Posted by Robert Vamosi on May 8, 2017
A hacking tool leaked in April by a mysterious organization is attacking older Windows boxes, exposing gaps in organizational update and upgrade policies. One researcher estimates that between 100K and 200K boxes may already be compromised worldwide.
What’s particularly interesting is that Microsoft issued a patch for the underlying vulnerabilities in March.
Several weeks ago, a group known as Shadow Brokers released a series of tools they claimed had been stolen from the National Security Agency (NSA). The NSA tools were first disclosed over a year ago in two software caches: one encrypted, the other not. The non-encrypted cache held a few lightweight proof-of-concept examples, ostensibly to prove the value of the encrypted cache. The second cache would be decrypted only if someone paid.
Apparently, no one did. So, a few weeks ago Shadow Brokers decrypted the second cache.
One of the tools released in the second cache was a Windows hacking tool known as DoublePulsar. It delivered its malware via TCP port 445 through another piece of malware known as EternalBlue, a remote execution exploit. EternalBlue leverages server message block (SMB) vulnerabilities found in a wide range of Windows operating systems.
In other words, this was a way for someone to compromise virtually any Windows box. It created a stealthy way to monitor the status and activity on that box. Except, upon public release, EternalBlue no longer affected all supported versions of Microsoft Windows. The underlying SMB vulnerability was addressed in a previous Patch Tuesday release.
Last February, Microsoft mysteriously canceled its monthly Patch Tuesday with only a few hours’ notice. In March, Patch Tuesday reappeared with nearly all the Shadow Broker vulnerabilities neatly patched.
One of the vulnerabilities patched in March was the SMB server vulnerability exploited by EternalBlue (MS17-010). Without confirmation from Microsoft, many believe that the software vendor either paid for advanced decryption of the cache or was otherwise provided with the tools before the release. This led Microsoft and others to gloat upon the release of the Shadow Brokers’ tool kit that Windows products were immune.
That is true only if you’re one of the millions who have updated your operating system to Windows 10. Even Windows 7 and 8. The fix is available for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and 2012 R2, Windows Server 2016, and Server Core.
A month after the update from Microsoft, Dan Tentler, a security researcher and the founder of security shop Phobos Group, began noticing a sharp uptick in the DoublePulsar. “The reason we’re experiencing this massive outbreak is because nobody patches,” Tentler told NBC. Another organization, Binary Edge, also saw infections jump from 106,410 machines to 183,107 in four days from Friday, April 21 through Monday April 24.
There is no patch available for older versions of Windows. Providing an end-of-life date for software makes sense from a vendor perspective. The vendor no longer must deal with pesky updates for a diminishing share of the market. In some cases, the lifetime of a given software product could be a generous decade. That doesn’t mean everyone discontinues use of those products.
Until recently ATMs still ran on Windows XP. Additionally, some medical devices supported Windows Server 2003. It is worse for industrial control systems where internet-connected devices are designed to run 15-20 years without maintenance out in the field and support several several Microsoft Windows products. And then there’s the casual end-user who still runs Windows Vista because they’re used to the interface or their hardware is too old.
Whatever the reason not to update to a newer OS or install the patch, the risk is real. A metasploit module already exists to deploy meterpreter over DoublePulsar. This allows an attacker the opportunity to install a wide range of tools on compromised devices rather quickly. The question is what are these devices connected to?
If you have boxes with Windows Server 2003 or Windows XP, Microsoft will never patch the underlying SMB exploits. Thus, you will remain vulnerable to DoublePulsar. If you need to keep those boxes, your best option is to segment them on the network. You can also create good internal access control lists, if you haven’t already. This will limit but not prevent a remote attacker from exploiting DoublePulsar on your network.
If you don’t have older Windows boxes, then you shouldn’t hesitate to update with MS17-010 which fixes the underlying SMB issues.