If you’re on a red team or have been on the receiving end of a pen-test report from one, then you’ve almost certainly encountered reports of Windows servers vulnerable to Conficker (MS08-067), which has been in the wild now for nearly 10 years since the bug was patched.
A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for much longer than Conficker.
MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish.
Since the April 7 ShadowBrokers leak, hackers have been downloading and using the NSA exploits to attack exposed computers. They’ve also posted downloadable documentation and videos to YouTube and other sources walking users through the various exploits, said Matthew Hickey, founder of U.K. consultancy Hacker House.
DoublePulsar works on older Windows Server versions with older versions of PatchGuard kernel protection; modern versions of Windows such as Windows 10 have better kernel checks that could help block or prevent these hooks deep into the OS. Once DoublePulsar is on a compromised host, an attacker can drop additional malware or executables onto a machine, meaning that this bug will quickly move from the exclusive realm of nation-state hackers to cybercriminals, and it may be a matter of time before ransomware and other commodity malware and botnets take advantage of these exploits to spread.
For now, attacks take the form of malformed SMB requests and use the same port the SMB service already listens on (445). Tentler said it’s a rarity for malware to use an existing running port rather than opening its own.
“It does not open new ports. Once the backdoor is present, it can do one of four things: either it responds to a specific ping request (such as a heartbeat), it can uninstall itself, load shellcode, or run a DLL on the host. That’s it,” Tentler said. “Its only purpose is to provide a covert channel by which to load other malware or executables.”
One drawback for the attacker is that the implant lives only in memory, so once a machine is rebooted it’s gone. DoublePulsar also comes with a kill or burn command that won’t remove the infection, but does prevent others from making use of the backdoor.
Regardless, researchers are a bit disheartened that in the six weeks since the patch has been available, so many machines remain exposed.
Source: ThreatPost