NSA’s DoublePulsar Kernel Exploit In Use Internet-Wide

Scans show tens of thousands of Windows servers infected with the DoublePulsar kernel exploit leaked by the ShadowBrokers two weeks ago.

If you’re on a red team or have been on the receiving end of a pen-test report from one, then you’ve almost certainly encountered reports of Windows servers vulnerable to Conficker (MS08-067), which has been in the wild now for nearly 10 years since the bug was patched.

A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for much longer than Conficker.

MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish.

“This is a full ring0 payload that gives you full control over the system and you can do what you want to it,” said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday.

“This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it’s still found in a lot of places,” Dillon said. “I find it everywhere. This is the most critical Windows patch since that vulnerability.”

Dan Tentler, founder and CEO of Phobos Group, said internet-net wide scans he’s running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue.

“This is easily describable as a bloodbath,” Tentler said.

Since the April 7 ShadowBrokers leak, hackers have been downloading and using the NSA exploits to attack exposed computers. They’ve also posted downloadable documentation and videos to YouTube and other sources walking users through the various exploits, said Matthew Hickey, founder of U.K. consultancy Hacker House.

“The fact that people are using these attack tools in the wild is unsurprising,” Hickey said. “It shows you these tools were very well developed, very weaponized and don’t require a lot of technical sophistication, so attackers are quick to adopt them into their repositories and toolkits. Subsequently, they’re using them as-is.”

At this point, some exploits are quite simply point-and-shoot operations where a user would just fill in a value such as a remote IP address and fire off the executable, said Jake Williams, president of Rendition InfoSec; Williams is also known as MalwareJake.

“For us, these are keys to the kingdom types of exploits,” Williams said.

DoublePulsar works on older Windows Server versions with older versions of PatchGuard kernel protection; modern versions of Windows such as Windows 10 have better kernel checks that could help block or prevent these hooks deep into the OS. Once DoublePulsar is on a compromised host, an attacker can drop additional malware or executables onto a machine, meaning that this bug will quickly move from the exclusive realm of nation-state hackers to cybercriminals, and it may be a matter of time before ransomware and other commodity malware and botnets take advantage of these exploits to spread.

For now, attacks are taking shape through the use of malformed SMB requests and sit on the same port as the one the SMB service runs on (445). Tentler said it’s a rarity that malware would use an existing running port, Tentler said.

“It does not open new ports. Once the backdoor is present, it can do one of four things: either it responds to a specific ping request (such as a heartbeat), it can uninstall itself, load shellcode, or run a DLL on the host. That’s it,” Tentler said. “It’s only purpose is to provide a covert channel by which to load other malware or executables.”

One drawback for the attacker is that since the attack lives in memory, once a machine is rebooted, it’s gone. DoublePulsar also comes with a kill or burn command that won’t remove the infection, but does prevent others from making use of the backdoor.

Regardless, researchers are a bit disheartened that in the six weeks since the patch has been available, so many machines remain exposed.

“This is really a quite serious issue,” Hickey said. “This is a level of attack we have not seen since Conficker, and certainly none with this ease of use. Now you have a nation-state attack tool available to anyone online to use for their own purposes. It’ll be used to compromise and impact systems for many years to come.”

Suggested articles