.”